From: Nikolaus R. <Nik...@ra...> - 2013-06-24 02:00:01
Sven Utcke <sve...@pu...> writes:

> Hello Heinrich,
>
>> When implementing on access virus scanning it is desirable to scan
>> all file systems mounted in user space.
>
>> I suggest to provide in /etc/fuse.conf an option "force_allow_root",
>> which - when set - forces allow_root whenever a user file system is
>> mounted, irrespective of any command line option.
>>
>> It might be desirable to inform the user about this forced
>> allow_root by a console message.
>
> I absolutely do not think that this would be a good idea. FUSE can be
> used to mount filesystems on far away systems, which local root has no
> right nor reason to bother with, as well as a number of encrypted
> filesystems, which again by their very nature are not for root to
> bother with.
>
> Nope, this seems to be one of the (increasingly many) cases where the
> loss in privacy FAR outweighs the gain in security, real or
> imagined. And I dare say it's mostly imagined anyway...

I agree with you that a force_allow_root feature is not desirable, but I don't agree with your rationale at all.

As far as the technical options are concerned, an unprivileged user does not have any protection from local root at all, and thus no expectations of privacy either. If you're relying on not using force_allow_root to prevent the local root from accessing your data, you're in deep trouble already -- adding a force_root option isn't going to change anything about that. As a matter of fact, rather than being worried about a loss of privacy from introducing a force_allow_root option, I'd be much more worried about introducing a false sense of privacy by rejecting such an option on grounds of privacy.

Of course, legally and ethically the situation is different. But such considerations are independent of there being a force_root option or not.

My objection to a force_allow_root option is mostly based on the proposed use-case not making a lot of sense. Doing on-access virus scanning using inotify seems like a bad idea in general, and the trouble with FUSE file systems is just one symptom of that. For example, with kernel namespaces becoming more common, there will surely be additional problems like this one down the road. Also, as far as I know inotify doesn't allow you to intercept access to a file, so the virus scanner will always have to race with other applications if it finds anything.

If on-access scanning is really required, the way to do it would probably be hooking into the libc IO functions (like e.g. fakeroot does it).

Best,
-Nikolaus

--
»Time flies like an arrow, fruit flies like a Banana.«

PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6 02CF A9AD B7F8 AE4E 425C