From: <bel...@gm...> - 2006-01-30 15:19:10

Hi,

I have an unusual behaviour with mutt_dotlock.

mutt_dotlock file => fail
and
strace mutt_dotlock file => succeed

file is on an encfs mounted folder

Encfs: 1.2.5
Kernel: linux 2.6.15 + fuse api 7.3 (debian image 2.6.15-1-686) + libc6-i686

I still use a linux 2.6.8 + fuse 2.2.1 api 5.1 because of this.

Perhaps it is an unloaded linux module, or something.

Can someone help me with this problem?

TIA,
Bela

From: Csaba H. <csa...@cr...> - 2006-01-30 15:38:41

On 2006-01-30, <bel...@gm...> <bel...@gm...> wrote:
> I have an unusual behaviour with mutt_dotlock.
> mutt_dotlock file => fail
> and
> strace mutt_dotlock file => succeed

I have a guess.

Isn't mutt_dotlock setuid? By default, you are the only one who can use the fs (so that you can't spy on other unsuspicious users' I/O requests via the fs daemon). A setuid process will be refused for this reason. OTOH, stracing strips off the setuid bit, so then you are allowed to enter the realm.

Did you try "-o allow_root" ?

Csaba

From: <bel...@gm...> - 2006-01-30 17:33:32

On 1/30/06, Csaba Henk <csa...@cr...> wrote:
>
> On 2006-01-30, <bel...@gm...> <bel...@gm...> wrote:
> > I have an unusual behaviour with mutt_dotlock.
> > mutt_dotlock file => fail
> > and
> > strace mutt_dotlock file => succeed
>
> Isn't mutt_dotlock setuid?
> Did you try "-o allow_root" ?
>
>

10q.
You are right. Using "-o allow_root" or removing setuid bit on mutt_dotlock worked.

But why is it working with fuse 2.2.1?

Is there a way to tell fuse to use both ids, real and effective?
Or something else?

Bela

From: Miklos S. <mi...@sz...> - 2006-01-30 17:48:28

> 10q.
> You are right. Using "-o allow_root" or removing setuid bit on mutt_dotlock
> worked.
>
> But why is it working with fuse 2.2.1?

Uid checking became more strict in fuse-2.3. See the changelog entry for 2005-04-28:

  * Make checking of permission for other users more strict. Now
    the same privilege is required for the mount owner as for ptrace
    on the process performing the filesystem operation.

This makes some setuid programs fail on fuse mounts.

> Is there a way to tell fuse to use both ids, real and effective?

I don't understand the question. What do you mean by "use"?

Miklos

From: <bel...@gm...> - 2006-01-31 12:17:42

On 1/30/06, Miklos Szeredi <mi...@sz...> wrote:
>
> Uid checking became more strict in fuse-2.3. See the changelog entry
> for 2005-04-28:
>
>   * Make checking of permission for other users more strict. Now
>     the same privilege is required for the mount owner as for ptrace
>     on the process performing the filesystem operation.
>
> This makes some setuid programs fail on fuse mounts.

Thank you.

So, I must use a copy (without setuid bit) for any setuid program that needs access to a fuse-mounted directory.

> Is there a way to tell fuse to use both ids, real and effective?
>
> I don't understand the question. What do you mean by "use"?

When checking rights, like:

    granted = check(effective) || (real != root && check(real));

but, now I see that it's not a good idea.

Bela

From: Miklos S. <mi...@sz...> - 2006-01-31 12:55:42

> Thank you.
>
> So, I must use a copy (without setuid bit) for any setuid program that needs
> access to a fuse-mounted directory.

Or use -oallow_other. It is quite safe on a single-user system.

Miklos
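
As an added illustration that is not part of the thread or of FUSE's source, the C model below compares the strict check described in the changelog entry with the rule proposed in the thread, under each mount option discussed. It assumes a simplification: "same privilege as for ptrace" is reduced to requiring the caller's real, effective and saved uids to equal the mount owner's uid; all type names, function names and uid values are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model types; these are not kernel structures. */
struct creds { unsigned ruid, euid, suid; };
enum mount_opt { OPT_DEFAULT, OPT_ALLOW_ROOT, OPT_ALLOW_OTHER };

/* Assumed simplification of the fuse-2.3 ptrace-like rule:
 * every uid of the caller must equal the mount owner's uid. */
static bool strict_check(unsigned owner, struct creds c)
{
    return c.ruid == owner && c.euid == owner && c.suid == owner;
}

/* Access decision under the mount options mentioned in the thread. */
static bool fuse_access(unsigned owner, struct creds c, enum mount_opt opt)
{
    if (opt == OPT_ALLOW_OTHER)
        return true;                 /* any user may enter the mount */
    if (opt == OPT_ALLOW_ROOT && c.euid == 0)
        return true;                 /* root is admitted besides the owner */
    return strict_check(owner, c);
}

/* The rule proposed in the thread:
 * granted = check(effective) || (real != root && check(real)) */
static bool proposed_check(unsigned owner, struct creds c)
{
    return c.euid == owner || (c.ruid != 0 && c.ruid == owner);
}

int main(void)
{
    const unsigned owner = 1000;               /* constructed uid of the mount owner */
    struct creds plain    = {1000, 1000, 1000}; /* ordinary process, or setuid binary run under strace */
    struct creds suid_bin = {1000, 0, 0};       /* constructed case: setuid-root binary started by the owner */

    printf("plain, default:        %d\n", fuse_access(owner, plain, OPT_DEFAULT));
    printf("setuid, default:       %d\n", fuse_access(owner, suid_bin, OPT_DEFAULT));
    printf("setuid, allow_root:    %d\n", fuse_access(owner, suid_bin, OPT_ALLOW_ROOT));
    printf("setuid, proposed rule: %d\n", proposed_check(owner, suid_bin));
    return 0;
}
```

In this model the proposed rule admits the setuid-root process on the owner's mount, so the file I/O of a privileged process would be served by the owner's unprivileged filesystem daemon.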