[fuse-devel] Garnering Suggestions Regarding ~/.gvfs on Ubuntu.

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi,

On Ubuntu 8.04, we've ~/.gvfs for users of the gnome desktop.

    $ cd && df .gvfs && mount | grep gvfs
    Filesystem           1K-blocks      Used Available Use% Mounted on
    gvfs-fuse-daemon      12626332   5147228   7479104  41% /home/ralph/.gvfs
    gvfs-fuse-daemon on /home/ralph/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=ralph)
    $ 

This causes problems because it breaks the normal Unix paradigm of root
can access anything.  I understand why, so a plebeian user can't
introduce a DoS as described in Documentation/filesystems/fuse.txt, but
it's causing existing well-behaved jobs, e.g. using tar as root to
backup /home, to fail.

    $ sudo tar cf /dev/null .gvfs .bash_profile
    tar: .gvfs: Cannot stat: Permission denied
    tar: Error exit delayed from previous errors
    $ echo $?
    2
    $

Adding tar's --one-file-system in this particular case doesn't help
since the stat must still occur before tar can spot it's a different
filesystem.

I'm aware of the allow_* options to fusermount but I'm not quite clear
if the allow_root one will help.  Where's the best description of these?
It isn't fusermount(1).

I wondered if another option would be for root to see an empty directory
that's another filesystem.  This would mean that options to avoid
crossing filesystem boundaries, e.g.  find's -xdev, would work and
things that didn't check would only see an empty directory anyway so
they couldn't be DoS by whatever the user had mounted there.

I'd welcome FUSE opinion on this, I'm just someone bitten by it that's
trying to gather information for bugs like
https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/225361

BTW, this issue of DoS by a pleb.  Since Ubuntu allows users to mount
some media, e.g. a USB flash drive or ISO CD, couldn't I concoct a
faulty filesystem that had a directory tree loop or similar so a naieve
program would find an infinite depth?  If so, the system isn't protected
from that so perhaps the FUSE protection is overkill?

Cheers,

Ralph.