From: Ralph C. <ra...@in...> - 2008-05-24 18:11:43
Hi,

On Ubuntu 8.04, we've ~/.gvfs for users of the gnome desktop.

    $ cd && df .gvfs && mount | grep gvfs
    Filesystem           1K-blocks      Used Available Use% Mounted on
    gvfs-fuse-daemon      12626332   5147228   7479104  41% /home/ralph/.gvfs
    gvfs-fuse-daemon on /home/ralph/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=ralph)
    $

This causes problems because it breaks the normal Unix paradigm of root can access anything. I understand why, so a plebeian user can't introduce a DoS as described in Documentation/filesystems/fuse.txt, but it's causing existing well-behaved jobs, e.g. using tar as root to backup /home, to fail.

    $ sudo tar cf /dev/null .gvfs .bash_profile
    tar: .gvfs: Cannot stat: Permission denied
    tar: Error exit delayed from previous errors
    $ echo $?
    2
    $

Adding tar's --one-file-system in this particular case doesn't help since the stat must still occur before tar can spot it's a different filesystem.

I'm aware of the allow_* options to fusermount but I'm not quite clear if the allow_root one will help. Where's the best description of these? It isn't fusermount(1).

I wondered if another option would be for root to see an empty directory that's another filesystem. This would mean that options to avoid crossing filesystem boundaries, e.g. find's -xdev, would work, and things that didn't check would only see an empty directory anyway, so they couldn't be DoS'd by whatever the user had mounted there.

I'd welcome FUSE opinion on this; I'm just someone bitten by it that's trying to gather information for bugs like https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/225361

BTW, this issue of DoS by a pleb. Since Ubuntu allows users to mount some media, e.g. a USB flash drive or ISO CD, couldn't I concoct a faulty filesystem that had a directory tree loop or similar so a naive program would find an infinite depth? If so, the system isn't protected from that, so perhaps the FUSE protection is overkill?

Cheers, Ralph.