From: Miklos S. <mi...@sz...> - 2006-03-02 19:26:57
> By default, if Alice mounts a FUSE filesystem, Bob won't be allowed to
> use that. In a bit twisted way, the primary reason for this is not to
> protect Alice from Bob, but vice versa: save Bob from Alice spying on
> him. That is, a mount point is a pretty transparent thing in Unix, and if
> Bob crossed Alice's mount point by accident, from that on Alice can
> trace Bob's actions (until he leaves her realm).
>
> That's got right both in the Linux and the FreeBSD implementations,
> there is some difference though. Is this restriction intended to protect
> Alice from Bob as well (not out of necessity, just by choice)?

IIRC originally yes, but it would make a lot of sense to separate the two
functions.

> When writing the FBSD module, my perception was that the answer is "no".
> However, this implies a somewhat different default behaviour on FreeBSD
> than it is on Linux:
>
> * in FreeBSD the "Bob is not allowed to use Alice's fs" is a dynamic
> property, in Linux it's not. That is, in FreeBSD Bob can knowingly
> decide to use Alice's fs (by doing a secondary mount of the fuse
> device identifying the fs -- there is a one-to-one device-mount
> correspondence in FBSD). (Alice can prevent this by "-o private", but
> that's not the default.)
>
> * in FreeBSD, if Alice had stronger privileges than Bob (she is allowed
> to trace Bob's processes), then Bob won't be disallowed from using her fs
> (because she could get that trace info anyway). In Linux no one
> can use anyone else's fs by default.
>
> Eg., an fs with a root privileged daemon will be seen by anyone in
> FreeBSD, but only by root in Linux.

Right.

> I think both approaches are consistent in themselves, but this
> difference can make a difference. In my reading if an fs maker wants to
> protect Alice (the fs owner) from Bob, then the respective access
> control mechanisms have to be implemented in the fs domain. However,
> someone who grew up on Linux FUSE will readily think that the kernel will
> do the job of protecting Alice from Bob and will rely on the kernel.
>
> Miklos, as per your "spec", which of the above ideas is right?

I think the kernel should handle protecting Bob, and the library should
handle protecting Alice.

> The concrete example I have at hand is Encfs. It seems to be a
> natural assumption that if Alice mounts her private stuff via Encfs,
> then Bob shouldn't see it, not by default at least. I just made Encfs
> work on FreeBSD and I saw that it doesn't implement "protect Alice
> from Bob" type access control mechanisms...

OK, let's add the "protect Alice" function to libfuse. On Linux it will be
redundant, but the cost of the check is minimal.

Miklos