Re: [fuse-devel] asking for some access control guidelines

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

> By default, if Alice mounts a FUSE filesystem, Bob won't be allowed to
> use that. In a bit twisted way, the primary reason for this is not to
> protect Alice from Bob, but vica versa: save Bob from Alice spying on
> him. That is, a mount point is pretty transparent thing in Unix, and if
> Bob crossed Alice's mount point by accident, from that on Alice can
> trace Bob's actions (until he leaves her realm).
> 
> That's got right both in the Linux and the FreeBSD implementations,
> there is some difference though. Is this restriction intended to protect
> Alice from Bob as well (not out of necessity, just by choice)?

IIRC originally yes, but it would make a lot of sense to separate the
two functions.

> When writing the FBSD module, my perception was that the answer is "no".
> However, this implies a somewhat different default behaviour on FreeBSD
> than it is on Linux:
> 
>  * in FreeBSD the "Bob is not allowed to use Alice's fs" is a dynamic
>    property, in Linux it's not. That is, in FreeBSD Bob can knowingly
>    decide on to use Alice's fs (by doing a secondary mount of the fuse
>    device identifying the fs -- there is a one-to-one device-mount
>    correspondence in FBSD). (Alice can prevent this by "-o private", but
>    that's not the default.)
> 
>  * in FreeBSD, if Alice had stronger privileges than Bob (she is allowed
>    to trace Bob's processes), then Bob won't be disallowed to use her fs
>    (because she could get that trace info anyway). In Linux noone
>    can use noone else's fs by default.
>   
>    Eg., an fs with a root privileged daemon will be seen by anyone in
>    FreeBSD, but only by root in Linux.

Right.

> I think both approaches are consistent in themselves, but this
> difference can make a difference. In my reading if an fs maker wants to
> protect Alice (the fs owner) from Bob, then the respective access
> control mechanisms has to be implemented in the fs domain. However,
> someone who grew up Linux FUSE will readily think that the kernel will
> do the job of protecting Alice from Bob and will rely on the kernel.
> 
> Miklos, as per your "spec", which of the above ideas is right? 

I think the kernel should handle protecting Bob, and the library
should handle protecting Alice.

> The concrete example I have at hand is Encfs. It seems to be a
> natural assumption that if Alice mounts his private stuff via Encfs,
> then Bob shouldn't see it, not by default at least. I just made Encfs
> working on FreeBSD and I saw that it doesn't implement "protect Alice
> from Bob" type access control mechanisms...

OK, let's add the "protect Alice" function to libfuse.  On Linux it
will be redundant, but the cost of the check is minimal.

Miklos