fuse (Was Re: early-gdm redux)

Thorsten Leemhuis fedora at leemhuis.info
Tue Sep 18 17:41:22 UTC 2007


On 18.09.2007 16:28, Jeremy Katz wrote:
> On Tue, 2007-09-18 at 10:35 +0200, Alexander Larsson wrote:
>> On Fri, 2007-09-14 at 10:56 +0200, Thorsten Leemhuis wrote:
>>> On 14.09.2007 10:17, Alexander Larsson wrote:
>>>>> That's a fuse plugin correct?  Uhm... fuse doesn't work out of the box
>>>>> in Fedora currently. I _think_ we still ship fuse in such a way that
>>>>> you have to manually take some action to add users to the fuse group for
>>>>> users that get to use fuse.
>>>> Yes we do. And this is totally stupid and will cause pain in the future
>>>> when all sorts of features (like gvfs) start using fuse. I have no idea
>>>> why this was done, but it has to be fixed.
>>> Thx for your kind words to your fellow Fedora developers, much
>>> appreciated ;-) (¹)
>>> I decided that -- but not alone. In fact IIRC I was urged by lots of
>>> high-rank-Fedora-developers (including jeremy and someone from the
>>> security team IIRC) to *not* ship fuse as a suid-binary for everyone, as
>>> back then (in the early days when fuse hit the kernel) it was highly
>>> unclear if the fuse userspace tools were safe enough.
>>> If that has changed: sure, let's get rid of this extra burden with
>>> adding the user to a special group. But that's up to the current
>>> maintainer.
>> If it's not safe then wouldn't a better solution be to fix it or not
>> ship/install it.
> Making sure that things are safe is definitely the right thing to do.
> suid but only group executable is purely a "start to get it in while not
> making things less secure by default"

While at it maybe someone can explain something about fuse which I never
understood:

I got a new laptop three months ago. It came with Windows and thus a
NTFS partition which I only made smaller, but did not remove --
/dev/sda3 to be precise:

$ ls -l /dev/sda3
brw-r----- 1 root disk 8, 3 14. Sep 16:10 /dev/sda3

Okay, it's only read-writable for root and readable for "disk" -- a
group which I'm not part of:

$ groups
thl fuse

Thus I'm not even able to read from it:

$ dd if=/dev/sda3 bs=512K count=1 | strings
dd: opening `/dev/sda3': Permission denied

Life sucks, but that's how things are supposed to be in linux/unix land
as far as I know. But well, for fuse there seem to exist different rules:

$ mkdir ntfs
$ /sbin/mount.ntfs-3g /dev/sda3 ntfs/
$ touch ntfs/foo
$ ls -l ntfs/foo
-rwxrwxrwx 1 thl thl 0 18. Sep 19:27 ntfs/foo

Which brings me to my questions: Can somebody please explain why the
above is working? Does it mean that if I write my own malicious
fuse.ext3 userspace driver that I can mount each and every block-device
on my system and read or modify the files on it (all by using fuse)?
What if there is a small error in mount.ntfs-3g somewhere -- could it be
abused to destroy a partition on my system while being an ordinary user?

Just wondering -- maybe I just don't understand the concept of fuse
(maybe I'm getting too old for this...). Or maybe there is a bug
somewhere in our packages and the above scenario works? Or a
side-effect of our "add to fuse-group" strategy?

Cu
knurd
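One defender-side check on the point Jeremy raises above (a setuid-root helper that is only group-executable versus one every local user can run), as an added example that is not part of the thread: a POSIX shell audit that classifies a mount helper's mode bits. It assumes GNU `stat -c`; `/sbin/mount.ntfs-3g` is the helper from the thread, while `/bin/fusermount` is an assumed path for the generic FUSE helper.

```shell
#!/bin/sh
# Added example, not from the thread. Classify a setuid mount helper the way
# Jeremy describes: setuid root but executable only by a group (e.g. "fuse")
# is the restrictive layout; setuid root and world-executable is the layout
# that lets every local user hand a block device to the helper.
#
# classify_helper MODE OWNER GROUP
#   MODE is the octal mode as printed by GNU `stat -c %a` (3 or 4 digits).
classify_helper() {
  mode=$1 owner=$2 group=$3
  # Normalise 755 -> 0755 so the special-bits digit is always position 1.
  case ${#mode} in 3) mode=0$mode ;; esac
  special=$(printf '%s' "$mode" | cut -c1)
  other=$(printf '%s' "$mode" | cut -c4)
  # Special digit: 4 = setuid, 2 = setgid, 1 = sticky; match any value
  # that has the 4 bit set.
  case $special in 4|5|6|7) setuid=1 ;; *) setuid=0 ;; esac
  # "Other" digit with the execute bit (1) set.
  case $other in 1|3|5|7) oexec=1 ;; *) oexec=0 ;; esac
  if [ "$setuid" -eq 0 ]; then
    echo "no-setuid"
  elif [ "$owner" != root ]; then
    echo "setuid-nonroot:$owner"
  elif [ "$oexec" -eq 1 ]; then
    echo "setuid-root-world-exec"
  else
    echo "setuid-root-group-only:$group"
  fi
}

# audit_helpers PATH... : print one verdict line per helper that exists.
audit_helpers() {
  for helper in "$@"; do
    [ -e "$helper" ] || continue
    stat -c '%a %U %G' "$helper" | {
      read -r m o g
      printf '%s %s\n' "$helper" "$(classify_helper "$m" "$o" "$g")"
    }
  done
}

# mount.ntfs-3g is the helper used in the thread; /bin/fusermount is an
# assumed location for the generic FUSE mount helper.
audit_helpers /sbin/mount.ntfs-3g /bin/fusermount
```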



