early-gdm redux ( I am sorry my way is better faster... for a desktop )

Thorsten Leemhuis fedora at leemhuis.info
Tue Sep 18 09:34:29 UTC 2007


On 18.09.2007 10:35, Alexander Larsson wrote:
> On Fri, 2007-09-14 at 10:56 +0200, Thorsten Leemhuis wrote:
>> On 14.09.2007 10:17, Alexander Larsson wrote:
>>>> That's a fuse plugin correct?  Uhm... fuse doesn't work out of the box
>>>> in Fedora currently. I _think_ we still ship fuse in such a way that
>>>> you have to manually take some action add users to the fuse group for
>>>> users that get to use fuse.
>>> Yes we do. And this is totally stupid and will cause pain in the future
>>> when all sorts of features (like gvfs) start using fuse. I have no idea
>>> why this was done, but it has to be fixed.
>> [...]
>> I decided that -- but not alone. In fact IIRC I was urged by lots of
>> high-rank-Fedora-developers (including jeremy and someone from the
>> security team IIRC) to *not* ship fuse as a suid-binary for everyone, as
>> back then (in the early days when fuse hit the kernel) it was highly
>> unclear if the fuse userspace tools were safe enough.
>>
>> If that has changed: sure, let's get rid of this extra burden with
>> adding the user to a special group. But that's up to the current
>> maintainer.
> 
> If it's not safe then wouldn't a better solution be to fix it or not
> ship/install it. 

In a perfect world: agreed. But we don't live in one afaics :-/

Fedora is a community distribution, and we IMHO can't put the burden on
packagers too high, as there otherwise won't be much of a community
anymore that takes care of Fedora. "Fix it" would be way too high a burden,
as lots of the Fedora maintainers have only basic or next-to-none
programming skills -- nevertheless they do lots of work for Fedora, and
that's a good thing for Fedora. In "my perfect Fedora world" they
hopefully take over those "easy" tasks from people with more skills, so
the latter have more time for other stuff that requires their skills.

Not shipping something or waiting forever for someone with enough skills
to show up to fix it is not always a real option either afaics, as that
might take so long, that users get disappointed and switch to another
distro, which is also what we don't want.

> Making every user have to be added to the fuse group means:
> 
> 1) It's not useable by default, meaning extra work for all users, and
>    features mystically not working before some magic sysadmin
>    incantation. 
>    (We could make it "easy" to detect this and add users to this group,
>     but then again, why have the group?)

Fully agreed in general. But for fuse it was a compromise back then and
IMHO an acceptable one.

<side note>I *sometimes* wonder if rpm/Fedora should have a (rarely
used!) way for packagers to notify the sysadmin with stuff like "hey,
you installed mysql, but you need to set a password for the database"
(the init scripts from mysqld do exactly that ATM, but one can easily
miss that information). Similar stuff could be used for fuse for the
problem at hand.</side note>

> 2) When important things in the desktop start requiring fuse everyone
>    will be in the fuse group anyway, meaning any security is lost.
>    (One could say this only happens on "desktop" machines, but if you
>     don't trust fuse userspace on your server, just don't install it
>     there.)

No offense, but well, if "important things in the desktop start
requiring fuse" I suppose people programming that stuff first make sure
it's safe and wise to use fuse, as it might backfire to their apps if
fuse is unsafe.

It's likely nothing more than asking the Fedora developers "can we get
rid of the add-to-a-specific-group stuff for fuse over the next few
months? I want to use fuse for important things in the desktop" *before*
starting to really depend on fuse.

BTW, thanks for working on gvfs2 -- looks promising.

> [...] I just think that this decision has no real value
> security-wise, and it will be quite negative when things actually start
> using fuse. Perhaps it was the right choice early on in the life of
> fuse,

Agreed.

> but I don't think it makes sense by now.

Might be the case. But as I said: I'm not the maintainer anymore. Talk
to him about it (and maybe those core-fedora developers that vetoed
SUID-root fuse back then).

CU
knurd
