Head Up: Prepare for dropping fuse group in the nearest future
alexl at redhat.com
Wed Feb 6 11:51:34 UTC 2008
On Tue, 2008-02-05 at 18:05 +0100, Thorsten Leemhuis wrote:
> On 05.02.2008 17:10, Peter Lemenkov wrote:
> > Due to landing of upcoming Gnome release in Fedora 9 I decided to drop
> > fuse group.
> > The main reason is that future Gnome VFS will use fuse as a backend,
> > and we wil be forced to add all users into fuse group (if we allow
> > them to use Gnome VFS) what will made the existence of fuse group
> > useless..
> > Any objections?
> Well, when I got fuse integrated into Fedora several well-known and
> long-term Red Hat/Fedora developers said "it needs a security audit
> before we drop the fuse group". Not that long ago when we discussed
> I heard that once or twice again.
Those bugs are not about fuse at all. They are about someone making the
ntfs-3g binary setuid which is completely wrong (i.e. that means any
fuse user could read any block device with an NTFS partition on it).
Generally fuse mounts run as a user and has no access to anything that
the user can't already do. The only part where the setuid thing is
needed is for actually mounting the fuse filesysem. This is a small bit
of code that was designed by upstream to be reviewable and secure.
Now, its true that there is a small bit of setuid code, and it *could*
have a bug in there. However, if that is the case we need to fix that
even if we limit use of fuse to the fuse group. Especially now that fuse
is getting more and more use so that most desktop users will want to be
in that group. If you truly fear fuse, security-wise, the best thing to
do is to not install it.
More information about the fedora-devel-list