RFC: fuse packages

Jeremy Katz katzj at redhat.com
Thu Nov 3 15:36:40 UTC 2005


On Wed, 2005-11-02 at 21:10 +0100, Thorsten Leemhuis wrote:
> On Saturday, 29.10.2005, at 14:32 -0400, Jeremy Katz wrote:
> > Why does fusermount need to be suid?  None of the other mount "helpers"
> > for things like cifs or smb are.  They get invoked by mount which is
> > suid and does checking to see if the user should be able to do the mount
> > they're asking for.  
> 
> This can work this way with fuse, too -- I just tried it with an updated
> version of my package.
> 
> But Fuse explicitly wants to allow the user to mount things that are not
> configured in /etc/fstab. I don't really like this but it seems to be
> one of the fuse design goals (AFAICS). 
>
> In the default install every user can mount a fuse-filesystem -- e.g.
> with sshfs mount each and every machine that can be reached by the user
> via ssh. That's IMHO too lax.
> 
> AFAICS we have three solutions:
> 
> 1) do it as upstream does (suid root)
> 2) create a fusemount group -- only members of that group are allowed to
> mount fuse-filesystems that are not in /etc/fstab
> 3) only allow fuse for things listed in /etc/fstab
> 
> I tend to do 3) and can also live with 2) (if that's possible -- I
> suppose it is but did not try yet). I don't like 1).

The more I think about it, the more I think that the third is really the
only "reasonable" solution for now.  Obviously the first isn't good
because I'm just shuddering to think of the security implications... 
The second really has the worst of both worlds -- there are the security
problems if you add anyone to the group and if you don't, then it's just
like doing the third.

Jeremy



