Fuse packages now with use fuse-group and suid binary (Was: RFC: fuse packages)

Thorsten Leemhuis fedora at leemhuis.info
Fri Nov 4 19:00:13 UTC 2005


On Thursday, 03.11.2005, at 10:36 -0500, Jeremy Katz wrote:
> On Wed, 2005-11-02 at 21:10 +0100, Thorsten Leemhuis wrote:
> > On Saturday, 29.10.2005, at 14:32 -0400, Jeremy Katz wrote:
> > > Why does fusermount need to be suid? 
> > AFAICS we have three solutions:
> > 
> > 1) do it as upstream does (suid root)
> > 2) create a fusemount group -- only members of that group are allowed to
> > mount fuse-filesystems that are not in /etc/fstab
> > 3) only allow fuse for things listed in /etc/fstab
> > 
> > I tend to do 3) and can also live with 2) (if that's possible -- I
> > suppose it is but did not try yet). I don't like 1).
> 
> The more I think about it, the more I think that the third is really the
> only "reasonable" solution for now.

I did not get solution 3 to work correctly. So I chose solution 2 (this
is also the scheme that is used by Debian afaics). See:

http://www.leemhuis.info/files/fedorarpms/SPECS.fdr/fuse.spec
http://www.leemhuis.info/files/fedorarpms/SRPMS.fdr/fuse-2.4.1-2.src.rpm

http://www.leemhuis.info/files/fedorarpms/SPECS.fdr/fuse-sshfs.spec
http://www.leemhuis.info/files/fedorarpms/SRPMS.fdr/fuse-sshfs-1.2-2.src.rpm

I'm going to submit this to bugzilla as a review request at the beginning
of next week if no one complains loudly. (side note: rpmlint does not
like it very much:

$ rpmlint rpmbuild/RPMS/i386/fuse-2.4.1-2.i386.rpm
W: fuse non-conffile-in-etc /etc/udev/rules.d/40-fuse.rules
W: fuse non-conffile-in-etc /etc/makedev.d/z-fuse
E: fuse non-standard-gid /usr/bin/fusermount fuse
E: fuse setuid-binary /usr/bin/fusermount root 04754
E: fuse non-standard-executable-perm /usr/bin/fusermount 04754
W: fuse non-conffile-in-etc /etc/udev/makedev.d/40-fuse.nodes
)

The fuse kernel-module is in the latest rawhide kernel or in this one
for FC4:
http://people.redhat.com/davej/kernels/Fedora/FC4/RPMS.kernel/

It is not in the 2.6.14 kernel currently in updates-testing for FC4 --
but the above kernel or a newer one afaik should hit updates-testing
before 2.6.14 is shipped as an official update.
-- 
Thorsten Leemhuis <fedora at leemhuis.info>
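
Added example, not part of the original message or of the fuse packages: a small Python check that reads the three fusermount findings from the rpmlint output quoted above and decodes mode 04754 to show who can actually run the setuid-root binary. The function names and the result keys are assumptions made for this illustration.

```python
import re
import stat

# The fusermount findings, copied from the rpmlint output in the message above.
RPMLINT_OUTPUT = """\
E: fuse non-standard-gid /usr/bin/fusermount fuse
E: fuse setuid-binary /usr/bin/fusermount root 04754
E: fuse non-standard-executable-perm /usr/bin/fusermount 04754
"""

def parse_rpmlint(text):
    """Collect owner, group and mode per path from rpmlint findings."""
    files = {}
    for line in text.splitlines():
        m = re.match(r"[EW]: \S+ (\S+) (/\S+)(?: (.*))?$", line)
        if not m:
            continue
        check, path, rest = m.group(1), m.group(2), (m.group(3) or "").split()
        entry = files.setdefault(path, {})
        if check == "non-standard-gid":
            entry["group"] = rest[0]
        elif check == "setuid-binary":
            entry["owner"], entry["mode"] = rest[0], int(rest[1], 8)
        elif check == "non-standard-executable-perm":
            entry["mode"] = int(rest[0], 8)
    return files

def audit(entry):
    """Decode the permission bits that matter for a setuid binary."""
    mode = entry["mode"]
    setuid = bool(mode & stat.S_ISUID)
    runners = [name for name, bit in (("owner", stat.S_IXUSR),
                                      ("group", stat.S_IXGRP),
                                      ("other", stat.S_IXOTH)) if mode & bit]
    return {
        "symbolic": stat.filemode(stat.S_IFREG | mode),
        "setuid_as": entry.get("owner") if setuid else None,
        "executable_by": runners,
        # Solution 2: group members may execute, everyone else may not.
        "group_restricted": setuid and "group" in runners and "other" not in runners,
        # A setuid binary that non-owners can modify would be a packaging bug.
        "writable_by_non_owner": bool(mode & (stat.S_IWGRP | stat.S_IWOTH)),
    }

if __name__ == "__main__":
    for path, entry in parse_rpmlint(RPMLINT_OUTPUT).items():
        print(path, entry.get("group"), audit(entry))
```

With mode 04754 the "other" class keeps read access but has no execute bit, so only root and members of the fuse group can invoke the setuid binary; a mode of 04755 would fail the group_restricted check.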



