[Libguestfs] [PATCH] fuse: UID 0 should override all permissions checks (RHBZ#1106548).

Pino Toscano ptoscano at redhat.com
Fri Jun 13 16:14:26 UTC 2014 

On Thursday 12 June 2014 13:32:54 Richard W.M. Jones wrote:
> Previously if you were root, and you tried to change directory into a
> directory which was not owned by you and not readable (eg. 0700
> bin:bin), it would fail.
> 
> This doesn't fail on regular directories because when you are root the
> kernel just ignores permissions.
> 
> Although libguestfs in general tries not to duplicate kernel code, in
> the case where we emulate the FUSE access(2) system call,
> unfortunately we have to do it by stat-ing the object and performing
> some (half-arsed) heuristics.
> 
> This commit modifies the FUSE access(2) system call, so root is now
> able to chdir to any directory.

I've taken a look at few non-trivial FUSE filesystems, and none of them 
seems to implement the access operation. I guess this means the kernel 
does all the job by itself based on the permissions.
On the other hand, removing the access operation makes test-fuse.sh fail 
in the chmod part, at:
  [ ! -x new ]
interestingly enough, the permissions of "new" at that point are fine 
(no -x), and strace'ing that test command gives
  access("new", X_OK)                     = 0
so I'm puzzled...

Interestingly enough, even trying the allow_root and allow_other FUSE 
options makes no difference.

So I'd say to commit this for now; just one note below.

> It also adds some debugging so we can debug these complex permissions
> checks in the field if some other problem arises in future.
> [...]
> +  debug (g, "%s: "
> +         "testing access mask%s%s%s%s: "
> +         "caller UID:GID = %d:%d, "
> +         "file UID:GID = %d:%d, "
> +         "file mode = %o, "
> +         "result = %s",
> +         path,
> +         mask & R_OK ? " R_OK" : "",
> +         mask & W_OK ? " W_OK" : "",
> +         mask & X_OK ? " X_OK" : "",
> +         mask == 0 ? " 0" : "",
> +         fuse->uid, fuse->gid,
> +         statbuf.st_uid, statbuf.st_gid,
> +         statbuf.st_mode,
> +         ok ? "OK" : "EACCESS");

Would it be possible to split most of this debug right after the 
mount_local_getattr invocation, so early returns have this debug as 
well?

Thanks,
-- 
Pino Toscano

More information about the Libguestfs mailing list