Hi *, Warren told me to post this to fedora-maintainers, so here I am. I prepared a fuse package for fedora-extras. From what I'm told it will probably only be in extras for FC-4 and it seem it might go straight to core devel/rawhide/FC5. Fuse ( http://fuse.sf.net ) allows normal users to mount userspace-filesystems into the file system ( for a complete list of filesystems see http://fuse.sourceforge.net/wiki/index.php/FileSystems ). The logic for this lies in a userspace program that is executed as user, but to mount it needs root permissions. Therefor one file (%{_bindir}/fusermount) is normally installed suid root (4755) by fuse. This might be a security problem and this is the problem with the current package and the reason for this mail. I posted a RFC on this to fedora-extras-list (see https://www.redhat.com/archives/fedora-extras-list/2005-October/msg01506.html and https://www.redhat.com/archives/fedora-extras-list/2005-November/msg00120.html for the whole discussion). Jeremy looked at it and is not very glad with the suid root executable. I agree with him on this issue, but fuse simply does not work without it -- not even when you add a fuse-filesystem to /etc/fstab (for a example see https://www.redhat.com/archives/fedora-extras-list/2005-November/msg00334.html ). Therefor I now use a suid root binary that is only executable for members of a special group named fuse. This still differs all other packages in core (afaik) -- cifs, smbfs, ncpfs for example ship also without suid root -- if the local admin wants to allow users to mount windows shares he has to add them to the /etc/fstab or "chmod +s /sbin/mount.cifs". This of course is reverted with every cifs-update. So guys, what to you think: Should we ship the binary suid root? Or simply ship it with the fuse group but don't suid root the binary? Or without the group (most fuse users/admins will run "chmod +s /usr/bin/fusemount" then and allow fuse for every user -- this IMHO is much more worse than the group). Or any other ideas? Example packages can be found here: http://www.leemhuis.info/files/fedorarpms/SPECS.fdr/fuse.spec http://www.leemhuis.info/files/fedorarpms/SRPMS.fdr/fuse-2.4.1-1.src.rpm http://www.leemhuis.info/files/fedorarpms/SPECS.fdr/fuse-sshfs.spec http://www.leemhuis.info/files/fedorarpms/SRPMS.fdr/fuse-sshfs-1.2-1.src.rpm To try it out on FC4 with all updates applied or rawhide simply do: rpmbuild --rebuild fuse-2.4.1-3.src.rpm sudo rpm -ivh rpmbuild/RPMS/i386/fuse-2.4.1-3.i386.rpm rpmbuild/RPMS/i386/fuse-libs-2.4.1-3.i386.rpm rpmbuild/RPMS/i386/fuse-devel-2.4.1-3.i386.rpm rpmbuild --rebuild fuse-sshfs-1.2-1.src.rpm rpm --rebuild rpmbuild/RPMS/i386/fuse-sshfs-1.2-2.i386.rpm sudo rpm -ivh rpmbuild/RPMS/i386/fuse-sshfs-1.2-2.i386.rpm sudo /usr/sbin/groupadd -a -G ${USER} ssh localhost mkdir fusetest sshfs foo: fusetest/ ls fusetest/ Where foo is the hostname of a machine you normally can connect to via ssh. -- Thorsten Leemhuis <fedora@xxxxxxxxxxxxx>
