On 18.09.2007 16:28, Jeremy Katz wrote:
> On Tue, 2007-09-18 at 10:35 +0200, Alexander Larsson wrote:
>> On Fri, 2007-09-14 at 10:56 +0200, Thorsten Leemhuis wrote:
>>> On 14.09.2007 10:17, Alexander Larsson wrote:
>>>>> That's a fuse plugin correct? Uhm... fuse doesn't work out of the box
>>>>> in Fedora currently. I _think_ we still ship fuse in such a way that
>>>>> you have to manually take some action to add users to the fuse group for
>>>>> users that get to use fuse.
>>>> Yes we do. And this is totally stupid and will cause pain in the future
>>>> when all sorts of features (like gvfs) start using fuse. I have no idea
>>>> why this was done, but it has to be fixed.
>>> Thx for your kind words to your fellow Fedora developers, much
>>> appreciated ;-) (¹)
>>> I decided that -- but not alone. In fact IIRC I was urged by lots of
>>> high-rank-Fedora-developers (including jeremy and someone from the
>>> security team IIRC) to *not* ship fuse as a suid-binary for everyone, as
>>> back then (in the early days when fuse hit the kernel) it was highly
>>> unclear if the fuse userspace tools were safe enough.
>>> If that has changed: sure, let's get rid of this extra burden with
>>> adding the user to a special group. But that's up to the current
>>> maintainer.
>> If it's not safe then wouldn't a better solution be to fix it or not
>> ship/install it.
> Making sure that things are safe is definitely the right thing to do.
> suid but only group executable is purely a "start to get it in while not
> making things less secure by default"

While at it maybe someone can explain something about fuse which I never
understood:

I got a new laptop three months ago. It came with Windows and thus a NTFS
partition which I only made smaller, but did not remove -- /dev/sda3 to be
precise:

$ ls -l /dev/sda3
brw-r----- 1 root disk 8, 3 14. Sep 16:10 /dev/sda3

Okay, it's only read-writable for root and readable for "disk" -- a group
which I'm not part of:

$ groups
thl fuse

Thus I'm not even able to read from it:

$ dd if=/dev/sda3 bs=512K count=1 | strings
dd: opening `/dev/sda3': Permission denied

Life sucks, but that's how things are supposed to be in linux/unix land as
far as I know. But well, for fuse there seem to exist different rules:

$ mkdir ntfs
$ /sbin/mount.ntfs-3g /dev/sda3 ntfs/
$ touch ntfs/foo
$ ls -l ntfs/foo
-rwxrwxrwx 1 thl thl 0 18. Sep 19:27 ntfs/foo

Which brings me to my questions: Can somebody please explain why the above
is working? Does it mean that if I write my own malicious fuse.ext3
userspace driver that I can mount each and every block-device on my system
and read or modify the files on it (all by using fuse)? What if there is a
small error in mount.ntfs-3g somewhere -- could it be abused to destroy a
partition on my system while being an ordinary user?

Just wondering -- maybe I just don't understand the concept of fuse (maybe
I'm getting too old for this...). Or maybe there is a bug somewhere in our
packages and the above scenario works? Or a side-effect of our "add to
fuse-group" strategy?

Cu
knurd

--
Fedora-desktop-list mailing list
Fedora-desktop-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-desktop-list
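The thread turns on two permission questions: whether the mount helper is a setuid binary that any user may run or one that only members of a group (here, "fuse") may execute, and whether the calling user could read the block device at all. The following script is an added example, not code from the original post or from Fedora; it classifies a file's mode bits the way an administrator auditing such helpers would (the "suid but only group executable" scheme Jeremy describes versus a world-executable setuid binary) and reports the caller's own access to a device node. The paths in the demo are constructed temporary files, not the system's real helpers.

```shell
#!/bin/sh
# Added example (not from the original thread). Audits a setuid helper's
# execute scope and the caller's access to a device node, using only ls,
# cut and test so it runs on any POSIX shell.

# Symbolic mode string of one path, e.g. "-rwsr-x---" (an ACL marker "+"
# may follow on some systems; the patterns below tolerate it).
mode_of() {
    ls -ld "$1" | cut -d' ' -f1
}

# Succeeds when the setuid bit is set (owner-exec slot shows s or S).
is_setuid() {
    case "$(mode_of "$1")" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Who may execute the file: world (any user), group (owning group only),
# owner, or none. A setuid helper classified "group" is the scheme the
# thread calls "suid but only group executable".
exec_scope() {
    case "$(mode_of "$1")" in
        ?????????[xst]*) echo world ;;
        ??????[xs]*)     echo group ;;
        ???[xs]*)        echo owner ;;
        *)               echo none ;;
    esac
}

# One-line report for a mount helper: setuid or not, and its execute scope.
helper_report() {
    if is_setuid "$1"; then s=setuid; else s=not-setuid; fi
    echo "$1: $s, executable by $(exec_scope "$1")"
}

# Whether the calling user could read/write a device node directly
# (the check the dd command in the post failed against /dev/sda3).
device_report() {
    r=no; w=no
    [ -r "$1" ] && r=yes
    [ -w "$1" ] && w=yes
    echo "$1: readable=$r writable=$w"
}

# Demo on constructed files (hypothetical helper names, not Fedora's).
demo_dir=$(mktemp -d)
touch "$demo_dir/mount.helper-group" "$demo_dir/mount.helper-world"
chmod 4750 "$demo_dir/mount.helper-group"   # setuid, fuse-group style
chmod 4755 "$demo_dir/mount.helper-world"   # setuid, anyone may run it
helper_report "$demo_dir/mount.helper-group"
helper_report "$demo_dir/mount.helper-world"
device_report "$demo_dir/mount.helper-group"
rm -rf "$demo_dir"
```

Run the report functions against the real helper and device paths on a system (for example `helper_report /sbin/mount.ntfs-3g` and `device_report /dev/sda3`) to see, at a glance, whether a helper is reachable by every local user or only by the group the package adds users to, and whether the user could have read the device without it.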