Re: Unable to access fuse mountpoint with seteuid()

On Fri, May 15, 2020 at 10:05 PM Nikolaus Rath <Nikolaus@xxxxxxxx> wrote:
>
> Hello,
>
> I've written a setuid root program that tries to access a FUSE
> mountpoint owned by the calling user. I'm running seteuid(getuid()) to
> drop privileges, but still don't seem to be able to access the
> mountpoint.
>
> Is that a bug or a feature? If it's a feature, is there any other way to
> get access to the mountpoint? All I want is the st_dev value...

It's a feature:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/fs/fuse/dir.c?h=v5.6#n1071

However, st_dev is definitely not something that could be used for DoS
(it's not even controlled by the fuse daemon).  The attached patch
(untested) allows querying st_dev with statx(2) and a zero mask
argument.

The other option is to parse /proc/self/mountinfo, but that comes with
some caveats.

Thanks,
Miklos
diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
index de1e2fde60bd..26f028bc760b 100644
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1689,8 +1689,18 @@ static int fuse_getattr(const struct path *path, struct kstat *stat,
 	struct inode *inode = d_inode(path->dentry);
 	struct fuse_conn *fc = get_fuse_conn(inode);
 
-	if (!fuse_allow_current_process(fc))
+	if (!fuse_allow_current_process(fc)) {
+		if (!request_mask) {
+			/*
+			 * If user explicitly requested *nothing* then don't
+			 * error out, but return st_dev only.
+			 */
+			stat->result_mask = 0;
+			stat->dev = inode->i_sb->s_dev;
+			return 0;
+		}
 		return -EACCES;
+	}
 
 	return fuse_update_get_attr(inode, NULL, stat, request_mask, flags);
 }
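
Review bot: In the new !request_mask branch of fuse_getattr(), only stat->result_mask and stat->dev are written before "return 0", so the comment should state that every other kstat field is left exactly as the caller passed it in and must not be read when result_mask is 0. The comment should also say why this is acceptable for a process that fuse_allow_current_process() rejects: the value comes from inode->i_sb->s_dev and fuse_update_get_attr() is never reached, so no request goes to the daemon. The flags argument is ignored on this path, which deserves a word too. As the patch is described as untested, a test that calls statx(2) with a zero mask from a rejected process and checks both the return value and the device number should accompany it.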

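The /proc/self/mountinfo alternative mentioned in the reply, as an added example that is not part of the original message or the kernel patch: a parser that returns the major:minor of a mount point without touching the FUSE filesystem itself. The names `SAMPLE_MOUNTINFO`, `unescape` and `mountinfo_dev` are hypothetical, the sample lines are constructed, and the two caveats handled here (octal-escaped paths and stacked mounts) are chosen for this example; the message does not say which caveats it has in mind.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/self/mountinfo format (not captured from a real host). */
static const char SAMPLE_MOUNTINFO[] =
    "61 22 0:48 / /home/alice/my\\040mnt rw,nosuid,nodev - fuse.sshfs host:/data rw,user_id=1000\n"
    "75 22 0:51 / /mnt/stack rw - tmpfs tmpfs rw\n"
    "76 75 0:52 / /mnt/stack rw,nosuid,nodev - fuse.example example rw,user_id=1000\n";

/* Decode in place the \ooo octal escapes used for space, tab, newline and backslash. */
static void unescape(char *s)
{
    char *out = s;
    for (; *s; s++) {
        int esc = s[0] == '\\' && s[1] >= '0' && s[1] <= '3' &&
                  s[2] >= '0' && s[2] <= '7' && s[3] >= '0' && s[3] <= '7';
        *out++ = esc ? (char)((s[1] - '0') * 64 + (s[2] - '0') * 8 + s[3] - '0') : *s;
        s += esc ? 3 : 0;
    }
    *out = '\0';
}

/* Fields per line: id parent major:minor root mountpoint ...; returns 0 and fills maj/min,
 * or -1 if absent. Assumption: for the same path a later line shadows an earlier one. */
int mountinfo_dev(const char *text, const char *mountpoint, unsigned *maj, unsigned *min)
{
    int found = -1;
    while (*text) {
        size_t len = strcspn(text, "\n");
        char line[4096], mp[4096];
        unsigned a, b;
        if (len < sizeof(line)) {          /* over-long lines are skipped */
            snprintf(line, sizeof(line), "%.*s", (int)len, text);
            if (sscanf(line, "%*d %*d %u:%u %*s %4095s", &a, &b, mp) == 3) {
                unescape(mp);
                if (strcmp(mp, mountpoint) == 0) { *maj = a; *min = b; found = 0; }
            }
        }
        text += len + (text[len] == '\n');
    }
    return found;
}

int main(void)
{
    unsigned mj = 0, mn = 0;
    int rc = mountinfo_dev(SAMPLE_MOUNTINFO, "/mnt/stack", &mj, &mn);
    printf("rc=%d dev=%u:%u\n", rc, mj, mn);
    return rc;
}
```

To compare the result with an `st_dev` value, combine the pair with `makedev(maj, min)` from `<sys/sysmacros.h>`.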