From: Ingo Schwarze <schwarze@usta.de>
Subject: Re: Skip fuse FS by /usr/libexec/security
To: "Kirill A. Korinsky" <kirill@korins.ky>
Cc: tech@openbsd.org, Sylvestre Gallon <ccna.syl@gmail.com>, Helg Bredow <helg@openbsd.org>
Date: Wed, 15 May 2024 19:06:10 +0200

Hello Kirill,

Kirill A. Korinsky wrote on Wed, May 01, 2024 at 06:00:24PM +0200:
> "Kirill A. Korinsky" <kirill@korins.ky> wrote:

>> With this diff security(8) skips not only non-local filesystem
>> but also filesystem which was mounted via FUSE.

> Anyone?

The fundamental idea may have some merit, but i feel unsure since you
did not explain why you think FUSE filesystems should be skipped.

I'm unsure what FUSE is used for in practice.  The fuse(4) manual
does not help me in that respect.  I'm not even sure how one would
typically mount a FUSE file system as /sbin/mount_fuse does not
appear to exist, nor does fuse(4) reference any other section 8
or section 1 manual pages.

There are large numbers of fuse_*(3) manual pages, so i may be missing
something, but on first sight, those don't help me either to understand
what this might be used for.

On top of that, i fear your patch may be doing about the opposite
of what you supposedly intended to achieve.
How exactly did you test this patch?

Your code says:

  $opt =~ /local/ && $type == /fuse/

Only file systems matching that - i.e. only file systems that
are *both* local and fuse - will be added to the @fs array.
In particular, if no fuse filesystem is mounted, @fs will remain empty.
But right afterwards, the code says:

  return unless @fs;

So you are disabling *all* find_special_files security checks
unless at least one fuse file system is mounted?

Even if at least one fuse file system is mounted, @fs will only
contain the fuse file systems, so the following File::Find(3p)
will only iterate the fuse file systems, still disabling all
checks for all non-fuse file systems.

Sorry in case i'm totally misreading your patch...

Yours,
  Ingo

>> diff --git libexec/security/security libexec/security/security
>> index 12ae7d631c3..caed0b71247 100644
>> --- libexec/security/security
>> +++ libexec/security/security
>> @@ -534,14 +534,14 @@ sub find_special_files {
>>  	%skip = map { $_ => 1 } split ' ', $ENV{SUIDSKIP}
>>  	    if $ENV{SUIDSKIP};
>>  
>> -	# Add mount points of non-local file systems
>> +	# Add mount points of non-local and fuse file systems
>>  	# to the list of directories to skip.
>>  	nag !(open my $fh, '-|', 'mount'),
>>  	    "cannot spawn mount: $!"
>>  	    and return;
>>  	while (<$fh>) {
>> -		my ($path, $opt) = /\son\s+(.*?)\s+type\s+\w+(.*)/;
>> -		push @fs, $path if $path && $opt =~ /local/ &&
>> +		my ($path, $type, $opt) = /\son\s+(.*?)\s+type\s+(\w+)\s+(.*)/;
>> +		push @fs, $path if $path && $opt =~ /local/ && $type == /fuse/ &&
>>  		    !($opt =~ /nodev/ && $opt =~ /nosuid/);
>>  	}
>>  	close_or_nag $fh, "mount" or return;
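
Review bot: On the changed `push @fs` line, `$type == /fuse/` is a numeric comparison of `$type` with the result of matching `/fuse/` against `$_` (the whole mount line), not a pattern match on `$type`. Since the updated comment says fuse file systems are to be skipped, the test should be negated and bound to the type, for example `$type ne 'fuse'` or `$type !~ /fuse/`. The new capture pattern also requires whitespace and an options part after the type word, where the old one did not, so it is worth confirming that it still matches every line mount prints.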
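
The filter condition discussed in this message, as an added example that is not part of the original mail or of security(8): it runs the unpatched condition, the patched condition as written, and a string comparison on the file system type over mount(8)-style lines, and prints which mount points each one puts in @fs. The sample lines, the `scan_list` helper and the `%filter` table are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from security(8): compare three mount filters.
use strict;
use warnings;

# Constructed sample lines in the style of mount(8) output (not captured).
my @mount = (
    '/dev/sd0a on / type ffs (local)',
    '/dev/sd0d on /tmp type ffs (local, nodev, nosuid)',
    'fusefs on /mnt/sshfs type fuse (local)',
    '/dev/sd0e on /home/fuse-work type ffs (local)',
    'server:/export on /net type nfs (nodev, nosuid)',
);

# Each predicate receives $type; the whole mount line is in $_.
my %filter = (
    # Unpatched code: the file system type is not looked at.
    'original'     => sub { 1 },
    # Patched code: == compares numerically, and /fuse/ is matched
    # against $_ (the whole line), not against $type.
    'patch (==)'   => sub { no warnings 'numeric'; $_[0] == /fuse/ },
    # String comparison on the captured type only.
    'type ne fuse' => sub { $_[0] ne 'fuse' },
);

# Build @fs the way the loop in the patch does, with the type test
# swapped for the given predicate.
sub scan_list {
    my ($keep) = @_;
    my @fs;
    for (@mount) {
        my ($path, $type, $opt) = /\son\s+(.*?)\s+type\s+(\w+)\s+(.*)/;
        push @fs, $path if $path && $opt =~ /local/ && $keep->($type) &&
            !($opt =~ /nodev/ && $opt =~ /nosuid/);
    }
    return @fs;
}

for my $name ('original', 'patch (==)', 'type ne fuse') {
    my @fs = scan_list($filter{$name});
    printf "%-14s scans: %s\n", $name,
        @fs ? "@fs" : '(nothing, find_special_files returns early)';
}
```

One of the constructed lines is an ffs mount whose path contains the string "fuse", which separates a test on the type field from a match against the whole line.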