linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* Unable to access fuse mountpoint with seteuid()
@ 2020-05-15 20:03 Nikolaus Rath
  2020-05-18  9:32 ` Miklos Szeredi
  0 siblings, 1 reply; 2+ messages in thread
From: Nikolaus Rath @ 2020-05-15 20:03 UTC (permalink / raw)
  To: linux-fsdevel, fuse-devel, miklos

Hello,

I've written a setuid root program that tries to access a FUSE
mountpoint owned by the calling user. I'm running seteuid(getuid()) to
drop privileges, but still don't seem to be able to access the
mountpoint.

Is that a bug or a feature? If it's a feature, is there any other way to
get access to the mountpoint? All I want is the st_dev value...

Best,
-Nikolaus

-- 
GPG Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F

             »Time flies like an arrow, fruit flies like a Banana.«

^ permalink raw reply	[flat|nested] 2+ messages in thread
* Re: Unable to access fuse mountpoint with seteuid()
  2020-05-15 20:03 Unable to access fuse mountpoint with seteuid() Nikolaus Rath
@ 2020-05-18  9:32 ` Miklos Szeredi
  0 siblings, 0 replies; 2+ messages in thread
From: Miklos Szeredi @ 2020-05-18  9:32 UTC (permalink / raw)
  To: linux-fsdevel, fuse-devel, miklos

[-- Attachment #1: Type: text/plain, Size: 879 bytes --]

On Fri, May 15, 2020 at 10:05 PM Nikolaus Rath <Nikolaus@rath.org> wrote:
>
> Hello,
>
> I've written a setuid root program that tries to access a FUSE
> mountpoint owned by the calling user. I'm running seteuid(getuid()) to
> drop privileges, but still don't seem to be able to access the
> mountpoint.
>
> Is that a bug or a feature? If it's a feature, is there any other way to
> get access to the mountpoint? All I want is the st_dev value...

It's a feature:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/fs/fuse/dir.c?h=v5.6#n1071

However, st_dev is definitely not something that could be used for DoS
(it's not even controlled by the fuse daemon).  The attached patch
(untested) allows querying st_dev with statx(2) and a zero mask
argument.

The other option is to parse /proc/self/mountinfo, but that comes with
some caveats.

Thanks,
Miklos

[-- Attachment #2: fuse-always-allow-query-of-st_dev.patch --]
[-- Type: text/x-patch, Size: 710 bytes --]

diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
index de1e2fde60bd..26f028bc760b 100644
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1689,8 +1689,18 @@ static int fuse_getattr(const struct path *path, struct kstat *stat,
 	struct inode *inode = d_inode(path->dentry);
 	struct fuse_conn *fc = get_fuse_conn(inode);
 
-	if (!fuse_allow_current_process(fc))
+	if (!fuse_allow_current_process(fc)) {
+		if (!request_mask) {
+			/*
+			 * If user explicitly requested *nothing* then don't
+			 * error out, but return st_dev only.
+			 */
+			stat->result_mask = 0;
+			stat->dev = inode->i_sb->s_dev;
+			return 0;
+		}
 		return -EACCES;
+	}
 
 	return fuse_update_get_attr(inode, NULL, stat, request_mask, flags);
 }

^ permalink raw reply related	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-05-18  9:33 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-05-15 20:03 Unable to access fuse mountpoint with seteuid() Nikolaus Rath
2020-05-18  9:32 ` Miklos Szeredi

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).