fuse: allow user configuration of fuse.conf #53074

Open: wants to merge 1 commit into base: master

furrycatherder commented Dec 30, 2018

Motivation for this change

#53072 requires user_allow_other in fuse.conf to work; this PR makes it user-configurable.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

bjornfor commented Dec 30, 2018

Doesn't fuse read /etc/fuse.conf, the system-wide config file? What are the consequences of defaulting to user allow other?

furrycatherder commented Dec 30, 2018

I'm really not sure. I don't have an /etc/fuse.conf.

sean@akita ~> fuse-overlayfs -o lowerdir=/lower -o upperdir=/upper -o workdir=/work /merged
UID=unchanged
GID=unchanged
UPPERDIR=/upper
WORKDIR=/work
LOWERDIR=/lower
MOUNTPOINT=/merged
fusermount3: option allow_other only allowed if 'user_allow_other' is set in /nix/store/mg0gkrvxyl640abb4v961b8ggrzn4vaq-fuse-3.2.6/etc/fuse.conf
fuse-overlayfs: cannot mount: Operation not permitted

It would be nice to find out where this fuse.conf is coming from.

       allow_other
              This option overrides the security measure restricting  file  access  to  the  user
              mounting the filesystem.  So all users (including root) can access the files.  This
              option is by default only allowed to root, but this restriction can be removed with
              a configuration option described in the previous section.

This could be debated but my thought is that most fuse mounts are done within a directory that restricts read access to the mounting user (namely the user's home directory).
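
Added example (not part of this PR or of libfuse): a small audit helper for the question raised above, reporting whether a given fuse.conf enables user_allow_other and which FUSE mounts made by non-root users currently carry allow_other. The sample fuse.conf and mount table are constructed; the function names are hypothetical, and the comment handling is a simplified assumption about how fusermount reads the file.

```python
import re

# Constructed sample inputs; on a live system read the fuse.conf that
# fusermount names in its error message, and /proc/mounts.
SAMPLE_CONF = """\
# constructed example
mount_max = 100
user_allow_other  # lets non-root users pass -o allow_other
"""
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
fuse-overlayfs /merged fuse.fuse-overlayfs rw,nosuid,nodev,relatime,user_id=1000,group_id=100,allow_other 0 0
sean@host:/srv /home/sean/srv fuse.sshfs rw,nosuid,nodev,relatime,user_id=1000,group_id=100 0 0
/dev/sdb1 /mnt/usb fuseblk rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,blksize=4096 0 0
"""

def parse_fuse_conf(text):
    """Return the two settings fuse.conf can carry (assumed '#' starts a comment)."""
    conf = {"user_allow_other": False, "mount_max": None}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "user_allow_other":
            conf["user_allow_other"] = True
        else:
            m = re.fullmatch(r"mount_max\s*=\s*(\d+)", line)
            if m:
                conf["mount_max"] = int(m.group(1))
    return conf

def allow_other_mounts(mounts_text):
    """List (mountpoint, uid, has_default_permissions) for FUSE mounts that a
    non-root user created with allow_other."""
    found = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint, fstype, opts = fields[1], fields[2], fields[3].split(",")
        if not (fstype in ("fuse", "fuseblk") or fstype.startswith("fuse.")):
            continue
        uid = next((int(o[8:]) for o in opts if o.startswith("user_id=")), None)
        if "allow_other" in opts and uid not in (None, 0):
            # Without default_permissions the kernel performs no mode checks;
            # access control is left entirely to the filesystem daemon.
            found.append((mountpoint, uid, "default_permissions" in opts))
    return found

if __name__ == "__main__":
    print(parse_fuse_conf(SAMPLE_CONF))
    for mountpoint, uid, checked in allow_other_mounts(SAMPLE_MOUNTS):
        print(f"{mountpoint}: uid={uid} allow_other default_permissions={checked}")
```
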

nixos-discourse commented Jan 7, 2019

This pull request has been mentioned on Nix community. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review-december/1711/9

@furrycatherder furrycatherder force-pushed the furrycatherder:fuse-conf branch from 8123724 to e24940d Jan 10, 2019

furrycatherder commented Jan 10, 2019

@bjornfor I changed userAllowOther to default to false; this should be uncontroversial. Can you approve the PR?
