Fuse mount: make auto_unmount compatible with suid/dev mount options by matthiasgoergens · Pull Request #762 · libfuse/libfuse

matthiasgoergens · 2023-04-04T08:28:56Z

When you run as root, fuse normally does not call fusermount but uses
the mount system call directly. When you specify auto_unmount, it goes
through fusermount instead. However, fusermount is a setuid binary that
is normally called by regular users, so it cannot in general accept suid
or dev options.

In this patch, we split up how fuse mounts as root when auto_unmount is specified.

First, we mount using system calls directly, then we reach out to fusermount to set up auto_unmount only (with no actual mounting done in fusermount).

Fixes #148

lib/mount.c

util/fusermount.c

matthiasgoergens · 2023-04-04T08:43:39Z

Btw, I'm a bit worried about race conditions for auto_unmount in general. After all, auto_unmount identifies the mountpoint by path only (both in my new usage, and in established usage). Couldn't something happen in between check and unmount?

bsbernd · 2023-04-04T12:26:54Z

Yeah, I had scanned through your patches and the code and also seen the race.

Nikratio · 2023-04-04T14:51:40Z

Thanks for the patch. I am generally not a big fan of auto_unmount, and I don't think I would add this feature today (but it existing we're unfortunately stuck with it).

I've just pushed a commit that explains the drawbacks in more detail: #763

lib/mount.c

util/fusermount.c

Nikratio · 2023-04-06T11:44:21Z

Could you also add a unit tests that checks if this works?

matthiasgoergens · 2023-04-07T12:43:37Z

Yes, working on it.

I discovered a few minor issues when looking at the tests. You've already seen the PRs.

matthiasgoergens · 2023-04-10T05:05:17Z

@Nikratio I added a test.

Nikratio · 2023-04-10T10:38:23Z

Looks like the test discovered some memory leaks.

matthiasgoergens · 2023-04-10T11:24:19Z

Yes, I'll check that. Perhaps it's one I just introduced, even.

matthiasgoergens · 2023-04-10T15:36:23Z

@Nikratio I found the memory leak and fixed it. Weirdly enough, it's in fuse_opt_parse which should have already been suppressed.

More detail: when fuse_opt_parse handles

	{ "source=%s",
	  offsetof(struct lo_data, source), 0 },

in passthrough_ll.c it allocates a brand-new string for us. And that's the one we have to free properly or get scolded for leaking.

matthiasgoergens · 2023-04-10T15:38:00Z

example/passthrough_ll.c


 	} else {
-		lo.source = "/";
+		lo.source = strdup("/");


The true-branch of this if gives us a malloc-ed string. So for symmetry, we make this one a malloced on, too. So we can free without a care further down.

> When you run as root, fuse normally does not call fusermount but uses > the mount system call directly. When you specify auto_unmount, it goes > through fusermount instead. However, fusermount is a setuid binary that > is normally called by regular users, so it cannot in general accept suid > or dev options. In this patch, we split up how fuse mounts as root when `auto_unmount` is specified. First, we mount using system calls directly, then we reach out to fusermount to set up auto_unmount only (with no actual mounting done in fusermount). Fixes libfuse#148

matthiasgoergens · 2023-04-11T13:36:36Z

@Nikratio Does this one need more changes?

test/test_examples.py

Split test into root vs non-root, so that the output of pytest makes clear what functionality is being tested.

matthiasgoergens commented Apr 4, 2023

View reviewed changes

lib/mount.c Outdated Show resolved Hide resolved

lib/mount.c Outdated Show resolved Hide resolved

util/fusermount.c Outdated Show resolved Hide resolved

util/fusermount.c Show resolved Hide resolved

util/fusermount.c Outdated Show resolved Hide resolved

matthiasgoergens mentioned this pull request Apr 4, 2023

fusermount: provide suid,dev for privileged users #759

Closed

Nikratio requested changes Apr 4, 2023

View reviewed changes

matthiasgoergens force-pushed the matthias/fix-dev-suid-2 branch from b035cc2 to cce9598 Compare April 6, 2023 04:01

matthiasgoergens requested a review from Nikratio April 10, 2023 05:14

matthiasgoergens commented Apr 10, 2023

View reviewed changes

matthiasgoergens mentioned this pull request Apr 11, 2023

Stop suppressing memory leak detection #773

Merged

matthiasgoergens added 7 commits April 11, 2023 12:29

Act on review

2833e46

Use MNT_DETACH instead of literal 2

ca8f8e3

Add test

9b1d8d4

Close files

2fb3234

Free source

f8b1cc0

Be extra careful

d0d85c7

Nikratio force-pushed the matthias/fix-dev-suid-2 branch from 50bdd1d to d0d85c7 Compare April 11, 2023 11:29

Merge branch 'master' into matthias/fix-dev-suid-2

5abb0c0

Nikratio reviewed Apr 11, 2023

View reviewed changes

test/test_examples.py Outdated Show resolved Hide resolved

matthiasgoergens added 2 commits April 12, 2023 09:59

Merge branch 'master' into matthias/fix-dev-suid-2

bad79a9

Split test into root vs non-root

4f291a1

Split test into root vs non-root, so that the output of pytest makes clear what functionality is being tested.

matthiasgoergens requested a review from Nikratio April 12, 2023 02:14

Nikratio approved these changes Apr 12, 2023

View reviewed changes

Nikratio merged commit 7297044 into libfuse:master Apr 12, 2023

Comments

Conversation

matthiasgoergens commented Apr 4, 2023

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

matthiasgoergens commented Apr 4, 2023

Uh oh!

bsbernd commented Apr 4, 2023

Uh oh!

Nikratio commented Apr 4, 2023

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Nikratio commented Apr 6, 2023

Uh oh!

matthiasgoergens commented Apr 7, 2023

Uh oh!

matthiasgoergens commented Apr 10, 2023

Uh oh!

Nikratio commented Apr 10, 2023

Uh oh!

matthiasgoergens commented Apr 10, 2023

Uh oh!

matthiasgoergens commented Apr 10, 2023

Uh oh!

matthiasgoergens Apr 10, 2023

Choose a reason for hiding this comment

Uh oh!

matthiasgoergens commented Apr 11, 2023

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants