Skip to content

/osxfuse

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Finder permissioning problem #5

Closed
PeterStegemann opened this issue Aug 2, 2011 · 6 comments
Assignees
@bfleischer
Milestone
2.3.2

Comments

@PeterStegemann
Copy link

@PeterStegemann PeterStegemann commented Aug 2, 2011

Finder is using a root owned helper task "Locum" to perform some operations. With MacOS 10.7., this task is involved in Finders drag and drop operation. These operations fail on MacFUSE/osxfuse drives if they are not mounted with the "allow_other" option. Even though this could be considered as a Finder bug, I suggest changing the permission check in osdxfuse to address this issue and to give the users a flawless working version of osxfuse.

Form a technical perspective, the difference between 10.6. and 10.7. is visible in fuse_match_cred():

This is what we get on 10.7:

uid=502, ruid=0, groups[0]=20, gid=0, svgid=0

And this is what is expected (and is given by 10.6.):

uid=502, ruid=502, groups[0]=20, gid=20, svgid=20

One possible fix is to only check uid and groups in fuse_match_cred(), which seems to be sufficent. Or, as an alternative, only skip checking gid and svgid if they are 0.
@ghost ghost assigned bfleischer Aug 2, 2011
@bfleischer

This comment has been minimized.

Sign in to view
Copy link
Member

@bfleischer bfleischer commented Aug 18, 2011

I can't reproduce the various uid/gid values you are seeing.

On Snow Leopard I get three calls to fuse_match_cred with UID=0 RUID=0 GID=0 RGID=0 SVGID=0 (and a lot with the correct credentials) when I drag one file to the FUSE volume. From then on there are only calls to fuse_match_cred with the correct credentials UID=501 RUID=501 GID=20 RGID=20 SVGID=20.

On Lion I keep getting those UID=0 RUID=0 GID=0 RGID=0 SVGID=0 calls to fuse_match_cred on a regular basis.

As I understand it Snow Leopard falls back to the regular Finder process for moving/copying files after Locum is denied access to the FUSE volume (three times). Lion on the other hand does not seem to fall back on Finder but displays an error message instead.
@bfleischer

This comment has been minimized.

Sign in to view
Copy link
Member

@bfleischer bfleischer commented Aug 18, 2011

Scratch my previous post. Now I'm seeing those calls to fuse_match_cred with UID=501 RUID=0 GID=20 RGID=0 SVGID=0
@PeterStegemann

This comment has been minimized.

Sign in to view
Copy link
Author

@PeterStegemann PeterStegemann commented Aug 18, 2011

On Aug 18, 2011, at 14:45 , bfleischer wrote:

Scratch my previous post. Now I'm seeing those calls to fuse_match with UID=501 RUID=0 GID=20 RGID=0 SVGID=0

I was just thinking about how to reproduce this, as I didn't touch Lion for some weeks :-)

Regards,
Peter
@bfleischer

This comment has been minimized.

Sign in to view
Copy link
Member

@bfleischer bfleischer commented Aug 18, 2011

I'm in favor of just checking EUID and EGID.

  • Any process with EUID/EGID set to our UID/GID is able to change its RUID/RGID to those values. As I understand it checking RUID/GUID does help at all against an "attacker" (process with a different RUID/GUID) who is able to act on behalf of the user who mounted the file system.
  • Any root process can change its UID/GID values to those of any user. Preventing a system process (EUID/EGUID=0) from accessing a FUSE file system is just a form of defense against a misbehaving file system that could hang the system process.

In short: Dropping the checks for RUID/RGID and SVGID should not create a new security thread.
@PeterStegemann

This comment has been minimized.

Sign in to view
Copy link
Author

@PeterStegemann PeterStegemann commented Aug 19, 2011

I 100% agree. And it's a very local change with a low impact of breaking something that worked before.
@bfleischer

This comment has been minimized.

Sign in to view
Copy link
Member

@bfleischer bfleischer commented Aug 19, 2011

Closed. Thanks Peter for tracking the issue down!
@bfleischer bfleischer closed this Aug 19, 2011
bfleischer added a commit that referenced this issue Aug 19, 2011
@bfleischer
Allow a file system request if EUID/EGID of the request match the EUI…
9bd1b9c 
…D/EGID of

the FUSE deamon

This fixes an issue with OS X Lion's Finder which relies on a helper process
called Locum to perform some file system operations. Locum acts on behalf of
the current user (EUID/EGID) but its RUID/RGID are set to root/wheel.
MacFUSE/OSXFUSE used to allow file system requests only if EUID/EGID,
RUID/EGID and SVGID matched the EUID/EGID of the FUSE daemon.

Closes issue #5: Finder permissioning problem
bfleischer added a commit that referenced this issue Nov 4, 2011
@bfleischer
Allow a file system request if EUID/EGID of the request match the EUI…
331211e 
…D/EGID of

the FUSE deamon

This fixes an issue with OS X Lion's Finder which relies on a helper process
called Locum to perform some file system operations. Locum acts on behalf of
the current user (EUID/EGID) but its RUID/RGID are set to root/wheel.
MacFUSE/OSXFUSE used to allow file system requests only if EUID/EGID,
RUID/EGID and SVGID matched the EUID/EGID of the FUSE daemon.

Closes issue #5: Finder permissioning problem
@leeze leeze mentioned this issue Sep 24, 2012
Closed
@pliard-chromium pliard-chromium mentioned this issue Jul 19, 2016
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bfleischer bfleischer

Labels
None yet
Projects
None yet
Milestone
  2.3.2
2 participants
@PeterStegemann @bfleischer
You can’t perform that action at this time.