+2005-04-28 Miklos Szeredi <miklos@szeredi.hu>
+
+ * Check for hard-linked directories in lookup. This could cause
+ problems in the VFS, which assumes that such objects never exist.
+
+ * Make checking of permission for other users more strict. Now
+ the same privilege is required for the mount owner as for ptrace
+ on the process performing the filesystem operation.
+
2005-04-23 Miklos Szeredi <miklos@szeredi.hu>
* Released 2.3-pre5
return err;
}
+static int fuse_allow_task(struct fuse_conn *fc, struct task_struct *task)
+{
+ if (fc->flags & FUSE_ALLOW_OTHER)
+ return 1;
+
+ /* Calling into a user-controlled filesystem gives the
+ filesystem daemon ptrace-like capabilities over the
+ requester process. This means, that the filesystem daemon
+ is able to record the exact filesystem operations
+ performed, and can also control the behavior of the
+ requester process in otherwise impossible ways. For
+ example it can delay the operation for arbitrary length of
+ time allowing DoS against the requester.
+
+ For this reason only those processes can call into the
+ filesystem, for which the owner of the mount has ptrace
+ privilege. This excludes processes started by other users,
+ suid or sgid processes. */
+ if (task->euid == fc->user_id &&
+ task->suid == fc->user_id &&
+ task->uid == fc->user_id &&
+ task->egid == fc->group_id &&
+ task->sgid == fc->group_id &&
+ task->gid == fc->group_id)
+ return 1;
+
+ return 0;
+}
+
static int fuse_revalidate(struct dentry *entry)
{
struct inode *inode = entry->d_inode;
struct fuse_inode *fi = get_fuse_inode(inode);
struct fuse_conn *fc = get_fuse_conn(inode);
- if (get_node_id(inode) == FUSE_ROOT_ID) {
- if (!(fc->flags & FUSE_ALLOW_OTHER) &&
- current->fsuid != fc->user_id)
- return -EACCES;
- } else if (time_before_eq(jiffies, fi->i_time))
+ if (!fuse_allow_task(fc, current))
+ return -EACCES;
+ if (get_node_id(inode) != FUSE_ROOT_ID &&
+ time_before_eq(jiffies, fi->i_time))
return 0;
return fuse_do_getattr(inode);
{
struct fuse_conn *fc = get_fuse_conn(inode);
- if (!(fc->flags & FUSE_ALLOW_OTHER) && current->fsuid != fc->user_id)
+ if (!fuse_allow_task(fc, current))
return -EACCES;
else if (fc->flags & FUSE_DEFAULT_PERMISSIONS) {
#ifdef KERNEL_2_6_10_PLUS
int err = fuse_lookup_iget(dir, entry, &inode);
if (err)
return ERR_PTR(err);
+ if (inode && S_ISDIR(inode->i_mode)) {
+ /* Don't allow creating an alias to a directory */
+ struct dentry *alias = d_find_alias(inode);
+ if (alias && !(alias->d_flags & DCACHE_DISCONNECTED)) {
+ dput(alias);
+ iput(inode);
+ return ERR_PTR(-EIO);
+ }
+ }
return d_splice_alias(inode, entry);
}
#else /* KERNEL_2_6 */
/** The user id for this mount */
uid_t user_id;
+ /** The group id for this mount */
+ gid_t group_id;
+
/** The fuse mount flags for this mount */
unsigned flags;
int fd;
unsigned rootmode;
unsigned user_id;
+ unsigned group_id;
unsigned flags;
unsigned max_read;
};
spin_lock(&fuse_lock);
fc->mounted = 0;
fc->user_id = 0;
+ fc->group_id = 0;
fc->flags = 0;
/* Flush all readers on this fs */
wake_up_all(&fc->waitq);
OPT_FD,
OPT_ROOTMODE,
OPT_USER_ID,
+ OPT_GROUP_ID,
OPT_DEFAULT_PERMISSIONS,
OPT_ALLOW_OTHER,
OPT_KERNEL_CACHE,
{OPT_FD, "fd=%u"},
{OPT_ROOTMODE, "rootmode=%o"},
{OPT_USER_ID, "user_id=%u"},
+ {OPT_GROUP_ID, "group_id=%u"},
{OPT_DEFAULT_PERMISSIONS, "default_permissions"},
{OPT_ALLOW_OTHER, "allow_other"},
{OPT_KERNEL_CACHE, "kernel_cache"},
d->user_id = value;
break;
+ case OPT_GROUP_ID:
+ if (match_int(&args[0], &value))
+ return 0;
+ d->group_id = value;
+ break;
+
case OPT_DEFAULT_PERMISSIONS:
d->flags |= FUSE_DEFAULT_PERMISSIONS;
break;
struct fuse_conn *fc = get_fuse_conn_super(mnt->mnt_sb);
seq_printf(m, ",user_id=%u", fc->user_id);
+ seq_printf(m, ",group_id=%u", fc->group_id);
if (fc->flags & FUSE_DEFAULT_PERMISSIONS)
seq_puts(m, ",default_permissions");
if (fc->flags & FUSE_ALLOW_OTHER)
fc->flags = d.flags;
fc->user_id = d.user_id;
+ fc->group_id = d.group_id;
fc->max_read = d.max_read;
#ifdef KERNEL_2_6
if (fc->max_read / PAGE_CACHE_SIZE < fc->bdi.ra_pages)
char *d;
char *fsname = NULL;
- optbuf = malloc(strlen(opts) + 64);
+ optbuf = malloc(strlen(opts) + 128);
if (!optbuf) {
fprintf(stderr, "%s: failed to allocate memory\n", progname);
return -1;
fsname[len - fsname_str_len] = '\0';
} else if (!begins_with(s, "fd=") &&
!begins_with(s, "rootmode=") &&
- !begins_with(s, "user_id=")) {
+ !begins_with(s, "user_id=") &&
+ !begins_with(s, "group_id=")) {
int on;
int flag;
int skip_option = 0;
free(optbuf);
return -1;
}
- sprintf(d, "fd=%i,rootmode=%o,user_id=%i", fd, rootmode, getuid());
+ sprintf(d, "fd=%i,rootmode=%o,user_id=%i,group_id=%i",
+ fd, rootmode, getuid(), getgid());
if (fsname == NULL) {
fsname = strdup(dev);
if (!fsname) {
projects / qemu-gpiodev / libfuse.git / commitdiff