| Age | Commit message (Collapse) | Author | Lines | 
|---|
|  | Addresses issue https://github.com/libfuse/libfuse/issues/982 | 
|  | x_mnt_opts was not initialized to 0, but strncat was done
Spotted by cppcheck running on our ddn branch. | 
|  | Client code might allocate a lot of memory before starting the mount.
Fork is slow for processes that are using a lot of memory.  But
posix_spawn fixes that.
Another issue with fork is if the process is also doing RDMA - this
might lead to data corruption, as least if memory used for RDMA
is not marked with MADV_DONTFORK.  At least with linux kernels
before 5.12.
Also see https://blog.nelhage.com/post/a-cursed-bug/ for more details
Change by Bernd:
This also prepares the new fusermount option "--comm-fd", but keeps
the previous way to pass the parameter as env variable. In a future
release (exact data to be determined) we are going to remove usage
of the env variable and will switch to the new parameter. | 
|  | Commit 74b1df2e introduced a heap-buffer-overflow, as
allocated memory was not initialized and extract_x_options
was also not checking for the remaining buffer size.
Fix is to initialize the buffer and to also not exceed the buffer
size. Actually not exceeding buffer size is rather complex with C
and introduced quite some code changes.
Also fixed is a memory leak of allocated buffers in the commit
mentioned above. | 
|  | This implements #651, tested with bindfs.
"x-*" options are comments meant to be interpreted by userspace.
#651 is about some 3rd party mount options like 'x-gvfs-notrash'.
This also removes the test if /etc/mtab is a symlink.
This test was added in commit 5f28cd15ab43c741f6d116be4d3a9aa5d82ab385
and the corresponding ChangeLog entry in this commit points to mount
issues for read-only mtab.
However, in all recent Linux distributions /etc/mtab is a symlink to
/proc/self/mounts and never writable. In fact, util-linux 2.39
(libmount) entirely removed support for a writable mtab.
At least since util-linux 2.19 (10-Feb-2011) /run/mount/utab is used
as replacement for userspace mount entries.. | 
|  | With Linux Kernel 5.15 new ntfs kernel driver NTFS3 was included. It must be whitelisted as a permitted mount target. | 
|  |  | 
|  | This is just to [keep address sanitizer happy](https://github.com/libfuse/libfuse/actions/runs/4730520764/jobs/8394347666?pr=784).  The OS would normally clean this up anyway.
Co-authored-by: Nikolaus Rath <Nikolaus@rath.org> | 
|  | * Fuse mount: make auto_unmount compatible with suid/dev mount options
> When you run as root, fuse normally does not call fusermount but uses
> the mount system call directly. When you specify auto_unmount, it goes
> through fusermount instead. However, fusermount is a setuid binary that
> is normally called by regular users, so it cannot in general accept suid
> or dev options.
In this patch, we split up how fuse mounts as root when `auto_unmount`
is specified.
First, we mount using system calls directly, then we reach out to
fusermount to set up auto_unmount only (with no actual mounting done in
fusermount).
Fixes: #148 | 
|  | Mostly for consistency with mount(8).
Co-authored-by: Nikolaus Rath <Nikolaus@rath.org> | 
|  | as well as <sys/mount.h> inclusion to new fuse_mount_compat.h file.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com> | 
|  | Fixes https://github.com/libfuse/libfuse/issues/634 and https://github.com/mpartel/bindfs/issues/106 | 
|  |  | 
|  |  | 
|  | In
https://github.com/libfuse/libfuse/blob/77d662459a0fcdf358d515477d33795837e859d5/util/fusermount.c#L1219
`open` is executed as root which does not have access to the mount
point if `allow_other` was not used and the real user id is not 0. Since
`allow_other` usually cannot be specified by unprivileged users,
`auto_unmount` has no effect for unprivileged users.
In this commit, we work around this limitation:
We first try to open the mountpoint as root, and if we get `EACCES`, we
retry as the user who started fusermount, and see if we get `ENOTCONN`.
In my testing, I found that `setfsuid` and `setfsgid` don't work to get
around the lack of `allow_other`.  (Sorry, I don't know enough about the
Linux kernel to tell whether that's significant.)  As a workaround, I
decided to use `setresuid` and `setresgid` in a forked child process,
and communicate via its exit status.
Please give feedback on correctness, style and suggest tests.
Fixes https://github.com/libfuse/libfuse/issues/586 | 
|  | Previous patch had forgotten fusermount. And also had "lazyatime"
instead of "lazytime". | 
|  | This addresses: https://github.com/libfuse/libfuse/issues/724
HAVE_LIBC_VERSIONED_SYMBOLS configures the library if to use
versioned symbols and is set at meson configuration time.
External filesystems (the main target, actually)
include fuse headers and the preprocessor
then acts on HAVE_LIBC_VERSIONED_SYMBOLS. Problem was now that
'config.h' was not distributed with libfuse and so
HAVE_LIBC_VERSIONED_SYMBOLS was never defined with external
tools and the preprocessor did the wrong decision.
This commit also increases the the minimal meson version,
as this depends on meson feature only available in 0.50
<quote 'meson' >
WARNING: Project specifies a minimum meson_
version '>= 0.42' but uses features which were added
 in newer versions:
 * 0.50.0: {'install arg in configure_file'}
</quote>
Additionally the config file has been renamed to "fuse_config.h"
to avoid clashes - 'config.h' is not very specific. | 
|  | Commit 0bef21e8543d removed "-o nonempty" since mounting over
non-empty directories is always allowed. But this broke tools which
specify "-o nonempty". Since the expected behaviour is the same
anyway, ignoring the "nonempty" option seems safe, and allows programs
specifying "-o nonempty" to continue working with fusermount3.
This would fix https://bugs.debian.org/939767
Signed-off-by: Stephen Kitt <steve@sk2.org> | 
|  | It is perfectly legal to execute a program with argc == 0 and therefore
no argv.
fusermount needs to check for this case, otherwise it will pass a NULL
poiunter to strdup() and cause undefined behavior.
Especially since fusermount is setuid root, we need to extra be careful.
Signed-off-by: Richard Weinberger <richard@nod.at> | 
|  | UMOUNT_NOFOLLOW was added in Kernel 2.6.34. It's been 10 years since it's been added
Kernel 5.9, and 5.10 break this check mechanism[1]. Let's deprecate it.
[1]: https://lore.kernel.org/linux-fsdevel/20201223102604.2078-1-sargun@sargun.me/
Signed-off-by: Sargun Dhillon <sargun@sargun.me> | 
|  |  | 
|  |  | 
|  | IN a bunch of comments we say 'under the terms of the GNU GPL', make
it clear this is GPLv2 (as LICENSE says).
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> | 
|  |  | 
|  | chdir_to_parent and check_is_mount are used by should_auto_mount, added
in fuse-3.3.0, regardless of whether IGNORE_MTAB is defined. | 
|  | See also https://bugzilla.redhat.com/1694552#c7
Signed-off-by: Peter Lemenkov <lemenkov@gmail.com> | 
|  |  | 
|  | This isn't a system header.
Fixes: #349 | 
|  | cd to mountpoint's parent directory using unprivileged rather than 
privileged access. This is to ensure that unmount works on mountpoints
where root may not have privileged access.
Fixes: #376 | 
|  | Fixes: #336. | 
|  | If a fuse filesystem was mounted in auto_unmount mode on top of an
already mounted filesystem, we would end up doing a double-unmount
when the fuse filesystem was unmounted properly.
Make the auto_unmount code less eager: unmount only if the mounted
filesystem has proper type and is returning 'Transport endpoint not
connected'. | 
|  | Fixes: #304 
Signed-off-by: Valentin Plugaru <valentin.plugaru@uni.lu> | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | Before:
$ _FUSE_COMMFD=1 priv_strace -s8000 -e trace=mount util/fusermount3 /proc/self/fd
mount("/dev/fuse", ".", "fuse", MS_NOSUID|MS_NODEV, "fd=3,rootmode=40000,user_id=379777,group_id=5001") = 0
sending file descriptor: Socket operation on non-socket
+++ exited with 1 +++
After:
$ _FUSE_COMMFD=1 priv_strace -s8000 -e trace=mount util/fusermount3 /proc/self/fd
util/fusermount3: mounting over filesystem type 0x009fa0 is forbidden
+++ exited with 1 +++
This patch could potentially have security
impact on some systems that are configured with allow_other;
see https://launchpad.net/bugs/1530566 for an example of how a similar
issue in the ecryptfs mount helper was exploitable. However, the FUSE
mount helper performs slightly different security checks, so that exact
attack doesn't work with fusermount; I don't know of any specific attack
you could perform using this, apart from faking the SELinux context of your
process when someone's looking at a process listing. Potential targets for
overwrite are (looking on a system with a 4.9 kernel):
writable only for the current process:
/proc/self/{fd,map_files}
(Yes, "ls -l" claims that you don't have write access, but that's not true;
"find -writable" will show you what access you really have.)
writable also for other owned processes:
/proc/$pid/{sched,autogroup,comm,mem,clear_refs,attr/*,oom_adj,
oom_score_adj,loginuid,coredump_filter,uid_map,gid_map,projid_map,
setgroups,timerslack_ns} | 
|  | Blacklists are notoriously fragile; especially if the kernel wishes to add
some security-critical mount option at a later date, all existing systems
with older versions of fusermount installed will suddenly have a security
problem.
Additionally, if the kernel's option parsing became a tiny bit laxer, the
blacklist could probably be bypassed.
Whitelist known-harmless flags instead, even if it's slightly more
inconvenient. | 
|  | If an attacker wishes to use the default configuration instead of the
system's actual configuration, they can attempt to trigger a failure in
read_conf(). This only permits increasing mount_max if it is lower than the
default, so it's not particularly interesting. Still, this should probably
be prevented robustly; bail out if funny stuff happens when we're trying to
read the config.
Note that the classic attack trick of opening so many files that the
system-wide limit is reached won't work here - because fusermount only
drops the fsuid, not the euid, the process is running with euid=0 and
CAP_SYS_ADMIN, so it bypasses the number-of-globally-open-files check in
get_empty_filp() (unless you're inside a user namespace). | 
|  | The old code permits the following behavior:
$ _FUSE_COMMFD=10000 priv_strace -etrace=mount -s200 fusermount -o 'foobar=\,allow_other' mount
mount("/dev/fuse", ".", "fuse", MS_NOSUID|MS_NODEV, "foobar=\\,allow_other,fd=3,rootmode=40000,user_id=1000,group_id=1000") = -1 EINVAL (Invalid argument)
However, backslashes do not have any special meaning for the kernel here.
As it happens, you can't abuse this because there is no FUSE mount option
that takes a string value that can contain backslashes; but this is very
brittle. Don't interpret "escape characters" in places where they don't
work. | 
|  | Currently, in the kernel, copy_mount_options() copies in one page of
userspace memory (or less if some of that memory area is not mapped).
do_mount() then writes a null byte to the last byte of the copied page.
This means that mount option strings longer than PAGE_SIZE-1 bytes get
truncated silently.
Therefore, this can happen:
user@d9-ut:~$ _FUSE_COMMFD=10000 fusermount -o "$(perl -e 'print ","x4000')" mount
sending file descriptor: Bad file descriptor
user@d9-ut:~$ grep /mount /proc/mounts
/dev/fuse /home/user/mount fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
user@d9-ut:~$ fusermount -u mount
user@d9-ut:~$ _FUSE_COMMFD=10000 fusermount -o "$(perl -e 'print ","x4050')" mount
sending file descriptor: Bad file descriptor
user@d9-ut:~$ grep /mount /proc/mounts
/dev/fuse /home/user/mount fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=100 0 0
user@d9-ut:~$ fusermount -u mount
user@d9-ut:~$ _FUSE_COMMFD=10000 fusermount -o "$(perl -e 'print ","x4051')" mount
sending file descriptor: Bad file descriptor
user@d9-ut:~$ grep /mount /proc/mounts
/dev/fuse /home/user/mount fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=10 0 0
user@d9-ut:~$ fusermount -u mount
user@d9-ut:~$ _FUSE_COMMFD=10000 fusermount -o "$(perl -e 'print ","x4052')" mount
sending file descriptor: Bad file descriptor
user@d9-ut:~$ grep /mount /proc/mounts
/dev/fuse /home/user/mount fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=1 0 0
user@d9-ut:~$ fusermount -u mount
I'm not aware of any context in which this is actually exploitable - you'd
still need the UIDs to fit, and you can't do it if the three GIDs of the
process don't match (in the case of a typical setgid binary), but it does
look like something that should be fixed.
I also plan to try to get this fixed on the kernel side. | 
|  | Silence below warnings which appear if IGNORE_MTAB is defined.
[59/64] Compiling C object 'util/fusermount3@exe/fusermount.c.o'.
../util/fusermount.c:493:12: warning: function declaration isn't a prototype [-Wstrict-prototypes]
 static int count_fuse_fs()
            ^~~~~~~~~~~~~
../util/fusermount.c: In function 'unmount_fuse':
../util/fusermount.c:508:46: warning: unused parameter 'quiet' [-Wunused-parameter]
 static int unmount_fuse(const char *mnt, int quiet, int lazy)
                                              ^~~~~ | 
|  |  | 
|  |  | 
|  |  | 
|  | This brings the default behavior in-line with that of the
regular `mount` command. | 
|  | ...options.  Uids/gids larger than 2147483647 would result in EINVAL when
mounting the filesystem.  This also needs a fix in the kernel. | 
|  |  |