aboutsummaryrefslogtreecommitdiffstats
path: root/util
AgeCommit message (Collapse)AuthorLines
2023-03-28Review feedback: rename and commentsMatthias Goergens-3/+9
2023-03-28Fix `auto_unmount` to work without `allow_other`Matthias Goergens-1/+46
In https://github.com/libfuse/libfuse/blob/77d662459a0fcdf358d515477d33795837e859d5/util/fusermount.c#L1219 `open` is executed as root which does not have access to the mount point if `allow_other` was not used and the real user id is not 0. Since `allow_other` usually cannot be specified by unprivileged users, `auto_unmount` has no effect for unprivileged users. In this commit, we work around this limitation: We first try to open the mountpoint as root, and if we get `EACCES`, we retry as the user who started fusermount, and see if we get `ENOTCONN`. In my testing, I found that `setfsuid` and `setfsgid` don't work to get around the lack of `allow_other`. (Sorry, I don't know enough about the Linux kernel to tell whether that's significant.) As a workaround, I decided to use `setresuid` and `setresgid` in a forked child process, and communicate via its exit status. Please give feedback on correctness, style and suggest tests. Fixes https://github.com/libfuse/libfuse/issues/586
2023-03-20Add more time mount options to fusermount / fix lazytimeBernd Schubert-0/+8
Previous patch had forgotten fusermount. And also had "lazyatime" instead of "lazytime".
2023-01-28Install a the configure_file (config.h) and use in headersBernd Schubert-2/+2
This addresses: https://github.com/libfuse/libfuse/issues/724 HAVE_LIBC_VERSIONED_SYMBOLS configures the library if to use versioned symbols and is set at meson configuration time. External filesystems (the main target, actually) include fuse headers and the preprocessor then acts on HAVE_LIBC_VERSIONED_SYMBOLS. Problem was now that 'config.h' was not distributed with libfuse and so HAVE_LIBC_VERSIONED_SYMBOLS was never defined with external tools and the preprocessor did the wrong decision. This commit also increases the the minimal meson version, as this depends on meson feature only available in 0.50 <quote 'meson' > WARNING: Project specifies a minimum meson_ version '>= 0.42' but uses features which were added in newer versions: * 0.50.0: {'install arg in configure_file'} </quote> Additionally the config file has been renamed to "fuse_config.h" to avoid clashes - 'config.h' is not very specific.
2022-09-08Add option to specify init script locationFina Wilke-13/+12
Also allows to disable the installation if desired
2022-09-04API update for fuse_loop_config additionsBernd Schubert-1/+1
struct fuse_loop_config was passed as a plain struct, without any version identifer. This had two implications 1) Any addition of new parameters required a FUSE_SYMVER for fuse_session_loop_mt() and fuse_loop_mt() as otherwise a read beyond end-of previous struct size might have happened. 2) Filesystems also might have been recompiled and the developer might not have noticed the struct extensions and unexpected for the developer (or people recomliling the code) uninitialized parameters would have been passed. Code is updated to have struct fuse_loop_config as an opaque/private data type for file systems that want version 312 (FUSE_MAKE_VERSION(3, 12)). The deprecated fuse_loop_config_v1 is visible, but should not be used outside of internal conversion functions File systems that want version >= 32 < 312 get the previous struct (through ifdefs) and the #define of fuse_loop_mt and fuse_session_loop_mt ensures that these recompiled file systems call into the previous API, which then converts the struct. This is similar to existing compiled applications when just libfuse updated, but binaries it is solved with the FUSE_SYMVER ABI compact declarations. Signed-off-by: Bernd Schubert <bschubert@ddn.com>
2022-07-02Revert "Increase meson min version and avoid get_pkgconfig_variable warning ↵Nikolaus Rath-1/+1
(#682)" This reverts commit 8db2ba06fef10f38f90b0f3213dd39ec07678e2f. This Meson version is not yet generally available, so we do not want to depend on it..
2022-06-20Increase meson min version and avoid get_pkgconfig_variable warning (#682)Bernd Schubert-1/+1
meson was complaining: Build targets in project: 27 NOTICE: Future-deprecated features used: * 0.56.0: {'Dependency.get_pkgconfig_variable'} So change to .get_variable(pkgconfig : 'type' and also increase the meson minimal version to be able to handle it. Co-authored-by: Bernd Schubert <bschubert@ddn.com>
2021-09-06Fix: fd and memory leak in mount.fuse.c (#614)lixiaokeng-1/+6
The command isn't freed and the fuse_fd isn't closed if execl failed. Fix it. Signed-off-by: Lixiaokeng <lixiaokeng@huawei.com>
2021-08-25use same hashbang as in rest of repositorya1346054-1/+1
2021-01-28Ignore "-o nonempty" (#582)Stephen Kitt-1/+2
Commit 0bef21e8543d removed "-o nonempty" since mounting over non-empty directories is always allowed. But this broke tools which specify "-o nonempty". Since the expected behaviour is the same anyway, ignoring the "nonempty" option seems safe, and allows programs specifying "-o nonempty" to continue working with fusermount3. This would fix https://bugs.debian.org/939767 Signed-off-by: Stephen Kitt <steve@sk2.org>
2021-01-08fusermount: Check for argv[0] being present (#577)richardweinberger-1/+1
It is perfectly legal to execute a program with argc == 0 and therefore no argv. fusermount needs to check for this case, otherwise it will pass a NULL poiunter to strdup() and cause undefined behavior. Especially since fusermount is setuid root, we need to extra be careful. Signed-off-by: Richard Weinberger <richard@nod.at>
2020-12-27util/fusermount.c: Assume the kernel supports UMOUNT_NOFOLLOW (#574)Sargun Dhillon-23/+1
UMOUNT_NOFOLLOW was added in Kernel 2.6.34. It's been 10 years since it's been added Kernel 5.9, and 5.10 break this check mechanism[1]. Let's deprecate it. [1]: https://lore.kernel.org/linux-fsdevel/20201223102604.2078-1-sargun@sargun.me/ Signed-off-by: Sargun Dhillon <sargun@sargun.me>
2020-12-19Add exfat to whitelist (#573)Kangjing "Chaser" Huang-0/+1
2020-11-06mount.fuse.c: fix potential memory leak in main funcZhiqiang Liu-2/+11
In mount.fuse.c, there are several memory leak problems in main func. For example, setuid_name is allocated by calling xstrdup func, however it is not freed before calling execl func. Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com> Signed-off-by: Haotian Li <lihaotian9@huawei.com>
2020-11-06mount.fuse.c: fix potential accessing NULL pointerZhiqiang Liu-1/+1
In mount.fuse.c, pwd is set by calling getpwnam func. If the matching entry is not found or an error occurs in getpwnam func, pwd will be NULL. So we need to check whether pwd is NULL before accessing it. Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com> Signed-off-by: Haotian Li <lihaotian9@huawei.com>
2020-03-13Align help options (#500)Andrew Gaul-1/+1
2020-03-13State GPL version in comment (#485)Dr. David Alan Gilbert-2/+2
IN a bunch of comments we say 'under the terms of the GNU GPL', make it clear this is GPLv2 (as LICENSE says). Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
2019-12-31Make ioctl prototype conditional on FUSE_USE_VERSION. (#482)Bill Zissimopoulos-1/+1
Define FUSE_USE_VERSION < 35 to get old ioctl prototype with int commands; define FUSE_USE_VERSION >= 35 to get new ioctl prototype with unsigned int commands. Fixes #463.
2019-09-15Whitelist UFSD (#451)tenzap-0/+1
2019-07-09Install init script in /etc/ instead of $sysconfdirNikolaus Rath-2/+2
sysconfdir defaults to /usr/local/etc which is almost always the wrong choice. Fixes: #427
2019-07-04Add build option to skip steps requiring root permissionsDrDaveD-7/+10
2019-06-15Fix build with IGNORE_MTAB (#425)Michael Forney-0/+2
chdir_to_parent and check_is_mount are used by should_auto_mount, added in fuse-3.3.0, regardless of whether IGNORE_MTAB is defined.
2019-05-05add defines for missing SECBITs on older kernels (#409)DrDaveD-0/+19
2019-04-03Whitelist smb2 (#392)Peter Lemenkov-4/+5
See also https://bugzilla.redhat.com/1694552#c7 Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>
2019-03-09Add HFS+ to filesystem whitelist (#347)1c7718e7-0/+1
2019-03-09Correctly include config.h ("" vs <>)Nikolaus Rath-3/+3
This isn't a system header. Fixes: #349
2019-03-08fusermount: drop privileges for chdir()Sam Huffman-0/+2
cd to mountpoint's parent directory using unprivileged rather than privileged access. This is to ensure that unmount works on mountpoints where root may not have privileged access. Fixes: #376
2019-01-04Added OpenAFS to type whitelistNikolaus Rath-0/+1
Fixes: #336.
2018-11-19examples: add copy_file_range() support to passthrough(_fh)Niels de Vos-1/+1
The passthrough example filesystem can be used for validating the API and the implementation in the FUSE kernel module.
2018-11-06Avoid double unmount on normal unmount in auto_unmount mode.Kevin Vigor-11/+63
If a fuse filesystem was mounted in auto_unmount mode on top of an already mounted filesystem, we would end up doing a double-unmount when the fuse filesystem was unmounted properly. Make the auto_unmount code less eager: unmount only if the mounted filesystem has proper type and is returning 'Transport endpoint not connected'.
2018-10-19Add SpectrumScale/GPFS and Lustre to FS whitelistValentin Plugaru-0/+2
Fixes: #304 Signed-off-by: Valentin Plugaru <valentin.plugaru@uni.lu>
2018-10-09Add unprivileged option in `mount.fuse3`Mattias Nissler-17/+198
The unprivileged option allows to run the FUSE file system process without privileges by dropping capabilities and preventing them from being re-acquired via setuid / fscaps etc. To accomplish this, mount.fuse sets up the `/dev/fuse` file descriptor and mount itself and passes the file descriptor via the `/dev/fd/%u` mountpoint syntax to the FUSE file system.
2018-09-17Don't special-case bulid of mount_util.c.Nikolaus Rath-11/+1
We already support out of source builds without this.
2018-08-31Do not hardcode /etc/fuse.conf path.Nikolaus Rath-12/+29
2018-08-09Add bcachefs to mountpoint file system whitelistDaniel Fullmer-0/+1
2018-08-05Add FAT to mountpoint file system whitelistBenjamin Barenblat-0/+1
2018-08-05Realphabetize and re-document mountpoint file system whitelistBenjamin Barenblat-4/+6
2018-07-31Add autofs to mountpoint file system whitelistRobo Shimmer-0/+1
2018-07-23fusermount: Fix memory leaksRostislav Skudnov-0/+2
2018-07-18fusermount: whitelist known-good filesystems for mountpointsJann Horn-1/+49
Before: $ _FUSE_COMMFD=1 priv_strace -s8000 -e trace=mount util/fusermount3 /proc/self/fd mount("/dev/fuse", ".", "fuse", MS_NOSUID|MS_NODEV, "fd=3,rootmode=40000,user_id=379777,group_id=5001") = 0 sending file descriptor: Socket operation on non-socket +++ exited with 1 +++ After: $ _FUSE_COMMFD=1 priv_strace -s8000 -e trace=mount util/fusermount3 /proc/self/fd util/fusermount3: mounting over filesystem type 0x009fa0 is forbidden +++ exited with 1 +++ This patch could potentially have security impact on some systems that are configured with allow_other; see https://launchpad.net/bugs/1530566 for an example of how a similar issue in the ecryptfs mount helper was exploitable. However, the FUSE mount helper performs slightly different security checks, so that exact attack doesn't work with fusermount; I don't know of any specific attack you could perform using this, apart from faking the SELinux context of your process when someone's looking at a process listing. Potential targets for overwrite are (looking on a system with a 4.9 kernel): writable only for the current process: /proc/self/{fd,map_files} (Yes, "ls -l" claims that you don't have write access, but that's not true; "find -writable" will show you what access you really have.) writable also for other owned processes: /proc/$pid/{sched,autogroup,comm,mem,clear_refs,attr/*,oom_adj, oom_score_adj,loginuid,coredump_filter,uid_map,gid_map,projid_map, setgroups,timerslack_ns}
2018-07-18fusermount: refuse unknown optionsJann Horn-1/+7
Blacklists are notoriously fragile; especially if the kernel wishes to add some security-critical mount option at a later date, all existing systems with older versions of fusermount installed will suddenly have a security problem. Additionally, if the kernel's option parsing became a tiny bit laxer, the blacklist could probably be bypassed. Whitelist known-harmless flags instead, even if it's slightly more inconvenient.
2018-07-18fusermount: bail out on transient config read failureJann Horn-0/+9
If an attacker wishes to use the default configuration instead of the system's actual configuration, they can attempt to trigger a failure in read_conf(). This only permits increasing mount_max if it is lower than the default, so it's not particularly interesting. Still, this should probably be prevented robustly; bail out if funny stuff happens when we're trying to read the config. Note that the classic attack trick of opening so many files that the system-wide limit is reached won't work here - because fusermount only drops the fsuid, not the euid, the process is running with euid=0 and CAP_SYS_ADMIN, so it bypasses the number-of-globally-open-files check in get_empty_filp() (unless you're inside a user namespace).
2018-07-18fusermount: don't feed "escaped commas" into mount optionsJann Horn-1/+4
The old code permits the following behavior: $ _FUSE_COMMFD=10000 priv_strace -etrace=mount -s200 fusermount -o 'foobar=\,allow_other' mount mount("/dev/fuse", ".", "fuse", MS_NOSUID|MS_NODEV, "foobar=\\,allow_other,fd=3,rootmode=40000,user_id=1000,group_id=1000") = -1 EINVAL (Invalid argument) However, backslashes do not have any special meaning for the kernel here. As it happens, you can't abuse this because there is no FUSE mount option that takes a string value that can contain backslashes; but this is very brittle. Don't interpret "escape characters" in places where they don't work.
2018-07-18fusermount: prevent silent truncation of mount optionsJann Horn-3/+20
Currently, in the kernel, copy_mount_options() copies in one page of userspace memory (or less if some of that memory area is not mapped). do_mount() then writes a null byte to the last byte of the copied page. This means that mount option strings longer than PAGE_SIZE-1 bytes get truncated silently. Therefore, this can happen: user@d9-ut:~$ _FUSE_COMMFD=10000 fusermount -o "$(perl -e 'print ","x4000')" mount sending file descriptor: Bad file descriptor user@d9-ut:~$ grep /mount /proc/mounts /dev/fuse /home/user/mount fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0 user@d9-ut:~$ fusermount -u mount user@d9-ut:~$ _FUSE_COMMFD=10000 fusermount -o "$(perl -e 'print ","x4050')" mount sending file descriptor: Bad file descriptor user@d9-ut:~$ grep /mount /proc/mounts /dev/fuse /home/user/mount fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=100 0 0 user@d9-ut:~$ fusermount -u mount user@d9-ut:~$ _FUSE_COMMFD=10000 fusermount -o "$(perl -e 'print ","x4051')" mount sending file descriptor: Bad file descriptor user@d9-ut:~$ grep /mount /proc/mounts /dev/fuse /home/user/mount fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=10 0 0 user@d9-ut:~$ fusermount -u mount user@d9-ut:~$ _FUSE_COMMFD=10000 fusermount -o "$(perl -e 'print ","x4052')" mount sending file descriptor: Bad file descriptor user@d9-ut:~$ grep /mount /proc/mounts /dev/fuse /home/user/mount fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=1 0 0 user@d9-ut:~$ fusermount -u mount I'm not aware of any context in which this is actually exploitable - you'd still need the UIDs to fit, and you can't do it if the three GIDs of the process don't match (in the case of a typical setgid binary), but it does look like something that should be fixed. I also plan to try to get this fixed on the kernel side.
2018-07-04Source LSB init functionsLaszlo Boszormenyi (GCS)-0/+3
2018-05-11add_arg(): check for overflowNikolaus Rath-0/+5
Fixes: #222.
2018-05-08Fix compile-time warnings on IGNORE_MTABTomohiro Kusumi-1/+2
Silence below warnings which appear if IGNORE_MTAB is defined. [59/64] Compiling C object 'util/fusermount3@exe/fusermount.c.o'. ../util/fusermount.c:493:12: warning: function declaration isn't a prototype [-Wstrict-prototypes] static int count_fuse_fs() ^~~~~~~~~~~~~ ../util/fusermount.c: In function 'unmount_fuse': ../util/fusermount.c:508:46: warning: unused parameter 'quiet' [-Wunused-parameter] static int unmount_fuse(const char *mnt, int quiet, int lazy) ^~~~~
2018-03-28Add example configuration file (#216)admorgan-0/+20
Add a configuration file with all options disabled that includes all valid options and their description.
2017-12-01Handle mount ... -o nofail (#221)Josh Soref-0/+1
Accept (and ignore) nofail mount option