Message ID | 20210614144407.134243-1-mreitz@redhat.com (mailing list archive) |
---|---|
Series | export/fuse: Allow other users access to the export |

On 14.06.2021 at 16:44, Max Reitz wrote:
> Hi,
>
> With the default mount options, FUSE mounts are not accessible to any
> users but the one who did the mount, not even to root. To allow such
> accesses, allow_other must be passed.
>
> This is probably useful to some people (it certainly is to me, e.g. when
> exporting some image as my normal user, and then trying to loop mount it
> as root), so this series adds a QAPI allow-other bool that will make the
> FUSE export code pass allow_other,default_permissions to FUSE.
>
> (default_permissions will make the kernel do the usual UNIX permission
> checks, which is something that makes a lot of sense when allowing other
> users access to the export.)
>
> This also requires our SETATTR code to be able to handle permission
> changes, though, so the user can then run chmod/chown/chgrp on the
> export to adjust its permissions to their need.
>
> The final patch adds a test.

If there is even a use case for leaving the option off (not trusting root?), it must certainly be the less common case? So I'm not sure if allow-other should be an option at all, but if it is, enabling it by default would make more sense to me.

Is there a reason why you picked false as the default, except that it is the old behaviour?

Kevin

On 21.06.21 18:12, Kevin Wolf wrote:
> On 14.06.2021 at 16:44, Max Reitz wrote:
>> Hi,
>>
>> With the default mount options, FUSE mounts are not accessible to any
>> users but the one who did the mount, not even to root. To allow such
>> accesses, allow_other must be passed.
>>
>> This is probably useful to some people (it certainly is to me, e.g. when
>> exporting some image as my normal user, and then trying to loop mount it
>> as root), so this series adds a QAPI allow-other bool that will make the
>> FUSE export code pass allow_other,default_permissions to FUSE.
>>
>> (default_permissions will make the kernel do the usual UNIX permission
>> checks, which is something that makes a lot of sense when allowing other
>> users access to the export.)
>>
>> This also requires our SETATTR code to be able to handle permission
>> changes, though, so the user can then run chmod/chown/chgrp on the
>> export to adjust its permissions to their need.
>>
>> The final patch adds a test.
> If there is even a use case for leaving the option off (not trusting
> root?), it must certainly be the less common case? So I'm not sure if
> allow-other should be an option at all, but if it is, enabling it by
> default would make more sense to me.
>
> Is there a reason why you picked false as the default, except that it is
> the old behaviour?

No. :)

Well, mostly. I also thought, if FUSE thinks allow_other shouldn’t be the default, who am I to decide otherwise.

Now that I tried to find out why FUSE has it as the default (I only remember vague “security reasons”), I still couldn’t find out why, but I did find that using this option as non-root user requires /etc/fuse.conf to have user_allow_other in it, which I don’t think we can require.

So I think it must be an option. As for which value should be the default, that probably depends on how common having user_allow_other in /etc/fuse.conf is. I know I never put it there, and it’s both on my Fedora and my Arch system. So I guess it seems rather common?

Max
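
The constraint raised in the thread (a non-root mount with allow_other needs user_allow_other in /etc/fuse.conf) written as a preflight check. This is an added example, not code from the patch series or from QEMU; `conf_has_user_allow_other`, `choose_mount_opts` and the simplified one-directive-per-line parsing are assumptions of the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* One fuse.conf line (assumed format): drop '#' comment, trim, compare. */
static bool line_enables_allow_other(const char *line, size_t len)
{
    const char *hash = memchr(line, '#', len);
    if (hash) {
        len = (size_t)(hash - line);
    }
    while (len > 0 && isspace((unsigned char)line[0])) {
        line++;
        len--;
    }
    while (len > 0 && isspace((unsigned char)line[len - 1])) {
        len--;
    }
    return len == strlen("user_allow_other") &&
           memcmp(line, "user_allow_other", len) == 0;
}

/* Scan configuration text (the contents of /etc/fuse.conf). */
bool conf_has_user_allow_other(const char *text)
{
    while (*text) {
        size_t len = strcspn(text, "\n");
        if (line_enables_allow_other(text, len)) {
            return true;
        }
        text += len + (text[len] == '\n');
    }
    return false;
}

/* Hypothetical helper: root may always pass allow_other, others need the directive. */
const char *choose_mount_opts(unsigned int euid, const char *conf_text)
{
    bool ok = euid == 0 || (conf_text && conf_has_user_allow_other(conf_text));
    return ok ? "allow_other,default_permissions" : "";
}

int main(void)
{
    /* Constructed sample configuration, not read from a real system. */
    const char *conf = "# sample\nmount_max = 1000\nuser_allow_other\n";
    printf("uid 1000: \"%s\"\n", choose_mount_opts(1000, conf));
    return 0;
}
```

A commented-out `#user_allow_other` line, which is how the directive is often shipped, counts as absent here, so an unprivileged caller falls back to the empty option string.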