early-gdm redux ( I am sorry my way is better faster... for a desktop )

Alexander Larsson alexl at redhat.com
Tue Sep 18 08:35:44 UTC 2007


On Fri, 2007-09-14 at 10:56 +0200, Thorsten Leemhuis wrote:
> On 14.09.2007 10:17, Alexander Larsson wrote:
> >> That's a fuse plugin correct?  Uhm... fuse doesn't work out of the box
> >> in Fedora currently. I _think_ we still ship fuse in such a way that
> >> you have to manually take some action add users to the fuse group for
> >> users that get to use fuse.
> > Yes we do. And this is totally stupid and will cause pain in the future
> > when all sorts of features (like gvfs) start using fuse. I have no idea
> > why this was done, but it has to be fixed.
> 
> Thx for your kind words to your fellow Fedora developers, much
> appreciated ;-) (¹)
> 
> I decided that -- but not alone. In fact IIRC I was urged by lots of
> high-rank-Fedora-developers (including jeremy and someone from the
> security team IIRC) to *not* ship fuse as a suid-binary for everyone, as
> back then (in the early days when fuse hit the kernel) it was highly
> unclear if the fuse userspace tools were safe enough.
> 
> If that has changed: sure, let's get rid of this extra burden with
> adding the user to a special group. But that's up to the current
> maintainer.

If it's not safe then wouldn't a better solution be to fix it or not
ship/install it?

Making every user have to be added to the fuse group means:

1) It's not useable by default, meaning extra work for all users, and
   features mystically not working before some magic sysadmin
   incantation.
   (We could make it "easy" to detect this and add users to this group,
    but then again, why have the group?)

2) When important things in the desktop start requiring fuse everyone
   will be in the fuse group anyway, meaning any security is lost.
   (One could say this only happens on "desktop" machines, but if you
    don't trust fuse userspace on your server, just don't install it
    there.)

I agree that stupid was a bad word, and I don't mean to flame anyone in
particular. I just think that this decision has no real value
security-wise, and it will be quite negative when things actually start
using fuse. Perhaps it was the right choice early on in the life of
fuse, but I don't think it makes sense by now.




