[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: fuse (Was Re: early-gdm redux)



On Tue, 2007-09-18 at 10:35 +0200, Alexander Larsson wrote:
> On Fri, 2007-09-14 at 10:56 +0200, Thorsten Leemhuis wrote:
> > On 14.09.2007 10:17, Alexander Larsson wrote:
> > >> That's a fuse plugin correct?  Uhm... fuse doesn't work out of the box
> > >> in Fedora currently. I _think_ we still ship fuse in such a way that
> > >> you have to manually take some action add users to the fuse group for
> > >> users that get to use fuse.
> > > Yes we do. And this is totally stupid and will cause pain in the future
> > > when all sorts of features (like gvfs) start using fuse. I have no idea
> > > why this was done, but it has to be fixed.
> > 
> > Thx for your kind words to your fellow Fedora developers, much
> > appreciated ;-) (ยน)
> > 
> > I decided that -- but not alone. In fact IIRC I was urged by lots of
> > high-rank-Fedora-developers (including jeremy and someone from the
> > security team IIRC) to *not* ship fuse as a suid-binary for everyone, as
> > back then (in the early days when fuse hit the kernel) it was highly
> > unclear if the fuse userspace tools were safe enough.
> > 
> > If that has changed: sure, let's get rid of this extra burden with
> > adding the user to a special group. But that's up to the current
> > maintainer.
> 
> If its not safe then wouldn't a better solution be to fix it or not
> ship/install it. 

Making sure that things are safe is definitely the right thing to do.
suid but only group executable is purely a "start to get it in while not
making things less secure by default"

> I agree that stupid was a bad word, and I don't mean to flame anyone in
> particular. I just think that this decision has no real value
> security-wise, and it will be quite negative when things actually start
> using fuse. Perhaps it was the right choice early on in the life of
> fuse, but i don't think it makes sense by now.

It was nothing more than a "someone needs to sit down and really audit
fuse".  And probably ensuring that we have reasonable SELinux policy
around it as well.  If someone is willing to do that so that we can feel
comfortable making fuse available suid and that we're not then opening
up various holes on the system, then let's do it.

But until someone actually does that audit, it seems a bit premature and
risky to actually have the fuse bits executable by everyone.

Jeremy


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]