[DTrace-devel] [PATCH 2/3] daemon: -o allow_other is useless, don't pass it in

Kris Van Hees kris.van.hees at oracle.com
Tue Nov 8 05:42:56 UTC 2022


On Mon, Nov 07, 2022 at 10:09:21PM +0000, Nick Alcock via DTrace-devel wrote:
> The -o allow_other option to FUSE informs the kernel's FUSE-mounting API
> that files on a given filesystem can be written to by users other than
> the one running the daemon that mounted it.  Without this, not even root
> can access it.
> 
> This serves to reduce the likelihood that users can attack each other
> via badly-secured FUSE filesystems.
> 
> Back when I was struggling to get CUSE to work, I added this to the
> argv options string passed to cuse_lowlevel_setup().  I never checked
> after I got things working to see if it was actually needed, and it
> turns out that since CUSE never mounts anything (it only creates a
> device) and since CUSE bypasses the parts of FUSE that check whether
> users are allowed to write to devices (relying instead on good old
> permissions checking), the option is useless and ignored.
> 
> This has actually got less strict over time: libfuse 2 actually rejects
> it and refuses to initialize.  So drop it entirely.
> 
> Signed-off-by: Nick Alcock <nick.alcock at oracle.com>

Reviewed-by: Kris Van Hees <kris.van.hees at oracle.com>

> ---
>  dtprobed/dtprobed.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/dtprobed/dtprobed.c b/dtprobed/dtprobed.c
> index 3d1b97514442..b76bc213e650 100644
> --- a/dtprobed/dtprobed.c
> +++ b/dtprobed/dtprobed.c
> @@ -560,8 +560,8 @@ main(int argc, char *argv[])
>  	 * These are "command-line" arguments to FUSE itself: our args are
>  	 * different.  The double-NULL allows us to add an arg.
>  	 */
> -	char *fuse_argv[] = { argv[0], "-f", "-s", "-o", "allow_other", NULL, NULL };
> -	int fuse_argc = 5;
> +	char *fuse_argv[] = { argv[0], "-f", "-s", NULL, NULL };
> +	int fuse_argc = 3;
>  
>  	while ((opt = getopt(argc, argv, "Fdn:t:")) != -1) {
>  		switch (opt) {
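
Review bot: fuse_argc on the line after fuse_argv is still a hand-counted literal, so every change to the array has to adjust it in lockstep (5 to 3 here), and a miscount would either drop an option or hand FUSE one of the NULL slots as an argument. Consider deriving it from the array instead, for example `int fuse_argc = sizeof(fuse_argv) / sizeof(fuse_argv[0]) - 2;`, which keeps the two trailing NULL slots the comment describes reserved without a magic number. It would also help to extend the comment above fuse_argv to say that allow_other is left out on purpose, since access to the CUSE device is governed by ordinary device permissions and libfuse 2 refuses to initialize when the option is passed, so nobody re-adds it later.
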
> -- 
> 2.35.1
> 
> 