fedora-extras-list@redhat.com
[Top] [All Lists]

Fuse packages now with use fuse-group and suid binary (Was: RFC: fuse pa

Subject: Fuse packages now with use fuse-group and suid binary Was: RFC: fuse packages
From: Thorsten Leemhuis
Date: Fri, 04 Nov 2005 20:00:13 +0100
Am Donnerstag, den 03.11.2005, 10:36 -0500 schrieb Jeremy Katz:
> On Wed, 2005-11-02 at 21:10 +0100, Thorsten Leemhuis wrote:
> > Am Samstag, den 29.10.2005, 14:32 -0400 schrieb Jeremy Katz:
> > > Why does fusermount need to be suid? 
> > AFAICS we have three solutions:
> > 
> > 1) do it as upstream does (suid root)
> > 2) create a fusemount group -- only members of that group are allowed to
> > mount fuse-filesystems that are not in /etc/fstab
> > 3) only allow fuse for things listed in /etc/fstab
> > 
> > I tent to do 3) and can also live with 2) (if that's possible -- I
> > suppose it is but did not try yet). I don't like 1).
> 
> The more I think about it, the more I think that the third is really the
> only "reasonable" solution for now.

I did not get solution 3 to work correctly. So I chose solution 2 (this
is also the scheme that is used by debian afaics). See:

http://www.leemhuis.info/files/fedorarpms/SPECS.fdr/fuse.spec
http://www.leemhuis.info/files/fedorarpms/SRPMS.fdr/fuse-2.4.1-2.src.rpm

http://www.leemhuis.info/files/fedorarpms/SPECS.fdr/fuse-sshfs.spec
http://www.leemhuis.info/files/fedorarpms/SRPMS.fdr/fuse-sshfs-1.2-2.src.rpm

I'm going to submit this to bugzilla as review request at the beginning
of next week if no one complains loudly. (side note: rpmlint does not
like it very much:

$ rpmlint rpmbuild/RPMS/i386/fuse-2.4.1-2.i386.rpm
W: fuse non-conffile-in-etc /etc/udev/rules.d/40-fuse.rules
W: fuse non-conffile-in-etc /etc/makedev.d/z-fuse
E: fuse non-standard-gid /usr/bin/fusermount fuse
E: fuse setuid-binary /usr/bin/fusermount root 04754
E: fuse non-standard-executable-perm /usr/bin/fusermount 04754
W: fuse non-conffile-in-etc /etc/udev/makedev.d/40-fuse.nodes
)

The fuse kernel-module is in the latest rawhide kernel or in this one
for FC4:
http://people.redhat.com/davej/kernels/Fedora/FC4/RPMS.kernel/

It is not in the 2.6.14 kernel currently in updates-testing for FC4 --
but the above kernel or a newer one afaik should hit updates-testing
before 2.6.14 is shipped as official update.
-- 
Thorsten Leemhuis <fedora@xxxxxxxxxxxxx>

-- 
fedora-extras-list mailing list
fedora-extras-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-extras-list

<Prev in Thread] Current Thread [Next in Thread>