Without default_permissions, cached permissions are only checked on first access
#15
Comments
|
Would this fix http://sourceforge.net/p/fuse/mailman/message/34801725/ too. Because the attr-timeout has nothing to do with the issue reported (the entry timeout has to be > 0). By standard permissions do you mean default permissions turned off ? |
|
Hi, Satya G S wrote:
I do not fully understand what you mean (what has When the kernel needs to dig into a directory on Your results show this is not yet the case. attr-timeout (I mean the last argument of fuse_reply_attr()) On Linux, ntfs-3g usually uses default_permissions (yes, [linux@dimension linux]$ ./try.sh On OpenIndiana (same fuse library), ntfs-3g can use Note : the proper behavior of permissions is checked by Regards Jean-Pierre |
|
ls -l seems to working fine (doesn't display children attributes) if default permissions is turned on. When default permissions is turned off and entry timeout is > 0 ls -l display the children attributes for the duration of entry timeout which is a bug. Thanks, |
|
Hum, yes you are right. The issue occurs with default_permissions not enabled, and with permissions checked by the user-level file system. I have recompiled ntfs-3g with a timeout of 10 seconds (both attr and entry timeouts), and executed as root the following script : Note that this script never changes the permissions on the directory "trydir". The expected output is : The error on last line is caused by the user ("linux") not being allowed to list "trydir". And trydir could be listed... Also note the user-level file system has no opportunity to invalidate an entry. There is no action triggering a change. I have replayed the shell script shown in the original post, and I can confirm the bug is still present, but only when the option default_permissions is NOT used. for Nikolaus : maybe you can change the title to "The directory entries cached by fuse are not checked against the current user permissions" |
|
Sorry, I wanted to close the comment, ... not the issue. |
|
Jean, Thank you for confirming the behaviour. This issue hurts every filesystem that has support for ACLs. Setting the entry timeout to zero will result in too many up calls to filesystem. Isn't this a place to track library issues. This looks like a kernel bug to me. Thanks, |
|
I agree, not using the cache is inefficient because it implies making more calls to the user-level file system. The same goes for not using default_permissions. So I am not insisting on this bug to be fixed, I would rather call for default_permissions to support the same permission checks as ext2/3/4. I also call for the cache to support hard links, and this is specific to the high-level library interface, there is no problem with the low-level one. These are the two reasons why ntfs-3g gave up using the cache on Linux (except when using the low-level interface and not using the Posix ACLs). |
Nikratio
changed the title
Yes, when writing the kernel code there was probably an implicit assumption that allow_other" would not be used (or maybe it didn't exist at that point). With allow_other, this becomes a security bug.
You are right. I asked Jean-Pierre to file it here so that there's at least a permanent record (give that this was first reported on the kernel ml in 2006). |
|
I've added this to the README, see commit 43138fb |
|
Nikolaus Rath wrote:
I think this is not correct : in my first example and So my feeling is that there is no check at all. My text change proposal :
|
|
Thanks for re-checking. How do you like the version in commit 85f3ff4? |
|
Nikolaus Rath wrote:
Looks good to me. Jean-Pierre |
Nikratio
changed the title
default_permissions, cached permissions are only checked on first access
This patch solves a long standing bug. "([bug torvalds#15](libfuse/libfuse#15)): if the `default_permissions` mount option is not used, the results of the first permission check performed by the file system for a directory entry will be re-used for subsequent accesses as long as the inode of the accessed entry is present in the kernel cache - even if the permissions have since changed, and even if the subsequent access is made by a different user. This bug needs to be fixed in the Linux kernel and has been known since 2006 but unfortunately no fix has been applied yet. If you depend on correct permission handling for FUSE file systems, the only workaround is to use `default_permissions` (which does not currently support ACLs), or to completely disable caching of directory entry attributes. Alternatively, the severity of the bug can be somewhat reduced by not using the `allow_other` mount option." This patch introduce a callback which the user space implementation can use to invalidate the cached entries of a parent directory, for example when the execute permissions are revoked and force real lookup. Signed-off-by: Ashish Sangwan <ashishsangwan2@gmail.com>
|
gocryptfs developer here. I don't understand why this is declared a kernel bug (but on the other hand I can't click the gmane links because it has been shut down). Isn't just that the user-space filesystem fails to check the permissions on READDIR? (This is the opportunity to check the permissions, there is no need for an extra LOOKUP) |
|
@rfjakob : see my example try2.sh, there is no readdir at all (no wildcards). Creating "trydir/file" is just a create() in write-only directory "trydir" (which is allowed, though directory is unreadable). Later on, for executing "trydir/file", there is no lookup from "trydir", and the user space has no chance of checking whether "trydir" is readable. When "file" is opened, the user space does not know from which directory it is opened (a file may be referenced in several directories with different permissions). |
|
Ok, I think I get it. When there are multiple hard links of one file in different directories, user-space cannot decide which directory to check. It's quite a corner-case, but still. Note that the kernel knows about the user and this info is also passed to user-space in every request: Line 695 in d6d3e50 |
|
@rfjakob |
|
Well, user-space already knows which directory the file is in from the time
it served the LOOKUP.
|
|
I'm trying to compile under Windows using сygwin, but eventually do make-j8 command error occurs > ../include/fuse_kernel.h:759:41: error: expected expression before 'uint32_t' Please help deal with this problem, which is already just trying to build library, but this error does not allow it to make |
Fixes issue libfuse#15. --HG-- extra : rebase_source : 93f3297384cbeb267e6744bf3950086f5a23b38d extra : amend_source : 48751816f440353c633fff37e99bed52d339d01f extra : histedit_source : 4868081666a2fdc05537c6c01e694ce94e7bf80c%2Ce15d95112226542e5e6924877a0c2f45e8d54da6
|
Is this still a problem with the latest releases of libfuse and the Linux kernel? |
|
I have no information to the contrary, so I'd say yes, this has not been fixed yet. |
|
It would be great to at least get the docs/config/defaults into a non-confusing state, see the link directly above this comment. |
This patch makes it so we attempt to resolve a symbol as the non-obsolete commits in a change id if all other resolutions fail. This addresses issue libfuse#15. I decided to not require any operator for looking up by change id. I want to make it as easy as possible to use change ids instead of commit ids to see how well it works to interact mostly with change ids instead of commit ids (I'll try to test that by using it myself).
When the inodes are cached by fuse (non-zero attr_timeout), and the standard_permissions are used, the following sequence :
outputs :
The "chmod 000" should have led to an EACCES error for the subsequent commands.
This was reported in 2009 (http://article.gmane.org/gmane.comp.file-systems.fuse.devel/8099), and according to http://article.gmane.org/gmane.comp.file-systems.fuse.devel/15300 some work is still needed on it.
This means that for being Posix compliant, fuse file systems cannot either use the cache or have the permissions checked by the kernel.
The text was updated successfully, but these errors were encountered: