[prev in list] [next in list] [prev in thread] [next in thread] 

List:       fuse-devel
Subject:    Re: [fuse-devel] cvs /bin/mount might not be there
From:       Csaba Henk <csaba-ml () creo ! hu>
Date:       2007-01-07 21:25:55
Message-ID: slrneq2p6e.28oj.csaba () beastie ! creo ! hu
[Download RAW message or body]

On 2007-01-01, Szakacsits Szabolcs <szaka@sienet.hu> wrote:
>> The user simply creates his own mount command, 
>
> He can't create programs which are owned by other/priviledged users. 
> Perhaps this fact could be used as a security measure.

FUSE itself is the counterexample :)

When you mount a FUSE fs your fs daemon can freely choose ownership 
and permission for the files it serves.

I don't claim that not hardcoding the mount util would be easily
exploitable because of this -- fusermount can't take an executable from
under a FUSE mount unless "allow_other" was used, and get fusermount to
use two different mount programs in sequel might not be possible for an
ordinary user --  but the gap between such a practice and having a
security hole is probably not as big as you suggest.

Csaba


-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
fuse-devel mailing list
fuse-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fuse-devel
[prev in list] [next in list] [prev in thread] [next in thread]