author | Miklos Szeredi <miklos@szeredi.hu> | 2005-07-05 12:47:24 +0000 |
---|---|---|
committer | Miklos Szeredi <miklos@szeredi.hu> | 2005-07-05 12:47:24 +0000 |
commit | e2e23c9379c745db2c8d48bbd8298720b13b56c5 (patch) | |
tree | 1c6ba310b23caf0af373eafc9fc5ba9de1e10e68 /doc/kernel.txt | |
parent | bb9f51774c340883b5463aab8346dee5cef6b83d (diff) |
fix
Diffstat (limited to 'doc/kernel.txt')
-rw-r--r-- | doc/kernel.txt | 27 |
1 files changed, 25 insertions, 2 deletions
diff --git a/doc/kernel.txt b/doc/kernel.txt index 0331ccc..1451d11 100644 --- a/doc/kernel.txt +++ b/doc/kernel.txt @@ -41,6 +41,24 @@ using the sftp protocol. Mount options ~~~~~~~~~~~~~ +'fd=N' + + The file descriptor to use for communication between the userspace + filesystem and the kernel. The file descriptor must have been + obtained by opening the FUSE device ('/dev/fuse'). + +'rootmode=M' + + The file mode of the filesystem's root in octal representation. + +'user_id=N' + + The numeric user id of the mount owner. + +'group_id=N' + + The numeric group id of the mount owner. + 'default_permissions' By default FUSE doesn't check file access permissions, the @@ -148,14 +166,14 @@ How are requirements fulfilled? 2) Even if 1) is solved the mount owner can change the behavior of other users' processes. - - It can slow down or indefinitely delay the execution of a + i) It can slow down or indefinitely delay the execution of a filesystem operation creating a DoS against the user or the whole system. For example a suid application locking a system file, and then accessing a file on the mount owner's filesystem could be stopped, and thus causing the system file to be locked forever. - - It can present files or directories of unlimited length, or + ii) It can present files or directories of unlimited length, or directory structures of unlimited depth, possibly causing a system process to eat up diskspace, memory or other resources, again causing DoS. @@ -168,6 +186,11 @@ How are requirements fulfilled? ptrace can be used to check if a process is allowed to access the filesystem or not. + Note that the ptrace check is not strictly necessary to + prevent B/2/i, it is enough to check if mount owner has enough + privilege to send signal to the process accessing the + filesystem, since SIGSTOP can be used to get a similar effect. + I think these limitations are unacceptable? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
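Review bot: In the first hunk (@@ -41,6 +41,24 @@), the new 'fd=N', 'rootmode=M', 'user_id=N' and 'group_id=N' entries do not say whether each option is mandatory or what happens when one is missing. Please state that for each entry. 'rootmode=M' should also say whether M holds only the permission bits or the file type as well. Because 'user_id=N' and 'group_id=N' identify the "mount owner" that the "How are requirements fulfilled?" section depends on, a cross-reference from these two entries to that section would help readers see why the values matter.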
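Review bot: In the second hunk (@@ -148,14 +166,14 @@), only the first line of each item changes from '-' to 'i)' and 'ii)', while the wrapped lines below them stay as unchanged context. With labels of different widths the continuation text may no longer line up under the first word, so please check the indentation and re-wrap both items if needed. The labels exist so the later note can cite "B/2/i"; the label 'ii)' is not referenced anywhere in the visible lines, which is fine, but it is worth keeping the two styles consistent with the numbered '1)' and '2)' items above them.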
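Review bot: In the third hunk (@@ -168,6 +186,11 @@), the added note says the ptrace check is not strictly necessary for B/2/i but is silent on B/2/ii, so a reader could conclude that a signal-permission check can replace the ptrace check altogether. Please add a sentence stating whether the signal-permission check is also sufficient for B/2/ii (files or directories of unlimited length or depth), or say explicitly that the note applies to B/2/i only. Wording: "if mount owner has enough privilege to send signal" reads better as "if the mount owner has enough privilege to send a signal", and the comma after "B/2/i" joins two sentences that should be split.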