Commit message | Author | Age | Files | Lines
* util/ulockmgr_server.c: conditionally define closefrom (fix glibc-2.34+) [fuse_2_9_bugfix] | Sam James | 2021-07-25 | 2 | -0/+7
    closefrom(3) has joined us in glibc-land from *BSD and Solaris. Since it's available in glibc 2.34+, we want to detect it and only define our fallback if the libc doesn't provide it.

    Bug: https://bugs.gentoo.org/803923
    Signed-off-by: Sam James <sam@gentoo.org>
* Correct errno comparison (#571) | Andrew Gaul | 2020-12-14 | 1 | -1/+1
* Whitelist UFSD (backport to 2.9 branch) (#452) | tenzap | 2019-09-15 | 2 | -0/+7
* Released 2.9.9 [fuse-2.9.9] | Nikolaus Rath | 2019-01-04 | 4 | -4/+5
* Added OpenAFS to type whitelist | Nikolaus Rath | 2019-01-04 | 2 | -0/+4
    Fixes: #336.
* Fix readdir() bug when a non-zero offset is specified in filler | Rostislav Skudnov | 2018-07-25 | 3 | -2/+76
    The bug occurs when a filesystem client reads a directory until the end, seeks using seekdir() to some valid non-zero position and calls readdir(). A valid 'struct dirent *' is expected, but NULL is returned instead. Pseudocode demonstrating the bug:

        DIR *dp = opendir("some_dir");
        struct dirent *de = readdir(dp);

        /* Get offset of the second entry */
        long offset = telldir(dp);

        /* Read directory until the end */
        while (de)
            de = readdir(dp);

        seekdir(dp, offset);
        de = readdir(dp);
        /* de must contain the second entry, but NULL is returned instead */

    The reason for the bug is that when the end of directory is reached, the kernel calls FUSE_READDIR op with an offset at the end of directory, so the filesystem's .readdir callback never calls the filler function, and we end up with dh->filled set to 1. After seekdir(), FUSE_READDIR is called again with a new offset, but this time the filesystem's .readdir callback is never called, and an empty reply is returned.

    Fix by setting dh->filled to 1 only when zero offsets are given to filler function.

    This commit is backported from the following commit in 'master' branch:

        commit 5f125c5e6be24c8d216a4d3c623dc73d742c8c86
        Author: Rostislav <rostislav@users.noreply.github.com>
        Date: Sat Jul 21 12:57:09 2018 +0300

            Fix readdir() bug when a non-zero offset is specified in filler (#269)
* Released 2.9.8 [fuse-2.9.8] | Nikolaus Rath | 2018-07-25 | 4 | -24/+13
* Add changelog entry for commit b045e. | Nikolaus Rath | 2018-07-21 | 1 | -0/+2
* Added ChangeLog entry for hardening patches. | Nikolaus Rath | 2018-07-21 | 1 | -0/+8
* fusermount: whitelist known-good filesystems for mountpoints | Jann Horn | 2018-07-21 | 1 | -1/+49
    Before:

        $ _FUSE_COMMFD=1 priv_strace -s8000 -e trace=mount util/fusermount3 /proc/self/fd
        mount("/dev/fuse", ".", "fuse", MS_NOSUID|MS_NODEV, "fd=3,rootmode=40000,user_id=379777,group_id=5001") = 0
        sending file descriptor: Socket operation on non-socket
        +++ exited with 1 +++

    After:

        $ _FUSE_COMMFD=1 priv_strace -s8000 -e trace=mount util/fusermount3 /proc/self/fd
        util/fusermount3: mounting over filesystem type 0x009fa0 is forbidden
        +++ exited with 1 +++

    This patch could potentially have security impact on some systems that are configured with allow_other; see https://launchpad.net/bugs/1530566 for an example of how a similar issue in the ecryptfs mount helper was exploitable. However, the FUSE mount helper performs slightly different security checks, so that exact attack doesn't work with fusermount; I don't know of any specific attack you could perform using this, apart from faking the SELinux context of your process when someone's looking at a process listing.

    Potential targets for overwrite are (looking on a system with a 4.9 kernel):

    writable only for the current process:
        /proc/self/{fd,map_files}
        (Yes, "ls -l" claims that you don't have write access, but that's not true; "find -writable" will show you what access you really have.)

    writable also for other owned processes:
        /proc/$pid/{sched,autogroup,comm,mem,clear_refs,attr/*,oom_adj,
        oom_score_adj,loginuid,coredump_filter,uid_map,gid_map,projid_map,
        setgroups,timerslack_ns}
* fusermount: refuse unknown options | Jann Horn | 2018-07-21 | 1 | -1/+7
    Blacklists are notoriously fragile; especially if the kernel wishes to add some security-critical mount option at a later date, all existing systems with older versions of fusermount installed will suddenly have a security problem. Additionally, if the kernel's option parsing became a tiny bit laxer, the blacklist could probably be bypassed.

    Whitelist known-harmless flags instead, even if it's slightly more inconvenient.
* fusermount: bail out on transient config read failure | Jann Horn | 2018-07-21 | 1 | -0/+9
    If an attacker wishes to use the default configuration instead of the system's actual configuration, they can attempt to trigger a failure in read_conf(). This only permits increasing mount_max if it is lower than the default, so it's not particularly interesting. Still, this should probably be prevented robustly; bail out if funny stuff happens when we're trying to read the config.

    Note that the classic attack trick of opening so many files that the system-wide limit is reached won't work here - because fusermount only drops the fsuid, not the euid, the process is running with euid=0 and CAP_SYS_ADMIN, so it bypasses the number-of-globally-open-files check in get_empty_filp() (unless you're inside a user namespace).
* fusermount: don't feed "escaped commas" into mount options | Jann Horn | 2018-07-21 | 1 | -1/+4
    The old code permits the following behavior:

        $ _FUSE_COMMFD=10000 priv_strace -etrace=mount -s200 fusermount -o 'foobar=\,allow_other' mount
        mount("/dev/fuse", ".", "fuse", MS_NOSUID|MS_NODEV, "foobar=\\,allow_other,fd=3,rootmode=40000,user_id=1000,group_id=1000") = -1 EINVAL (Invalid argument)

    However, backslashes do not have any special meaning for the kernel here. As it happens, you can't abuse this because there is no FUSE mount option that takes a string value that can contain backslashes; but this is very brittle. Don't interpret "escape characters" in places where they don't work.
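
The two fusermount commits above (refusing unknown options, and not interpreting "escaped commas") describe one combined check: split the option string on literal commas and accept only allowlisted names. The following C code is an added example, not fusermount's own code; the allowlist contents and the names `check_mount_opts` and `opt_known` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed allowlist for illustration; not fusermount's actual table.
 * A trailing '=' marks an option that must carry a value. */
static const char *const ALLOWED[] = {
    "ro", "rw", "nosuid", "nodev", "noexec",
    "allow_other", "default_permissions", "max_read=", "blksize=", NULL
};

/* Return 1 if the token opt[0..len) matches an allowlist entry. */
static int opt_known(const char *opt, size_t len)
{
    for (size_t i = 0; ALLOWED[i]; i++) {
        size_t n = strlen(ALLOWED[i]);
        if (ALLOWED[i][n - 1] == '=') {
            if (len > n && strncmp(opt, ALLOWED[i], n) == 0)
                return 1;               /* name=value with a non-empty value */
        } else if (len == n && strncmp(opt, ALLOWED[i], n) == 0) {
            return 1;                   /* plain flag: exact match only */
        }
    }
    return 0;
}

/* Split opts on every literal ','; a backslash is an ordinary byte, which
 * the commit message says is how the kernel treats it. Empty tokens are
 * refused. Return 0 if every token is allowlisted, -1 otherwise. */
int check_mount_opts(const char *opts)
{
    const char *p = opts;
    for (;;) {
        size_t len = strcspn(p, ",");
        if (!opt_known(p, len))
            return -1;
        if (p[len] == '\0')
            return 0;
        p += len + 1;
    }
}

int main(void)
{
    /* Constructed inputs; the second is the string from the commit message. */
    const char *s[] = { "ro,nosuid,max_read=4096", "foobar=\\,allow_other" };
    for (size_t i = 0; i < 2; i++)
        printf("%s -> %s\n", s[i], check_mount_opts(s[i]) ? "refused" : "accepted");
    return 0;
}
```

Because the splitter and the kernel agree on where one option ends, `allow_other` in the second input is seen as its own token rather than as part of the value of `foobar`, and the string is refused on the unknown name.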
* Fix SIGSEGV when fuse_interrupted() is called outside the eventloop | Alexander | 2018-07-09 | 1 | -1/+3
* rename: perform user mode dir loop check when not done in kernel | Bill Zissimopoulos | 2018-06-07 | 3 | -0/+279
    Linux performs the dir loop check (rename(a, a/b/c) or rename(a/b/c, a), etc.) in kernel. Unfortunately other systems do not perform this check (e.g. FreeBSD). This results in a deadlock in get_path2, because libfuse did not expect to handle such cases.

    We add a check_dir_loop function that performs the dir loop check in user mode and enable it on systems that need it.
* fix documentation for opendir in fuse_operations | Carl Edquist | 2018-05-24 | 1 | -1/+1
    the filehandle from opendir is passed to releasedir - there is no closedir function in fuse_operations
* Document that client pid/gid/uid may be zero. | Nikolaus Rath | 2016-10-02 | 1 | -1/+8
    Fixes #67.
* Released 2.9.7. [fuse-2.9.7] [fuse-2_9_bugfix] | Nikolaus Rath | 2016-06-20 | 4 | -4/+10
* libfuse/fuse_daemonize: wait until daemon child process is ready (#55) | Hendrik Brueckner | 2016-06-20 | 2 | -0/+16
    Mounting a FUSE file system remotely using SSH in combination with pseudo-terminal allocation (-t) results in "Transport endpoint is not connected" errors when trying to access the file system contents.

    For example:

        # ssh -t root@localhost "cmsfs-fuse /dev/disk/by-path/ccw-0.0.0190 /CMSFS"
        Connection to localhost closed.
        # ls /CMSFS
        ls: cannot access '/CMSFS': Transport endpoint is not connected

    The cmsfs-fuse main program (which can also be any other FUSE file system) calls into the fuse_main() libfuse library function. The fuse_main() function later calls fuse_daemonize() to fork the daemon process to handle the FUSE file system I/O.

    The fuse_daemonize() function calls fork() as usual. The child proceeds with setsid() and then redirecting its file descriptors to /dev/null etc. The parent process simply exits.

    The child's functions and the parent's exit create a subtle race. This is seen with an SSH connection. The SSH command above calls cmsfs-fuse on an allocated pseudo-terminal device (-t option). If the parent exits, SSH receives the command completion and closes the connection, that means, it closes the master side of the pseudo-terminal. This causes a HUP signal to be sent to the process group on the pseudo-terminal. At this point in time, the child might not have completed the setsid() call and, hence, becomes terminated. Note that fuse daemon sets up its signal handlers after fuse_daemonize() has completed.

    Even if the child has the chance to disassociate from its parent process group to become its own process group with setsid(), the child still has the pseudo-terminal opened as stdin, stdout, and stderr. So the pseudo-terminal still behaves as controlling terminal and might cause a SIGHUP at closing the master side.

    To solve the problem, the parent has to wait until the child (the fuse daemon process) has completed its processing, that means, has become its own process group with setsid() and closed any file descriptors pointing to the pseudo-terminal.

    Closes: #27
    Reported-by: Ofer Baruch <oferba@il.ibm.com>
    Reviewed-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
    Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
* libfuse: pass security context options to kernel | Dalvik Khertel | 2016-06-20 | 2 | -0/+9
    Mount can be used with an "-o context=" option in order to specify a mountpoint-wide SELinux security context different from the default context provided by the active SELinux policy.

    This is useful in order to enable users to mount multiple sshfs targets under distinct contexts, which is my main motivation for getting this patch mainlined.

    Closes: #36
* Fix ambiguous condition | Nikolaus Rath | 2016-06-05 | 1 | -1/+1
    Fixes #42.
* Released 2.9.6 [fuse-2.9.6] | Nikolaus Rath | 2016-04-23 | 4 | -2/+9
* Fix description of bug #15. | Nikolaus Rath | 2016-02-02 | 1 | -9/+19
* Document bug #15. | Nikolaus Rath | 2016-02-01 | 1 | -2/+12
* Include documentation in tarball. | Nikolaus Rath | 2016-01-28 | 3 | -2/+6
* Remove "credits" section, we now have an AUTHORS file. | Nikolaus Rath | 2016-01-28 | 1 | -12/+0
* Released 2.9.5 [fuse_2_9_5] | Nikolaus Rath | 2016-01-14 | 2 | -3/+3
* Mention new maintainer in Changelog. | Nikolaus Rath | 2016-01-14 | 1 | -1/+5
* Changed Changelog format | Nikolaus Rath | 2016-01-14 | 1 | -38/+24
    Up to now, the Changelog has essentially been a (manually maintained) copy of the git commit history. This doesn't seem to have any point other than following the GNU coding standards. I believe it's much better to use the Changelog to summarize the release-to-release changes that are most important for users, so this is what we'll do from now on.
* Removed placeholder README file and switch automake to foreign flavor. | Nikolaus Rath | 2016-01-14 | 2 | -4/+1
    The GNU flavor merely requires the existence of some files (including README, but we prefer README.md), so there seems to be little point in using it.
* Removed hopelessly outdated files. | Nikolaus Rath | 2016-01-14 | 3 | -427/+1
* Enable subdir-objects automake option | Nikolaus Rath | 2016-01-14 | 2 | -0/+2
    This is recommended for forward-compatibility.
* Update makeconf.sh | Nikolaus Rath | 2016-01-14 | 1 | -26/+7
    Describe why manual copying of config.rpath is necessary, and fail with a more helpful message if it can't be found.

    Remove code for systems without autoreconf - it's apparently not used by anyone since it has been broken for quite some time (there is no `kernel` directory anymore).
* Update maintainer and contributor list | Nikolaus Rath | 2016-01-14 | 1 | -6/+49
* Extend write_buf documentation | Nikolaus Rath | 2016-01-14 | 1 | -0/+5
* Initialize padding to zero. | Nikolaus Rath | 2016-01-14 | 1 | -0/+1
    This should prevent some valgrind warnings.
* Migrated README to README.md for Markdown rendering on GitHub. | Nikolaus Rath | 2015-12-20 | 2 | -379/+100
* libfuse: fix warning mount.c:receive_fd() | Miklos Szeredi | 2015-08-12 | 2 | -1/+6
    Reported by Albert Berger
* libfuse: fix possible memory leak | Miklos Szeredi | 2015-06-29 | 2 | -1/+5
    Reported by Jose R. Guzman
* Released 2.9.4 [fuse_2_9_4] | Miklos Szeredi | 2015-05-22 | 3 | -2/+6
* libfuse: fix exec environment for mount and umount | Miklos Szeredi | 2015-05-22 | 2 | -6/+22
    Found by Tavis Ormandy (CVE-2015-3202).
* libfuse: fix fuse_remove_signal_handlers() | Miklos Szeredi | 2015-02-26 | 2 | -11/+16
    to properly restore the default signal handler.

    Reported by: Chris Johnson <johnsocg@gmail.com>
* libfuse: document deadlock avoidance for fuse_notify_inval_entry() | Miklos Szeredi | 2014-07-22 | 2 | -0/+11
    and fuse_notify_delete()

    Reported by Han-Wen Nienhuys
* Initialize stat buffer passed to ->getattr() and ->fgetattr() | Miklos Szeredi | 2014-07-22 | 2 | -0/+7
    to zero in all cases.

    Reported by Daniel Iwan.
* Advertize the existence of some "configure" env vars. | Fabrice Bauzac | 2014-07-22 | 1 | -0/+3
    Advertize the existence of env vars MOUNT_FUSE_PATH, UDEV_RULES_PATH and INIT_D_PATH in the execution of ./configure.
* libfuse: highlevel API: fix directory file handle passed to ioctl() method | Miklos Szeredi | 2014-07-21 | 3 | -2/+16
    Reported by Eric Biggers
* fusermount, libfuse: send value as unsigned in "user_id=" and "group_id=" | Miklos Szeredi | 2014-07-21 | 3 | -3/+10
    ...options. Uids/gids larger than 2147483647 would result in EINVAL when mounting the filesystem. This also needs a fix in the kernel.
* Add missing includes | Daniel Thau | 2013-08-26 | 5 | -0/+9
    This allows compiling fuse with musl.
* Released 2.9.3 [fuse_2_9_3] | Miklos Szeredi | 2013-07-01 | 3 | -2/+6
* libfuse: don't close fd if it's -1 | Miklos Szeredi | 2013-07-01 | 1 | -1/+4
    This prevents a valgrind warning.