AppImage / type2-runtime

The runtime is the executable part of every AppImage. It mounts the payload via FUSE and executes the entrypoint.

Mount a FUSE filesystem without use of root or fusermount (suid) #71

Open probonopd opened 3 weeks ago

probonopd commented 3 weeks ago

As @mgord9518 pointed out:

https://github.com/AppImage/type2-runtime/pull/32#issuecomment-2296448370

It’s possible to mount a FUSE filesystem without use of root permissions or SUID binaries by doing the mount inside of a user namespace.

VERY interesting @mgord9518. 💯 I think you are up to something. That suid helper binary always bothered me to begin with.

Does anyone know how to actually implement this, in code? Any help appreciated 👍

mgord9518 commented 2 weeks ago

For a trivial example, you can just use unshare --mount --user -r, which will create a fake root environment which FUSE can be mounted from. An issue I see is that it's almost like a sandbox, so the behavior won't just be 1:1 with using fusermount.

Maybe someone should experiment with launching AppImages from this shell environment to see how differently the applications behave before implementing anything in C
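A C sketch of what `unshare --mount --user -r` does under the hood, added here as an illustration (not code from type2-runtime or from anyone in this thread): it enters a new user and mount namespace, maps the caller to uid/gid 0 inside it, and then performs a mount with no suid helper involved. It assumes Linux with unprivileged user namespaces enabled; on a distro that has locked them down, `unshare()` fails with EPERM and a runtime would have to fall back to the existing fusermount path.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>

/* Build the "inside outside count" line for /proc/self/{uid,gid}_map that
 * maps the caller's real id to 0 inside the new namespace.
 * Returns the number of characters written, or -1 if buf is too small. */
int format_id_map(char *buf, size_t len, unsigned int id) {
    int n = snprintf(buf, len, "0 %u 1\n", id);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}
/* Write one string to a /proc control file; the kernel rejects partial writes. */
static int write_proc(const char *path, const char *text) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    int saved = errno;
    close(fd);
    errno = saved;
    return n == (ssize_t)strlen(text) ? 0 : -1;
}
/* Programmatic `unshare --mount --user -r`: new user and mount namespace with
 * the caller mapped to uid/gid 0 inside. Returns 0, or -1 with errno set;
 * EPERM from unshare() is what a locked-down distro looks like, so fall back. */
int enter_fake_root(void) {
    uid_t uid = getuid(); gid_t gid = getgid();
    char map[64];
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0) return -1;
    format_id_map(map, sizeof map, uid);
    if (write_proc("/proc/self/uid_map", map) < 0) return -1;
    /* An unprivileged process must deny setgroups before it may write gid_map. */
    if (write_proc("/proc/self/setgroups", "deny") < 0) return -1;
    format_id_map(map, sizeof map, gid);
    if (write_proc("/proc/self/gid_map", map) < 0) return -1;
    return 0;
}
int main(void) {
    if (enter_fake_root() < 0) { perror("enter_fake_root"); return 1; }
    /* We now hold CAP_SYS_ADMIN in the namespace, so mount() needs no suid
     * helper; a tmpfs stands in for the FUSE mount a runtime would perform. */
    if (mount("tmpfs", "/tmp", "tmpfs", 0, NULL) < 0) { perror("mount"); return 1; }
    printf("euid inside namespace: %u, tmpfs mounted on /tmp\n", (unsigned)geteuid());
    return 0;
}
```

The tmpfs is only visible inside this process's mount namespace, which is also the sandbox-like behaviour difference mentioned above: anything the mounted application expects to share with the host mount table will not be there.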

TheAssassin commented 2 weeks ago

user namespace

For security reasons, user namespaces have been restricted resp. locked down more again on many OSes. I could imagine that this would cause issues with rootless FUSE. Plus, they've never been enabled on a lot of popular distros.

probonopd commented 2 weeks ago

Isn't Bubblewrap using this, too? Which would mean that at least all distributions that support Flatpak should have this enabled by default?

mgord9518 commented 2 weeks ago

Isn't Bubblewrap using this, too? Which would mean that at least all distributions that support Flatpak should have this enabled by default?

As far as I know. I believe it also has an SUID version, but normal bubblewrap uses unprivileged namespaces. Even with the distros that disable them (like Ubuntu), many distros still support them out of the box: Nix, Arch and LM right off the top of my head. So assuming we can actually get it to feel like there's no difference, it's probably worth it.

I've started on making a new AppImage runtime in Zig and I'll try to implement mounting with namespaces

Samueru-sama commented 2 weeks ago

For a trivial example, you can just use unshare --mount --user -r, which will create a fake root environment which FUSE can be mounted from. An issue I see is that it's almost like a sandbox, so the behavior won't just be 1:1 with using fusermount.

Maybe someone should experiment with launching AppImages from this shell environment to see how differently the applications behave before implementing anything in C

I tested this with the nvtop AppImage; it has an odd issue where I can no longer see the active processes, and it also breaks the cpu-x daemon.