Mic92 / envfs

Fuse filesystem that returns symlinks to executables based on the PATH of the requesting process.

File permissions too open #166

Open con-f-use opened 4 weeks ago

con-f-use commented 4 weeks ago

I have run into a use-case where the 3rd-party app actually checks that the file is not only root-owned, but also that no one but the root user has write permissions.

Can we make the file appear as a regular file, not a symlink and the apparent permissions for envfs-provided executables either configurable, or remove the write bit for group and others?

Mic92 commented 4 weeks ago

I would like to avoid regular files, because we then also have to implement a whole set of other things and we would have to send all reads through fuse, which has significant performance impact. Removing write permission sounds doable though and a very easy fix.

con-f-use commented 4 weeks ago

I'll take it. Thanks!

Only solves part of my problem, but at least one of the three apps I'm after would work. Are you sure it's that annoying to do? I'd really love regular files, too.

The app maintainers rationalize this by "we are usually run as root and we don't want people to hijack our root by overwriting the executables we call" - but at that point, there are probably other issues and also, they could just call "sudo " instead or prompt the user if it's okay, or they could follow symlinks and check their targets instead :shrug:.

Mic92 commented 4 weeks ago

Mhm actually, how do your programs check permissions?

No symlink exists on stat():

    % ls -la /usr/bin/python
    lsd: /usr/bin/python: No such file or directory (os error 2).

Mic92 commented 4 weeks ago

So I can't remove write permission from something that does not exist on a filesystem that is not writeable.

Mic92 commented 4 weeks ago

Ah, found something.

con-f-use commented 4 weeks ago

They are closed source, so I can't tell you without significant effort. One only checks for root, the other for read-only root somehow. Or at least they complain about trying to run ip and the executable being writable for non-root.

Mic92 commented 4 weeks ago

strace -f usually is the best tool for this. But anyway. I assume it's some sort of openat() + fstat(). Otherwise it would follow symlinks and normal stat() doesn't work.
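
The two check styles this thread contrasts, as an added example (not envfs code and not written by either participant): lstat() on the path entry versus openat() + fstat() on the opened file, each applying the "owned by the expected user, no group/other write bit" policy the app enforces. The expected owner uid is a parameter (an assumption, so the demo runs unprivileged) and the sample files in /tmp are constructed by the code itself.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum { EXE_OK = 0, EXE_UNREADABLE, EXE_WRONG_OWNER, EXE_WRITABLE };

/* The policy from the issue: owned by expected_uid, no group/other write bit. */
static int judge_stat(const struct stat *st, uid_t expected_uid) {
    if (st->st_uid != expected_uid) return EXE_WRONG_OWNER;
    if (st->st_mode & (S_IWGRP | S_IWOTH)) return EXE_WRITABLE;
    return EXE_OK;
}

/* lstat() describes the path entry itself: for a symlink that is the link's
 * own mode (0777 on Linux), so a symlinked executable always looks writable. */
int check_exe_lstat(const char *path, uid_t expected_uid) {
    struct stat st;
    if (lstat(path, &st) != 0) return EXE_UNREADABLE;
    return judge_stat(&st, expected_uid);
}

/* openat() + fstat(), the pattern guessed in the thread: open follows the
 * symlink and fstat() describes the file actually opened, so the target is
 * judged and the same descriptor can be used afterwards (no check/use gap). */
int check_exe_fstat(const char *path, uid_t expected_uid) {
    struct stat st;
    int fd = openat(AT_FDCWD, path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return EXE_UNREADABLE;
    int rc = (fstat(fd, &st) == 0) ? judge_stat(&st, expected_uid) : EXE_UNREADABLE;
    close(fd);
    return rc;
}

/* Constructed sample (hypothetical, for the demo): a regular file in /tmp with
 * the given mode plus a symlink "<file>.lnk" to it. Buffers must hold 64 bytes. */
int create_sample(mode_t mode, char *file_out, char *link_out) {
    char tmpl[] = "/tmp/envfs-demo-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    close(fd);
    if (chmod(tmpl, mode) != 0) return -1;   /* chmod ignores umask, unlike creat */
    snprintf(file_out, 64, "%s", tmpl);
    snprintf(link_out, 64, "%s.lnk", tmpl);
    return symlink(tmpl, link_out);
}
```

Running check_exe_fstat() through the symlink judges the target, which is exactly what the thread suggests the closed-source apps do; check_exe_lstat() on the same link reports the link's own 0777 mode and so rejects it regardless of the target.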

con-f-use commented 4 weeks ago

Just for the record, how would I go about simulating actual regular files instead of symlinks? I don't care about performance in that particular case.

Mic92 commented 4 weeks ago

You would need to track inodes and implement read.

Mic92 commented 4 weeks ago

https://github.com/cberner/fuser/blob/master/examples/hello.rs