linux/include
Miklos Szeredi d8a5ba4545 [PATCH] FUSE - core
This patch adds FUSE core.

This contains the following files:

 o inode.c
    - superblock operations (alloc_inode, destroy_inode, read_inode,
      clear_inode, put_super, show_options)
    - registers FUSE filesystem

 o fuse_i.h
    - private header file

Requirements
============

 The most important difference between ordinary filesystems and FUSE is
 the fact, that the filesystem data/metadata is provided by a userspace
 process run with the privileges of the mount "owner" instead of the
 kernel, or some remote entity usually running with elevated
 privileges.

 The security implication of this is that a non-privileged user must
 not be able to use this capability to compromise the system.  Obvious
 requirements arising from this are:

  - mount owner should not be able to get elevated privileges with the
    help of the mounted filesystem

  - mount owner should not be able to induce undesired behavior in
    other users' or the super user's processes

  - mount owner should not get illegitimate access to information from
    other users' and the super user's processes

 These are currently ensured with the following constraints:

  1) mount is only allowed to directory or file which the mount owner
    can modify without limitation (write access + no sticky bit for
    directories)

  2) nosuid,nodev mount options are forced

  3) any process running with fsuid different from the owner is denied
     all access to the filesystem

 1) and 2) are ensured by the "fusermount" mount utility which is a
    setuid root application doing the actual mount operation.

 3) is ensured by a check in the permission() method in kernel

 I started thinking about doing 3) in a different way because Christoph
 H. made a big deal out of it, saying that FUSE is unacceptable into
 mainline in this form.

 The suggested use of private namespaces would be OK, but in their
 current form have many limitations that make their use impractical (as
 discussed in this thread).

 Suggested improvements that would address these limitations:

   - implement shared subtrees

   - allow a process to join an existing namespace (make namespaces
     first-class objects)

   - implement the namespace creation/joining in a PAM module

 With all that in place the check of owner against current->fsuid may
 be removed from the FUSE kernel module, without compromising the
 security requirements.

 Suid programs still raise interesting questions, since they get access even
 to the private namespace causing some information leak (exact
 order/timing of filesystem operations performed), giving some
 ptrace-like capabilities to unprivileged users.  BTW this problem is
 not strictly limited to the namespace approach, since suid programs
 setting fsuid and accessing users' files will succeed with the current
 approach too.

Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-09 14:03:44 -07:00
..
acpi [ACPI] ACPICA 20050902 2005-09-03 00:15:11 -04:00
asm-alpha [PATCH] Make sparc64 use setup-res.c 2005-09-08 14:57:25 -07:00
asm-arm [PATCH] s3c2410fb: ARM S3C2410 framebuffer driver 2005-09-09 14:03:42 -07:00
asm-arm26 [PATCH] Clean up struct flock64 definitions 2005-09-07 16:57:38 -07:00
asm-cris [PATCH] Clean up struct flock64 definitions 2005-09-07 16:57:38 -07:00
asm-frv [PATCH] Clean up struct flock64 definitions 2005-09-07 16:57:38 -07:00
asm-generic [PATCH] Make sparc64 use setup-res.c 2005-09-08 14:57:25 -07:00
asm-h8300 [PATCH] Clean up struct flock64 definitions 2005-09-07 16:57:38 -07:00
asm-i386 [PATCH] fix reboot via keyboard controller reset 2005-09-09 13:57:35 -07:00
asm-ia64 [PATCH] Prefetch kernel stacks to speed up context switch 2005-09-09 13:57:31 -07:00
asm-m32r [PATCH] Clean up struct flock64 definitions 2005-09-07 16:57:38 -07:00
asm-m68k [PATCH] Clean up struct flock64 definitions 2005-09-07 16:57:38 -07:00
asm-m68knommu [PATCH] m68knommu: include ColdFire 523x processor register definitions 2005-09-08 17:27:37 -07:00
asm-mips [PATCH] remove unnecessary handle_IRQ_event() prototypes 2005-09-09 13:57:33 -07:00
asm-parisc [PATCH] Make sparc64 use setup-res.c 2005-09-08 14:57:25 -07:00
asm-powerpc [PATCH] powerpc: Fix __power64__ typos that should be __powerpc64__ 2005-09-09 22:11:35 +10:00
asm-ppc [PATCH] remove unnecessary handle_IRQ_event() prototypes 2005-09-09 13:57:33 -07:00
asm-ppc64 Merge master.kernel.org:/pub/scm/linux/kernel/git/paulus/ppc64-2.6 2005-09-09 10:38:02 -07:00
asm-s390 [PATCH] Clean up struct flock64 definitions 2005-09-07 16:57:38 -07:00
asm-sh [PATCH] remove unnecessary handle_IRQ_event() prototypes 2005-09-09 13:57:33 -07:00
asm-sh64 [PATCH] Clean up struct flock64 definitions 2005-09-07 16:57:38 -07:00
asm-sparc [PATCH] Clean up struct flock64 definitions 2005-09-07 16:57:38 -07:00
asm-sparc64 Merge master.kernel.org:/pub/scm/linux/kernel/git/gregkh/pci-2.6 2005-09-08 15:55:23 -07:00
asm-um [PATCH] remove asm-*/hdreg.h 2005-09-07 16:57:30 -07:00
asm-v850 [PATCH] Clean up struct flock64 definitions 2005-09-07 16:57:38 -07:00
asm-x86_64 [PATCH] remove unnecessary handle_IRQ_event() prototypes 2005-09-09 13:57:33 -07:00
asm-xtensa [PATCH] Clean up struct flock64 definitions 2005-09-07 16:57:38 -07:00
linux [PATCH] FUSE - core 2005-09-09 14:03:44 -07:00
math-emu
media [PATCH] v4l: tveeprom improved to support newer Hauppage cards 2005-09-09 13:57:54 -07:00
mtd [MTD] NAND: Honour autoplacement schemes supplied by the caller 2005-05-23 13:20:45 +02:00
net [AX.25]: Make asc2ax() thread-proof 2005-09-08 13:40:41 -07:00
pcmcia [PATCH] pcmcia: add pcmcia to IRQ information 2005-09-09 13:57:48 -07:00
rdma [PATCH] IB: move include files to include/rdma 2005-08-26 20:37:38 -07:00
rxrpc
scsi Merge by hand (conflicts in sd.c) 2005-09-06 17:52:54 -05:00
sound [PATCH] DocBook: fix kernel-api documentation generation 2005-09-09 14:03:43 -07:00
video [PATCH] framebuffer: new driver for cyberblade/i1 graphics core 2005-09-09 13:58:02 -07:00