On 21.06.21 18:12, Kevin Wolf wrote:
> On 14.06.2021 at 16:44, Max Reitz wrote:
>> Hi,
>>
>> With the default mount options, FUSE mounts are not accessible to any
>> users but the one who did the mount, not even to root. To allow such
>> accesses, allow_other must be passed.
>>
>> This is probably useful to some people (it certainly is to me, e.g. when
>> exporting some image as my normal user, and then trying to loop mount it
>> as root), so this series adds a QAPI allow-other bool that will make the
>> FUSE export code pass allow_other,default_permissions to FUSE.
>>
>> (default_permissions will make the kernel do the usual UNIX permission
>> checks, which is something that makes a lot of sense when allowing other
>> users access to the export.)
>>
>> This also requires our SETATTR code to be able to handle permission
>> changes, though, so the user can then run chmod/chown/chgrp on the
>> export to adjust its permissions to their need.
>>
>> The final patch adds a test.
> If there is even a use case for leaving the option off (not trusting
> root?), it must certainly be the less common case? So I'm not sure if
> allow-other should be an option at all, but if it is, enabling it by
> default would make more sense to me.
>
> Is there a reason why you picked false as the default, except that it is
> the old behaviour?

No. :)

Well, mostly. I also thought, if FUSE thinks allow_other shouldn’t be
the default, who am I to decide otherwise.

Now that I tried to find out why FUSE has it as the default (I only
remember vague “security reasons”), I still couldn’t find out why, but I
did find that using this option as non-root user requires /etc/fuse.conf
to have user_allow_other in it, which I don’t think we can require.

So I think it must be an option. As for which value should be the
default, that probably depends on how common having user_allow_other in
/etc/fuse.conf is. I know I never put it there, and it’s both on my
Fedora and my Arch system. So I guess it seems rather common?

Max
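
Added example, not part of the original message or of the patch series: a shell check for the /etc/fuse.conf requirement described above, deciding whether a mount by a given uid can carry allow_other,default_permissions. The function names and the sample config files are hypothetical; the assumed fuse.conf syntax is one option per line with '#' comments.

```shell
#!/bin/sh
# Added example (not QEMU code). Assumed fuse.conf syntax: one option per
# line, '#' starts a comment, surrounding whitespace is ignored.

# Succeeds if FILE contains an uncommented user_allow_other line.
conf_has_user_allow_other() {
    [ -r "$1" ] || return 1
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -qx 'user_allow_other'
}

# can_allow_other UID CONF: would a mount by UID with allow_other be accepted?
# root may always pass it; other users need user_allow_other in CONF.
can_allow_other() {
    [ "$1" -eq 0 ] || conf_has_user_allow_other "$2"
}

# export_mount_opts UID CONF: print the option string the series passes to
# FUSE when allow_other is usable, or nothing (default: mounter-only access).
export_mount_opts() {
    if can_allow_other "$1" "$2"; then
        echo 'allow_other,default_permissions'
    else
        echo ''
    fi
}

# Constructed sample configs for a stand-alone run.
demo_dir=$(mktemp -d)
printf '# user_allow_other\nmount_max = 1000\n' > "$demo_dir/off.conf"
printf '  user_allow_other   # enabled by admin\n' > "$demo_dir/on.conf"
for conf in off on; do
    for uid in 0 1000; do
        echo "uid=$uid conf=$conf -> '$(export_mount_opts "$uid" "$demo_dir/$conf.conf")'"
    done
done
rm -rf "$demo_dir"
```

A commented-out user_allow_other line counts as absent, so an unprivileged mount falls back to the default where only the mounting user can access the export.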