Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fuse: allow user configuration of fuse.conf #53074

Closed
wants to merge 1 commit into from

Conversation

furrycatherder
Copy link
Contributor

@furrycatherder furrycatherder commented Dec 30, 2018

Motivation for this change

#53072 requires user_allow_other in fuse.conf to work, this PR makes it user configurable.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@bjornfor
Copy link
Contributor

Doesn't fuse read /etc/fuse.conf, the system-wide config file? What are the consequences of defaulting to user allow other?

@furrycatherder
Copy link
Contributor Author

I'm really not sure. I don't have an /etc/fuse.conf.

sean@akita ~> fuse-overlayfs -o lowerdir=/lower -o upperdir=/upper -o workdir=/work /merged
UID=unchanged
GID=unchanged
UPPERDIR=/upper
WORKDIR=/work
LOWERDIR=/lower
MOUNTPOINT=/merged
fusermount3: option allow_other only allowed if 'user_allow_other' is set in /nix/store/mg0gkrvxyl640abb4v961b8ggrzn4vaq-fuse-3.2.6/etc/fuse.conf
fuse-overlayfs: cannot mount: Operation not permitted

It would be nice to find out where this fuse.conf is coming from.

       allow_other
              This option overrides the security measure restricting  file  access  to  the  user
              mounting the filesystem.  So all users (including root) can access the files.  This
              option is by default only allowed to root, but this restriction can be removed with
              a configuration option described in the previous section.

This could be debated but my thought is that most fuse mounts are done within a directory that restricts read access to the mounting user (namely the user's home directory).

@nixos-discourse
Copy link

This pull request has been mentioned on Nix community. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review-december/1711/9

@furrycatherder
Copy link
Contributor Author

@bjornfor I changed userAllowOther to default to false, this should be uncontroversial. Can you approve the PR?

@primeos
Copy link
Member

primeos commented Apr 7, 2019

@furrycatherder thanks for this PR it would do the job but unfortunately I have to close it in favor of #59043. The advantage of the approach in #59043 is that it does not require a rebuild of fuse3 when changing the defaults. And since a lot of packages depend on fuse3 it could take very long to rebuild one's system.

@primeos primeos closed this Apr 7, 2019
@furrycatherder furrycatherder deleted the fuse-conf branch April 8, 2019 14:14
@furrycatherder
Copy link
Contributor Author

@primeos Thanks for the feedback. Any solution works for me. :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

5 participants