Por que o FUSE pode ser considerado inseguro no servidor?

3

O OpenSUSE vem com várias configurações de permissões predefinidas. Um paranóico é mais restritivo. Embora eu entenda por que ele bloqueia coisas como virtualização ou tty broadcasts para usuários não-root, eu realmente não entendo porque ele também bloqueia fuse . Existe algum problema real de segurança introduzido pelo fusível, por exemplo, no servidor compartilhado?

    
por Lapsio 29.09.2016 / 13:38

1 resposta

1

Este comentário útil vincula a esta página da Web . Abaixo está um extrato da página:

Security Concerns

Writing and using a FUSE filesystem can have some Metrodome-sized security concerns that may or may not be obvious, but deserve some mention. In this section, I'll be talking about privilege escalation, giving some notes on checking access rights, and mentioning race conditions.

Privilege Escalation

The main point to make is that the filesystem itself executes with the access privileges of the process running it, not those of the process making use of the filesystem. Here's how this plays out in some typical scenarios:

The Common Case: a User Runs the Filesystem Without the allow_other Option

This is the normal case; the filesystem runs with the privileges of the user that ran it, and only that user can access the filesystem. FUSE doesn't open up any particular security issues in this case.

A User Runs the Filesystem With the allow_other Option

In this case, the filesystem runs with the privileges of the user that invoked it, not the privileges of any user who happens to make use of the filesystem. It's the responsibility of the user who mounts the filesystem to ensure inappropriate access privileges aren't being granted to other users. In general, users can only hurt themselves this way, since they can only grant privileges that they themselves already have.

It should be noted that an option, user_allow_other, must be set in /etc/fuse.conf to enable this option.

Root Runs a Filesystem

This is really the same as the previous two cases (depending on whether the allow_other option is set), but root is a sufficiently special case that it deserves mention. In this case, any user making use of the filesystem has root privileges on that filesystem! If the process has access to the actual filesystem, this could easily be used to gain pretty much unlimited access.

The next subsection will talk a little bit about checking access rights, but the simplest way out here is to not allow root to mount the filesystem. […]

Checking Access Rights

In general, a filesystem that might be executed with the allow_other flag will need to take steps to ensure its own security. fuse.h documents that several calls need to check that the requested access is permitted; in addition to those, there are several others that also require access checks (such as chown()). It is strictly the programmer's responsibility to make sure these cautions are followed!

[…]

Simultaneous Access and Race Conditions

By default, FUSE runs multi-threaded: this means (in brief) that a second request can be handled by the filesystem before an earlier request has completed; this in turn raises the possibility that different threads can be simultaneously modifying a single data structure, which will cause very difficult-to-debug bugs.

[…]

    
por 19.08.2017 / 10:40