]>
Commit | Line | Data |
---|---|---|
334f485d MS |
1 | Definitions |
2 | ~~~~~~~~~~~ | |
3 | ||
4 | Userspace filesystem: | |
5 | ||
6 | A filesystem in which data and metadata are provided by an ordinary | |
7 | userspace process. The filesystem can be accessed normally through | |
8 | the kernel interface. | |
9 | ||
10 | Filesystem daemon: | |
11 | ||
12 | The process(es) providing the data and metadata of the filesystem. | |
13 | ||
14 | Non-privileged mount (or user mount): | |
15 | ||
16 | A userspace filesystem mounted by a non-privileged (non-root) user. | |
17 | The filesystem daemon is running with the privileges of the mounting | |
18 | user. NOTE: this is not the same as mounts allowed with the "user" | |
19 | option in /etc/fstab, which is not discussed here. | |
20 | ||
bafa9654 MS |
21 | Filesystem connection: |
22 | ||
23 | A connection between the filesystem daemon and the kernel. The | |
24 | connection exists until either the daemon dies, or the filesystem is | |
25 | umounted. Note that detaching (or lazy umounting) the filesystem | |
26 | does _not_ break the connection, in this case it will exist until | |
27 | the last reference to the filesystem is released. | |
28 | ||
334f485d MS |
29 | Mount owner: |
30 | ||
31 | The user who does the mounting. | |
32 | ||
33 | User: | |
34 | ||
35 | The user who is performing filesystem operations. | |
36 | ||
37 | What is FUSE? | |
38 | ~~~~~~~~~~~~~ | |
39 | ||
40 | FUSE is a userspace filesystem framework. It consists of a kernel | |
41 | module (fuse.ko), a userspace library (libfuse.*) and a mount utility | |
42 | (fusermount). | |
43 | ||
44 | One of the most important features of FUSE is allowing secure, | |
45 | non-privileged mounts. This opens up new possibilities for the use of | |
46 | filesystems. A good example is sshfs: a secure network filesystem | |
47 | using the sftp protocol. | |
48 | ||
49 | The userspace library and utilities are available from the FUSE | |
50 | homepage: | |
51 | ||
52 | http://fuse.sourceforge.net/ | |
53 | ||
54 | Mount options | |
55 | ~~~~~~~~~~~~~ | |
56 | ||
57 | 'fd=N' | |
58 | ||
59 | The file descriptor to use for communication between the userspace | |
60 | filesystem and the kernel. The file descriptor must have been | |
61 | obtained by opening the FUSE device ('/dev/fuse'). | |
62 | ||
63 | 'rootmode=M' | |
64 | ||
65 | The file mode of the filesystem's root in octal representation. | |
66 | ||
67 | 'user_id=N' | |
68 | ||
69 | The numeric user id of the mount owner. | |
70 | ||
71 | 'group_id=N' | |
72 | ||
73 | The numeric group id of the mount owner. | |
74 | ||
75 | 'default_permissions' | |
76 | ||
77 | By default FUSE doesn't check file access permissions, the | |
78 | filesystem is free to implement it's access policy or leave it to | |
79 | the underlying file access mechanism (e.g. in case of network | |
80 | filesystems). This option enables permission checking, restricting | |
81 | access based on file mode. This is option is usually useful | |
82 | together with the 'allow_other' mount option. | |
83 | ||
84 | 'allow_other' | |
85 | ||
86 | This option overrides the security measure restricting file access | |
87 | to the user mounting the filesystem. This option is by default only | |
88 | allowed to root, but this restriction can be removed with a | |
89 | (userspace) configuration option. | |
90 | ||
334f485d MS |
91 | 'max_read=N' |
92 | ||
93 | With this option the maximum size of read operations can be set. | |
94 | The default is infinite. Note that the size of read requests is | |
95 | limited anyway to 32 pages (which is 128kbyte on i386). | |
96 | ||
bafa9654 MS |
97 | Control filesystem |
98 | ~~~~~~~~~~~~~~~~~~ | |
99 | ||
100 | There's a control filesystem for FUSE, which can be mounted by: | |
bacac382 | 101 | |
bafa9654 | 102 | mount -t fusectl none /sys/fs/fuse/connections |
bacac382 | 103 | |
bafa9654 MS |
104 | Mounting it under the '/sys/fs/fuse/connections' directory makes it |
105 | backwards compatible with earlier versions. | |
bacac382 | 106 | |
bafa9654 MS |
107 | Under the fuse control filesystem each connection has a directory |
108 | named by a unique number. | |
bacac382 | 109 | |
bafa9654 | 110 | For each connection the following files exist within this directory: |
bacac382 MS |
111 | |
112 | 'waiting' | |
113 | ||
114 | The number of requests which are waiting to be transfered to | |
115 | userspace or being processed by the filesystem daemon. If there is | |
116 | no filesystem activity and 'waiting' is non-zero, then the | |
117 | filesystem is hung or deadlocked. | |
118 | ||
119 | 'abort' | |
120 | ||
121 | Writing anything into this file will abort the filesystem | |
122 | connection. This means that all waiting requests will be aborted an | |
123 | error returned for all aborted and new requests. | |
124 | ||
bafa9654 | 125 | Only the owner of the mount may read or write these files. |
bacac382 | 126 | |
a4d27e75 MS |
127 | Interrupting filesystem operations |
128 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
129 | ||
130 | If a process issuing a FUSE filesystem request is interrupted, the | |
131 | following will happen: | |
132 | ||
133 | 1) If the request is not yet sent to userspace AND the signal is | |
134 | fatal (SIGKILL or unhandled fatal signal), then the request is | |
135 | dequeued and returns immediately. | |
136 | ||
137 | 2) If the request is not yet sent to userspace AND the signal is not | |
138 | fatal, then an 'interrupted' flag is set for the request. When | |
139 | the request has been successfully transfered to userspace and | |
140 | this flag is set, an INTERRUPT request is queued. | |
141 | ||
142 | 3) If the request is already sent to userspace, then an INTERRUPT | |
143 | request is queued. | |
144 | ||
145 | INTERRUPT requests take precedence over other requests, so the | |
146 | userspace filesystem will receive queued INTERRUPTs before any others. | |
147 | ||
148 | The userspace filesystem may ignore the INTERRUPT requests entirely, | |
149 | or may honor them by sending a reply to the _original_ request, with | |
150 | the error set to EINTR. | |
151 | ||
152 | It is also possible that there's a race between processing the | |
153 | original request and it's INTERRUPT request. There are two possibilities: | |
154 | ||
155 | 1) The INTERRUPT request is processed before the original request is | |
156 | processed | |
157 | ||
158 | 2) The INTERRUPT request is processed after the original request has | |
159 | been answered | |
160 | ||
161 | If the filesystem cannot find the original request, it should wait for | |
162 | some timeout and/or a number of new requests to arrive, after which it | |
163 | should reply to the INTERRUPT request with an EAGAIN error. In case | |
164 | 1) the INTERRUPT request will be requeued. In case 2) the INTERRUPT | |
165 | reply will be ignored. | |
166 | ||
bacac382 MS |
167 | Aborting a filesystem connection |
168 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
169 | ||
170 | It is possible to get into certain situations where the filesystem is | |
171 | not responding. Reasons for this may be: | |
172 | ||
173 | a) Broken userspace filesystem implementation | |
174 | ||
175 | b) Network connection down | |
176 | ||
177 | c) Accidental deadlock | |
178 | ||
179 | d) Malicious deadlock | |
180 | ||
181 | (For more on c) and d) see later sections) | |
182 | ||
183 | In either of these cases it may be useful to abort the connection to | |
184 | the filesystem. There are several ways to do this: | |
185 | ||
186 | - Kill the filesystem daemon. Works in case of a) and b) | |
187 | ||
188 | - Kill the filesystem daemon and all users of the filesystem. Works | |
189 | in all cases except some malicious deadlocks | |
190 | ||
191 | - Use forced umount (umount -f). Works in all cases but only if | |
192 | filesystem is still attached (it hasn't been lazy unmounted) | |
193 | ||
bafa9654 MS |
194 | - Abort filesystem through the FUSE control filesystem. Most |
195 | powerful method, always works. | |
bacac382 | 196 | |
334f485d MS |
197 | How do non-privileged mounts work? |
198 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
199 | ||
200 | Since the mount() system call is a privileged operation, a helper | |
201 | program (fusermount) is needed, which is installed setuid root. | |
202 | ||
203 | The implication of providing non-privileged mounts is that the mount | |
204 | owner must not be able to use this capability to compromise the | |
205 | system. Obvious requirements arising from this are: | |
206 | ||
207 | A) mount owner should not be able to get elevated privileges with the | |
208 | help of the mounted filesystem | |
209 | ||
210 | B) mount owner should not get illegitimate access to information from | |
211 | other users' and the super user's processes | |
212 | ||
213 | C) mount owner should not be able to induce undesired behavior in | |
214 | other users' or the super user's processes | |
215 | ||
216 | How are requirements fulfilled? | |
217 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
218 | ||
219 | A) The mount owner could gain elevated privileges by either: | |
220 | ||
221 | 1) creating a filesystem containing a device file, then opening | |
222 | this device | |
223 | ||
224 | 2) creating a filesystem containing a suid or sgid application, | |
225 | then executing this application | |
226 | ||
227 | The solution is not to allow opening device files and ignore | |
228 | setuid and setgid bits when executing programs. To ensure this | |
229 | fusermount always adds "nosuid" and "nodev" to the mount options | |
230 | for non-privileged mounts. | |
231 | ||
232 | B) If another user is accessing files or directories in the | |
233 | filesystem, the filesystem daemon serving requests can record the | |
234 | exact sequence and timing of operations performed. This | |
235 | information is otherwise inaccessible to the mount owner, so this | |
236 | counts as an information leak. | |
237 | ||
238 | The solution to this problem will be presented in point 2) of C). | |
239 | ||
240 | C) There are several ways in which the mount owner can induce | |
241 | undesired behavior in other users' processes, such as: | |
242 | ||
243 | 1) mounting a filesystem over a file or directory which the mount | |
244 | owner could otherwise not be able to modify (or could only | |
245 | make limited modifications). | |
246 | ||
247 | This is solved in fusermount, by checking the access | |
248 | permissions on the mountpoint and only allowing the mount if | |
249 | the mount owner can do unlimited modification (has write | |
250 | access to the mountpoint, and mountpoint is not a "sticky" | |
251 | directory) | |
252 | ||
253 | 2) Even if 1) is solved the mount owner can change the behavior | |
254 | of other users' processes. | |
255 | ||
256 | i) It can slow down or indefinitely delay the execution of a | |
257 | filesystem operation creating a DoS against the user or the | |
258 | whole system. For example a suid application locking a | |
259 | system file, and then accessing a file on the mount owner's | |
260 | filesystem could be stopped, and thus causing the system | |
261 | file to be locked forever. | |
262 | ||
263 | ii) It can present files or directories of unlimited length, or | |
264 | directory structures of unlimited depth, possibly causing a | |
265 | system process to eat up diskspace, memory or other | |
266 | resources, again causing DoS. | |
267 | ||
268 | The solution to this as well as B) is not to allow processes | |
269 | to access the filesystem, which could otherwise not be | |
270 | monitored or manipulated by the mount owner. Since if the | |
271 | mount owner can ptrace a process, it can do all of the above | |
272 | without using a FUSE mount, the same criteria as used in | |
273 | ptrace can be used to check if a process is allowed to access | |
274 | the filesystem or not. | |
275 | ||
276 | Note that the ptrace check is not strictly necessary to | |
277 | prevent B/2/i, it is enough to check if mount owner has enough | |
278 | privilege to send signal to the process accessing the | |
279 | filesystem, since SIGSTOP can be used to get a similar effect. | |
280 | ||
281 | I think these limitations are unacceptable? | |
282 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
283 | ||
284 | If a sysadmin trusts the users enough, or can ensure through other | |
285 | measures, that system processes will never enter non-privileged | |
286 | mounts, it can relax the last limitation with a "user_allow_other" | |
287 | config option. If this config option is set, the mounting user can | |
288 | add the "allow_other" mount option which disables the check for other | |
289 | users' processes. | |
290 | ||
291 | Kernel - userspace interface | |
292 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
293 | ||
294 | The following diagram shows how a filesystem operation (in this | |
295 | example unlink) is performed in FUSE. | |
296 | ||
297 | NOTE: everything in this description is greatly simplified | |
298 | ||
299 | | "rm /mnt/fuse/file" | FUSE filesystem daemon | |
300 | | | | |
301 | | | >sys_read() | |
302 | | | >fuse_dev_read() | |
303 | | | >request_wait() | |
304 | | | [sleep on fc->waitq] | |
305 | | | | |
306 | | >sys_unlink() | | |
307 | | >fuse_unlink() | | |
308 | | [get request from | | |
309 | | fc->unused_list] | | |
310 | | >request_send() | | |
311 | | [queue req on fc->pending] | | |
312 | | [wake up fc->waitq] | [woken up] | |
313 | | >request_wait_answer() | | |
314 | | [sleep on req->waitq] | | |
315 | | | <request_wait() | |
316 | | | [remove req from fc->pending] | |
317 | | | [copy req to read buffer] | |
318 | | | [add req to fc->processing] | |
319 | | | <fuse_dev_read() | |
320 | | | <sys_read() | |
321 | | | | |
322 | | | [perform unlink] | |
323 | | | | |
324 | | | >sys_write() | |
325 | | | >fuse_dev_write() | |
326 | | | [look up req in fc->processing] | |
327 | | | [remove from fc->processing] | |
328 | | | [copy write buffer to req] | |
329 | | [woken up] | [wake up req->waitq] | |
330 | | | <fuse_dev_write() | |
331 | | | <sys_write() | |
332 | | <request_wait_answer() | | |
333 | | <request_send() | | |
334 | | [add request to | | |
335 | | fc->unused_list] | | |
336 | | <fuse_unlink() | | |
337 | | <sys_unlink() | | |
338 | ||
339 | There are a couple of ways in which to deadlock a FUSE filesystem. | |
340 | Since we are talking about unprivileged userspace programs, | |
341 | something must be done about these. | |
342 | ||
343 | Scenario 1 - Simple deadlock | |
344 | ----------------------------- | |
345 | ||
346 | | "rm /mnt/fuse/file" | FUSE filesystem daemon | |
347 | | | | |
348 | | >sys_unlink("/mnt/fuse/file") | | |
349 | | [acquire inode semaphore | | |
350 | | for "file"] | | |
351 | | >fuse_unlink() | | |
352 | | [sleep on req->waitq] | | |
353 | | | <sys_read() | |
354 | | | >sys_unlink("/mnt/fuse/file") | |
355 | | | [acquire inode semaphore | |
356 | | | for "file"] | |
357 | | | *DEADLOCK* | |
358 | ||
51eb01e7 | 359 | The solution for this is to allow the filesystem to be aborted. |
334f485d MS |
360 | |
361 | Scenario 2 - Tricky deadlock | |
362 | ---------------------------- | |
363 | ||
364 | This one needs a carefully crafted filesystem. It's a variation on | |
365 | the above, only the call back to the filesystem is not explicit, | |
366 | but is caused by a pagefault. | |
367 | ||
368 | | Kamikaze filesystem thread 1 | Kamikaze filesystem thread 2 | |
369 | | | | |
370 | | [fd = open("/mnt/fuse/file")] | [request served normally] | |
371 | | [mmap fd to 'addr'] | | |
372 | | [close fd] | [FLUSH triggers 'magic' flag] | |
373 | | [read a byte from addr] | | |
374 | | >do_page_fault() | | |
375 | | [find or create page] | | |
376 | | [lock page] | | |
377 | | >fuse_readpage() | | |
378 | | [queue READ request] | | |
379 | | [sleep on req->waitq] | | |
380 | | | [read request to buffer] | |
381 | | | [create reply header before addr] | |
382 | | | >sys_write(addr - headerlength) | |
383 | | | >fuse_dev_write() | |
384 | | | [look up req in fc->processing] | |
385 | | | [remove from fc->processing] | |
386 | | | [copy write buffer to req] | |
387 | | | >do_page_fault() | |
388 | | | [find or create page] | |
389 | | | [lock page] | |
390 | | | * DEADLOCK * | |
391 | ||
51eb01e7 | 392 | Solution is basically the same as above. |
334f485d | 393 | |
a4d27e75 MS |
394 | An additional problem is that while the write buffer is being copied |
395 | to the request, the request must not be interrupted/aborted. This is | |
396 | because the destination address of the copy may not be valid after the | |
397 | request has returned. | |
334f485d | 398 | |
51eb01e7 MS |
399 | This is solved with doing the copy atomically, and allowing abort |
400 | while the page(s) belonging to the write buffer are faulted with | |
401 | get_user_pages(). The 'req->locked' flag indicates when the copy is | |
402 | taking place, and abort is delayed until this flag is unset. |