Prev: mount(8) followed by umount(8) fails
Next: how to automatically run a script as long as an input file is available
From: Francis Moreau on 11 Mar 2010 05:32
Hello,

I didn't think that could happen but yes, the root user can't ls(1) a
directory whereas a simple user can.

$ ls -ld /home/francis/.gvfs/
dr-x------ 2 francis francis 0 2010-03-10 16:59 /home/francis/.gvfs
$ su -
$ ls /home/francis/.gvfs/
ls: cannot access /home/francis/.gvfs/: Permission denied

There's something mounted on that directory:

$ mount | grep gvfs
gvfs-fuse-daemon on /home/francis/.gvfs type fuse.gvfs-fuse-daemon
(rw,nosuid,nodev,user=francis)

But is this the expected behaviour ?

thanks
From: Ivan Shmakov on 11 Mar 2010 07:07
>>>>> Francis Moreau <francis.moro(a)gmail.com> writes:

FM> Hello, I didn't think that could happen but yes, the root user
FM> can't ls(1) a directory whereas a simple user can.

> $ ls -ld /home/francis/.gvfs/
> dr-x------ 2 francis francis 0 2010-03-10 16:59 /home/francis/.gvfs
> $ su -
> $ ls /home/francis/.gvfs/
> ls: cannot access /home/francis/.gvfs/: Permission denied

FM> There's something mounted on that directory:

> $ mount | grep gvfs
> gvfs-fuse-daemon on /home/francis/.gvfs type fuse.gvfs-fuse-daemon
> (rw,nosuid,nodev,user=francis)

FM> But is this the expected behaviour ?

While I'm not that familiar with Linux' Filesystems in User
SpacE (FUSE), the way they work — by “redirecting” the VFS layer
calls to a userspace program — should leave enough freedom for
the developers of the latter to deny any process access to
anything on such a filesystem. Including the processes running
with zero UID.

--
FSF associate member #7257
From: Jon LaBadie on 11 Mar 2010 08:51
Francis Moreau wrote:
> Hello,
>
> I didn't think that could happen but yes, the root user can't ls(1) a
> directory whereas a simple user can.
>
> $ ls -ld /home/francis/.gvfs/
> dr-x------ 2 francis francis 0 2010-03-10 16:59 /home/francis/.gvfs
> $ su -
> $ ls /home/francis/.gvfs/
> ls: cannot access /home/francis/.gvfs/: Permission denied
>
> There's something mounted on that directory:
>
> $ mount | grep gvfs
> gvfs-fuse-daemon on /home/francis/.gvfs type fuse.gvfs-fuse-daemon
> (rw,nosuid,nodev,user=francis)
>
> But is this the expected behaviour ?
>

Yes, particularly for remotely mounted file systems (NFS etc.).

Consider if you had root access on your laptop and mounted a
share from some other computer. Should you still be root on
that other remote computer? I hope not. Thus, across remote
mounts the default is the remote root is just an ordinary
"nobody" user. And your options show that to be the case,
note the "nosuid" option is in effect (no set user id).
From: Jonathan de Boyne Pollard on 11 Mar 2010 06:56
>
>
> I didn't think that could happen but yes, the root user can't ls(1) a
> directory whereas a simple user can.
>
People who have used NFS have known that this can happen for the past
two decades and more. (-:

Go and read the kernel documentation for the FUSE filesystem, paying
particular attention to its discussion of non-privileged mounts.
From: Francis Moreau on 11 Mar 2010 11:58
On Mar 11, 2:51 pm, Jon LaBadie <jlaba...(a)aXcXm.org> wrote:
> Francis Moreau wrote:
> > Hello,
>
> > I didn't think that could happen but yes, the root user can't ls(1) a
> > directory whereas a simple user can.
>
> > $ ls -ld /home/francis/.gvfs/
> > dr-x------ 2 francis francis 0 2010-03-10 16:59 /home/francis/.gvfs
> > $ su -
> > $ ls /home/francis/.gvfs/
> > ls: cannot access /home/francis/.gvfs/: Permission denied
>
> > There's something mounted on that directory:
>
> > $ mount | grep gvfs
> > gvfs-fuse-daemon on /home/francis/.gvfs type fuse.gvfs-fuse-daemon
> > (rw,nosuid,nodev,user=francis)
>
> > But is this the expected behaviour ?
>
> Yes, particularly for remotely mounted file systems (NFS etc.).
>
> Consider if you had root access on your laptop and mounted a
> share from some other computer.  Should you still be root on
> that other remote computer?  I hope not.  Thus, across remote
> mounts the default is the remote root is just an ordinary
> "nobody" user.  And your options show that to be the case,
> note the "nosuid" option is in effect (no set user id).

But I'm not trying to access the content of the directory (hence not
trying to access to the remote data), I'm just try to stat the
directory .gvfs on which something is mounted (that's why I pass '-ld'
switches to ls(1))

 |  Next  |  Last
Pages: 1 2 3 4 5
Prev: mount(8) followed by umount(8) fails
Next: how to automatically run a script as long as an input file is available