Re: CAP_SYS_ADMIN restriction for passthrough fds (fuse)


On 5/2/25 10:16, Allison Karlitskaya wrote:
> hi,
> 
> Please excuse me if these are dumb questions.  I'm not great at this stuff. :)
> 
> In fuse_backing_open() there's a check with an interesting comment:
> 
>     /* TODO: relax CAP_SYS_ADMIN once backing files are visible to lsof */
>     res = -EPERM;
>     if (!fc->passthrough || !capable(CAP_SYS_ADMIN))
>         goto out;
> 
> I've done some research into this but I wasn't able to find any
> original discussion about what led to this, or about current plans to
> "relax" this restriction -- only speculation about it being a
> potential mechanism to "hide" open files.
> 
> It would be nice to have an official story about this, on the record.
> What's the concrete problem here, and what would it take to solve it?
> Are there plans?  Is help required?  Would it be possible to relax the
> check to having CAP_SYS_ADMIN in the userns which owns the mount (ie:
> ns_capable(...))?  What would it take to do that?  It would be
> wonderful to be able to use this inside of containers.
> 
> The most obvious guess about direction (based on the comment) is that
> we need to do something to make sure that fds that are registered with
> backing IDs remain visible in the output of `lsof` even after the
> original fd is closed?
> 
> Thanks in advance for any information you can give.  Even if the
> answer is "no, it's impossible" it would be great to have that on
> record.

There is a private discussion in which Chen and Amir are discussing exactly this topic.

<quote>

>>Chen
>>    Additionally, according to previous discussions, backing files are somewhat
>>    similar to the fixed files in `io_uring`.
>>    If it is considered acceptable for the fixed files in `io_uring` to
>>    have their status visible in `fdinfo`,
>>    then exposing backing file information via `/sys/fs/fuse/connections`
>>    also seems like a feasible approach.

>Amir
> Yes I agree.
> That sounds like a good approach to expose the backing files to userspace and allow admin to force close them by aborting the connection.

> In fact if you want you can start with that.
> I don't think it will be controversial.
> I think this will be a useful step towards relaxing cap sys admin.

</quote>


I think it would be good to document all these details somewhere,
it is really hard to follow all of it.


Thanks,
Bernd

> 
> Cheers
> 
> lis
> 
> 
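The check quoted above, `capable(CAP_SYS_ADMIN)`, is evaluated against the initial user namespace, which is why a process inside a container with its own user namespace fails it even when its own capability set looks complete. The following program is an added example written for this thread (it is not code from the thread or from the kernel): it reads the `CapEff` line of `/proc/<pid>/status` and reports whether bit 21 (`CAP_SYS_ADMIN`) is present, as a first-pass diagnostic an operator can run before expecting FUSE passthrough backing-file registration to succeed. The function names (`parse_capeff_line`, `mask_has_cap`, `status_has_sys_admin`) and the sample status text used in the usage note are my own; the comment in the code marks them as constructed.

```c
/* Added example (not from the thread or the kernel): inspect the CapEff line of
 * /proc/<pid>/status for CAP_SYS_ADMIN.  Note the caveat from the thread:
 * fuse_backing_open() uses capable(CAP_SYS_ADMIN), i.e. the capability must be
 * held in the *initial* user namespace, so a CapEff that shows the bit inside a
 * user-namespaced container does not guarantee the kernel check passes. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <errno.h>

#ifdef __linux__
#include <linux/capability.h>
#endif
#ifndef CAP_SYS_ADMIN
#define CAP_SYS_ADMIN 21 /* same value as in <linux/capability.h> */
#endif

/* Parse the hex mask that follows "CapEff:" on one status line.
 * Returns 0 and stores the mask on success, -1 if this is not a CapEff line. */
int parse_capeff_line(const char *line, uint64_t *mask)
{
    const char *p = line;
    char *end;

    if (strncmp(p, "CapEff:", 7) != 0)
        return -1;
    p += 7;
    while (*p == ' ' || *p == '\t')
        p++;

    errno = 0;
    unsigned long long v = strtoull(p, &end, 16);
    if (end == p || errno != 0)
        return -1;
    *mask = (uint64_t)v;
    return 0;
}

/* Return 1 if capability number `cap` is set in `mask`, 0 otherwise. */
int mask_has_cap(uint64_t mask, int cap)
{
    if (cap < 0 || cap >= 64)
        return 0;
    return (int)((mask >> cap) & 1ULL);
}

/* Scan a whole /proc/<pid>/status text for the CapEff line.
 * Returns 1 if CAP_SYS_ADMIN is set, 0 if it is absent, -1 if no CapEff line exists. */
int status_has_sys_admin(const char *status_text)
{
    const char *line = status_text;

    while (line && *line) {
        uint64_t mask;
        if (parse_capeff_line(line, &mask) == 0)
            return mask_has_cap(mask, CAP_SYS_ADMIN);
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

int main(void)
{
    /* Read the calling process's own status file into a buffer. */
    static char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) {
        perror("fopen /proc/self/status");
        return 1;
    }
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';

    int r = status_has_sys_admin(buf);
    if (r < 0)
        puts("no CapEff line found");
    else
        printf("CAP_SYS_ADMIN in CapEff: %s (may still fail capable() inside a user namespace)\n",
               r ? "yes" : "no");
    return 0;
}
```

Run as a normal user and the report says "no"; run as root in the initial user namespace and it says "yes". A constructed status text such as `CapEff:\t00000000a80425fb` (a mask without bit 21) is reported as "no", while `CapEff:\t0000003fffffffff` is reported as "yes"; only the latter, and only in the initial user namespace, corresponds to passing the kernel's check.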
