Ticket #45 (new defect)
Opened 15 months ago
a way to bypass file read permissions using fuse client:
| Reported by: | hubcap | Owned by: | parl |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | Kernel module | Version: | latest |
| Keywords: | fuse kernel module permissions bypass | Cc: | |
Description
This bug was reported by Andrew Savchenko, bircoph@…...
Hello,
On Mon, 12 Mar 2012 19:56:14 -0400 Kevin Stone wrote:
> The invalid argument on chmod in fuse is fixed here:
> http://www.orangefs.org/trac/orangefs/changeset/9212
Thanks, it works. Though I found a way to bypass file read
permissions using fuse client:
1) Mount pvfs2 using pvfs2-client.
2) do as root:
# touch secret_file
# chmod 0600 secret_file
# echo secret_data > secret_file
3) do as user:
$ pvfs2fuse -o fs_spec="tcp://host:3334/pvfs2-fs" mountpoint
$ ll secret_file
-rw------- 0 root root 12 Mar 13 19:58 secret_file
$ cat secret_file
secret_data
Parent directory is owned by root.
This works only for data read, you can't delete or modify file.
pvfs2-client works normally.
This doesn't work for directories, files only.
With default_permissions fuse option this also works as expected.
I know, security is not a primary goal for PVFS2 and most of
distributed file systems, but nevertheless it will be good to fix
this as well.
Best regards,
Andrew Savchenko
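
Added example, not part of the original ticket or the OrangeFS code: the report says the bypass disappears when the mount uses the FUSE `default_permissions` option, so this check lists FUSE mounts that lack it, reading input in `/proc/mounts` format. The sample lines, the mount points and the `fuse.pvfs2fuse` filesystem type are constructed assumptions.

```shell
#!/bin/sh
# List the mount points of FUSE filesystems mounted without default_permissions.
# Input format (as in /proc/mounts): device mountpoint fstype options dump pass

fuse_mounts_without_default_permissions() {
    # $1: file in /proc/mounts format, or "-" for stdin (default: /proc/mounts)
    awk '
        # fuse, fuse.<subtype> and fuseblk are FUSE filesystems;
        # fusectl is the control filesystem and is skipped.
        $3 == "fuse" || $3 == "fuseblk" || $3 ~ /^fuse\./ {
            n = split($4, opts, ",")
            found = 0
            for (i = 1; i <= n; i++)
                if (opts[i] == "default_permissions") found = 1
            # Without the option the kernel does not check mode bits itself;
            # access control is left entirely to the FUSE daemon.
            if (!found) print $2
        }
    ' "${1:-/proc/mounts}"
}

# Constructed sample input (not taken from a real system).
constructed_sample() {
cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
fusectl /sys/fs/fuse/connections fusectl rw,relatime 0 0
pvfs2fuse /home/user/mountpoint fuse.pvfs2fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
pvfs2fuse /mnt/checked fuse.pvfs2fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,default_permissions 0 0
EOF
}

# Demo on the constructed sample: only the first pvfs2fuse mount is reported.
constructed_sample | fuse_mounts_without_default_permissions -
```

Run `fuse_mounts_without_default_permissions` with no argument to check the live mount table of the current host.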
