Dominique Leuenberger writes:
==== fuse ====
Version update (2.9.7 -> 2.9.8)
Subpackages: libfuse2

- fuse 2.9.8
  * SECURITY UPDATE: In previous versions of libfuse it was possible for unprivileged users to specify the allow_other option even when this was forbidden in /etc/fuse.conf. The vulnerability is present only on systems where SELinux is active (including in permissive mode).
  * libfuse no longer segfaults when fuse_interrupted() is called outside the event loop.
  * The fusermount binary has been hardened in several ways to reduce potential attack surface. Most importantly, mountpoints and mount options must now match a hard-coded whitelist. It is expected that this whitelist covers all regular use-cases.
- cleanup with spec-cleaner
- update wiki urls to new location

After this update, fusesmb no longer works (fuseiso and unionfs still do). The mount gets created without content and the fusesmb.cache file stays empty. I can see no login attempts on my NAS. Journal and log files show no errors that I can find. Tracing the fusermount command reveals:

mount("fusesmb", "/home/gratz/smb", "fuse.fusesmb", MS_NOSUID|MS_NODEV, "max_read=32768,fd=3,rootmode=400"...) = -1 EPERM (Operation not permitted)

So I guess that this "hardening" mentioned above (but nowhere documented) is responsible. Looking at the code that introduced the whitelisting, it probably chokes on the rootmode option that doesn't seem to be whitelisted.

[Bug#1104572]

Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Wavetables for the Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#BlofeldUserWavetables
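
An added example, not part of the message above and not code from the fuse project: a small Python parser for the strace mount() line quoted in the message. It splits the option string and marks the last option as incomplete when strace has cut the string short, which the trailing "..." indicates here. The name parse_mount_trace and the constant for strace's default 32-byte string limit are introduced for this example.

```python
import re

# Trace line copied from the message above (strace output, data string cut by strace).
TRACE = ('mount("fusesmb", "/home/gratz/smb", "fuse.fusesmb", MS_NOSUID|MS_NODEV, '
         '"max_read=32768,fd=3,rootmode=400"...) = -1 EPERM (Operation not permitted)')

# strace prints at most 32 bytes of a string argument unless -s is given.
STRACE_DEFAULT_STRSIZE = 32

MOUNT_RE = re.compile(
    r'mount\("(?P<source>[^"]*)",\s*"(?P<target>[^"]*)",\s*"(?P<fstype>[^"]*)",\s*'
    r'(?P<flags>[^,]+),\s*"(?P<data>[^"]*)"(?P<cut>\.\.\.)?\)\s*=\s*(?P<ret>-?\d+)'
    r'(?:\s+(?P<errno>[A-Z]+))?'
)

def parse_mount_trace(line):
    """Parse one strace mount() line into a dict; return None if it does not match."""
    m = MOUNT_RE.search(line)
    if m is None:
        return None
    truncated = m.group("cut") is not None
    parts = m.group("data").split(",") if m.group("data") else []
    options = []
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        # Only the final option can be cut short by strace's string limit.
        partial = truncated and i == len(parts) - 1
        options.append({"name": name, "value": value if sep else None, "partial": partial})
    return {
        "source": m.group("source"),
        "target": m.group("target"),
        "fstype": m.group("fstype"),
        "flags": m.group("flags").strip().split("|"),
        "options": options,
        "truncated": truncated,
        "data_len": len(m.group("data")),
        "ret": int(m.group("ret")),
        "errno": m.group("errno"),
    }

if __name__ == "__main__":
    info = parse_mount_trace(TRACE)
    for opt in info["options"]:
        note = "  (cut off by strace, value incomplete)" if opt["partial"] else ""
        print(f'{opt["name"]}={opt["value"]}{note}')
    print("result:", info["ret"], info["errno"])
    if info["truncated"]:
        print("option string truncated; re-run strace with a larger -s to see all options")
```

The visible option string is exactly 32 bytes long, so the options after rootmode and the full rootmode value are not shown in this trace.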