Mailinglist Archive: opensuse-factory (383 mails)

[opensuse-factory] fusesmb stopped working (was: New Tumbleweed snapshot 20180808 released!)
  • From: Achim Gratz <Stromeko@xxxxxxxx>
  • Date: Sat, 11 Aug 2018 09:49:29 +0200
  • Message-id: <87ftzlcph2.fsf@Rainer.invalid>
Dominique Leuenberger writes:
==== fuse ====
Version update (2.9.7 -> 2.9.8)
Subpackages: libfuse2

- fuse 2.9.8
* SECURITY UPDATE: In previous versions of libfuse it was possible
for unprivileged users to specify the allow_other option even
when this was forbidden in /etc/fuse.conf. The vulnerability is
present only on systems where SELinux is active (including in
permissive mode).
* libfuse no longer segfaults when fuse_interrupted() is called
outside the event loop.
* The fusermount binary has been hardened in several ways to
reduce potential attack surface. Most importantly, mountpoints
and mount options must now match a hard-coded whitelist. It is
expected that this whitelist covers all regular use-cases.
- cleanup with spec-cleaner
- update wiki urls to new location

After this update, fusesmb no longer works (fuseiso and unionfs still
do). The mount gets created without content and the fusesmb.cache
file stays empty. I can see no login attempts on my NAS. Journal and
log files show no errors that I can find. Tracing the fusermount
command reveals:

mount("fusesmb", "/home/gratz/smb", "fuse.fusesmb", MS_NOSUID|MS_NODEV,
"max_read=32768,fd=3,rootmode=400"...) = -1 EPERM (Operation not permitted)

So I guess that this "hardening" mentioned above (but nowhere
documented) is responsible. Looking at the code that introduced the
whitelisting, it probably chokes on the rootmode option that doesn't
seem to be whitelisted.

[Bug#1104572]


Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Wavetables for the Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#BlofeldUserWavetables
