Comment 15 for bug 357024

Jamie Strandboge (jdstrand) wrote :

I played with this and using fuse to have apport remove arbitrary files in this manner does not seem possible on Ubuntu. Specifically:

By default, other users, including root, cannot access a fuse mounted filesystem mounted by a user. One can give access to others by specifying '-o allow_other' (or allow_root) as a fuse option, but only if /etc/fuse.conf has 'user_allow_other'. On Ubuntu, this option is commented out. Furthermore, the regular DAC permissions appear to be in effect as the mounting user, so removing /var/crash/etc is not possible when a non-root user mounts /var/crash/etc to /etc.

$ sudo apt-get install libfuse-dev
$ apt-get source fuse
$ cp ./fuse-*/example/fusexmp.c /tmp
$ cd /tmp
$ gcc -Wall `pkg-config fuse --cflags --libs` fusexmp.c -o fusexmp
$ mkdir /var/crash/foo
$ ./fusexmp -o allow_root -o nonempty /var/crash/foo
$ ls -l /var/crash/foo/etc/shadow
-rw-r----- 1 root shadow 1310 2009-04-06 07:46 /var/crash/foo/etc/shadow
$ cat /var/crash/foo/etc/shadow
cat: /var/crash/foo/etc/shadow: Permission denied
$ sudo cat /var/crash/foo/etc/shadow
cat: /var/crash/foo/etc/shadow: Permission denied
$ sudo su -
# cat /var/crash/foo/etc/shadow
cat: /var/crash/foo/etc/shadow: Permission denied

Fuse behavior will need to be reviewed on earlier releases of course, but please let me know if this analysis is incorrect (I'm new to fuse).
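
The two conditions the comment relies on (user_allow_other left commented out in /etc/fuse.conf, and the access options on user-owned FUSE mounts under /var/crash) can be checked with a small script. This is an added example, not part of the original comment or of apport or fuse; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit helper, not code from the bug report.

# Succeeds when FILE has an active (uncommented) user_allow_other line,
# i.e. unprivileged users may pass -o allow_other / -o allow_root.
fuse_conf_allows_other() {
    grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*$' "$1"
}

# Lists FUSE mounts at or below DIR owned by a non-root user, reading a
# file in /proc/mounts format. Output: "<mountpoint> <uid> <allow_other yes|no>".
# libfuse 2.x hands allow_root to the kernel as allow_other, so both show up.
user_fuse_mounts_under() {
    awk -v dir="$2" '
        $3 ~ /^fuse(blk)?(\.|$)/ && ($2 == dir || index($2, dir "/") == 1) {
            uid = "?"; shared = "no"
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] ~ /^user_id=/) uid = substr(opt[i], 9)
                if (opt[i] == "allow_other") shared = "yes"
            }
            if (uid != "0") print $2, uid, shared
        }' "$1"
}

# Constructed sample data modelled on the session above (not real output).
demo() {
    demo_dir=$(mktemp -d)
    printf '%s\n' '# mount_max = 1000' '#user_allow_other' > "$demo_dir/fuse.conf"
    printf '%s\n' \
        '/dev/sda1 / ext3 rw,relatime 0 0' \
        'fusexmp /var/crash/foo fuse.fusexmp rw,nosuid,nodev,user_id=1000,group_id=1000 0 0' \
        > "$demo_dir/mounts"
    if fuse_conf_allows_other "$demo_dir/fuse.conf"; then
        echo "user_allow_other: enabled"
    else
        echo "user_allow_other: disabled"
    fi
    user_fuse_mounts_under "$demo_dir/mounts" /var/crash
    rm -rf "$demo_dir"
}
demo
```

On a live system the same functions take /etc/fuse.conf and /proc/mounts as their file arguments.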