27 Commits

Author SHA1 Message Date
Bernd Schubert 3fedbac9b6 mount.fuse: clear error and test skip when binary unreachable after privilege drop
With drop_privileges, mount.fuse3 execs the file system binary only
after dropping all capabilities (CAP_DAC_OVERRIDE included) while
keeping uid 0. The kernel then applies plain DAC checks to the exec, so
a binary under a directory the capability-less process cannot traverse
(e.g. a user-owned mode-0700 home) fails with EACCES and /bin/sh prints
a bare 'Permission denied', surfacing in the tests as 'file system
process terminated prematurely'.

Resolving and opening the binary before the drop was rejected: it would
perform a privileged path resolution and open() on invoker-influenced
input (confused-deputy / privilege-escalation risk). The drop-first,
resolve-after order is preserved.

Instead, pre-flight the upcoming PATH lookup after the drop and fail
with a diagnostic that names the binary and points at mount.fuse3(8).
The check runs with the final credentials, so it is deny-only. The test
detects the same situation up front (uid/gid-aware traversal check) and
skips with a precise reason; root-owned CI checkouts keep running.

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
2026-06-12 12:08:57 +02:00
Bernd Schubert 65afaab71a Fix unbounded strcpy/strcat in mount.fuse.c
Replace strcpy() with strncpy() and strcat() with strncat().
Ensure null-termination after bounded operations.

Fixes: GitHub CodeQL Alert #104, #105
CWE-120, CWE-787, CWE-805

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
2026-06-09 16:47:20 +02:00
Darrick J. Wong ba6e172cac mount.fuse: constify arguments to try_service_main
This function no longer alters its arguments.

Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
2026-05-21 12:11:06 -07:00
Darrick J. Wong cb07e6af9d fuse: use fuse_args in try_service_main instead of opencoding it
Don't open-code the argument array, just use the existing helpers.

Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
2026-05-20 19:57:57 -07:00
Bernd Schubert b9c10de892 Fix deref-before-check in mount.fuse.c
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
2026-05-08 19:15:22 +02:00
Darrick J. Wong 23e8253c4d util/mount.fuse.c: loop in waitpid
waitpid can return EINTR if interrupted by a signal; don't abort when
this happens.

Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
2026-05-08 19:15:10 +02:00
Darrick J. Wong f127c2de34 mount.fuse3: integrate systemd service startup
Teach mount.fuse3 how to start fuse via systemd service, if present.

Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
2026-05-04 17:24:12 +02:00
Bernd Schubert f8abf5d1ba Fix a sign bug in prepare_fuse_fd()
fcntl() returns -1 on error.

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
2026-04-29 17:50:45 +02:00
Bernd Schubert 2cf9a33589 util/mount.fuse: fix const cppcheck warnings
- Add const to 'opt' variable pointer
- Fix printf format specifier for fuse_fd (int)

Fixes cppcheck warnings:
- cppcheck-constVariablePointer
- cppcheck-invalidPrintfArgType_uint

Signed-off-by: Bernd Schubert <bernd@bsbernd.com>
2026-04-07 10:08:49 +02:00
izxl007 fc1c8da0cf license: s/COPYING/GPL2.txt, s/COPYING.LIB/LGPL2.txt
Signed-off-by: izxl007 <zeng.zheng@zte.com.cn>
2025-06-27 09:47:00 +02:00
wdlkmpx 0433b40d17 util/mount.fuse.c: compile with linux headers < 3.5 (#798)
PR_SET_NO_NEW_PRIVS was added in linux 3.5 according to prtcl(2) man page

https://elixir.bootlin.com/linux/v4.3/source/include/uapi/linux/prctl.h#L174
2023-06-08 11:23:55 +01:00
Bernd Schubert db35a37def Install a the configure_file (config.h) and use in headers
This addresses: https://github.com/libfuse/libfuse/issues/724

HAVE_LIBC_VERSIONED_SYMBOLS configures the library if to use
versioned symbols and is set at meson configuration time.
External filesystems (the main target, actually)
include fuse headers and the preprocessor
then acts on HAVE_LIBC_VERSIONED_SYMBOLS. Problem was now that
'config.h' was not distributed with libfuse and so
HAVE_LIBC_VERSIONED_SYMBOLS was never defined with external
tools and the preprocessor did the wrong decision.

This commit also increases the the minimal meson version,
as this depends on meson feature only available in 0.50

<quote 'meson' >
WARNING: Project specifies a minimum meson_
version '>= 0.42' but uses features which were added
 in newer versions:
 * 0.50.0: {'install arg in configure_file'}
</quote>

Additionally the config file has been renamed to "fuse_config.h"
to avoid clashes - 'config.h' is not very specific.
2023-01-28 09:35:34 +00:00
lixiaokeng aaf767a6cc Fix: fd and memory leak in mount.fuse.c (#614)
The command isn't freed and the fuse_fd isn't
closed if execl failed. Fix it.

Signed-off-by: Lixiaokeng <lixiaokeng@huawei.com>
2021-09-06 13:37:45 +01:00
Zhiqiang Liu 5670dde86c mount.fuse.c: fix potential memory leak in main func
In mount.fuse.c, there are several memory leak problems in
main func. For example, setuid_name is allocated by calling
xstrdup func, however it is not freed before calling execl func.

Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
Signed-off-by: Haotian Li <lihaotian9@huawei.com>
2020-11-06 19:26:03 +00:00
Zhiqiang Liu 8b318a7ed6 mount.fuse.c: fix potential accessing NULL pointer
In mount.fuse.c, pwd is set by calling getpwnam func.
If the matching entry is not found or an error occurs in
getpwnam func, pwd will be NULL. So we need to check
whether pwd is NULL before accessing it.

Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
Signed-off-by: Haotian Li <lihaotian9@huawei.com>
2020-11-06 19:26:03 +00:00
Dr. David Alan Gilbert 252e978c54 State GPL version in comment (#485)
IN a bunch of comments we say 'under the terms of the GNU GPL', make
it clear this is GPLv2 (as LICENSE says).

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
2020-03-13 16:46:44 +00:00
DrDaveD 625ed81b82 add defines for missing SECBITs on older kernels (#409) 2019-05-05 14:15:13 -04:00
Nikolaus Rath 1c70c870fe Correctly include config.h ("" vs <>)
This isn't a system header.

Fixes: #349
2019-03-09 10:31:18 +00:00
Mattias Nissler da7c9b228a Add unprivileged option in mount.fuse3
The unprivileged option allows to run the FUSE file system process
without privileges by dropping capabilities and preventing them from
being re-acquired via setuid / fscaps etc. To accomplish this,
mount.fuse sets up the `/dev/fuse` file descriptor and mount itself
and passes the file descriptor via the `/dev/fd/%u` mountpoint syntax
to the FUSE file system.
2018-10-09 20:36:22 +01:00
Nikolaus Rath 44deb68ce1 add_arg(): check for overflow
Fixes: #222.
2018-05-11 15:01:04 +01:00
Josh Soref a83cd72f64 Handle mount ... -o nofail (#221)
Accept (and ignore) nofail mount option
2017-12-01 19:18:49 +00:00
Miklos Szeredi e6e7a249c5 libfuse: remove "-D_FILE_OFFSET_BITS=64" from fuse.pc
add AC_SYS_LARGEFILE to your configure.ac instead.
2013-07-24 17:09:26 +02:00
Laszlo Papp a7a026043b Do not pass NULL to xstrdup 2011-03-30 19:34:58 +02:00
Miklos Szeredi cb71b4372c Fix handling of (no)suid and (no)dev options... 2008-07-10 19:30:43 +00:00
Miklos Szeredi cdb8b79bad change indenting 2007-12-12 14:25:40 +00:00
Miklos Szeredi fdd1b9b4ec Add fs subtype support to mount.fuse 2007-06-21 13:48:07 +00:00
Miklos Szeredi 0ac820ee6a Replace utils/mount.fuse "sh" script with a "C" program 2007-04-18 16:04:27 +00:00