mirror of
https://github.com/libfuse/libfuse.git
synced 2026-07-07 14:47:41 +08:00
3fedbac9b6
With drop_privileges, mount.fuse3 execs the file system binary only after dropping all capabilities (CAP_DAC_OVERRIDE included) while keeping uid 0. The kernel then applies plain DAC checks to the exec, so a binary under a directory the capability-less process cannot traverse (e.g. a user-owned mode-0700 home) fails with EACCES and /bin/sh prints a bare 'Permission denied', surfacing in the tests as 'file system process terminated prematurely'. Resolving and opening the binary before the drop was rejected: it would perform a privileged path resolution and open() on invoker-influenced input (confused-deputy / privilege-escalation risk). The drop-first, resolve-after order is preserved. Instead, pre-flight the upcoming PATH lookup after the drop and fail with a diagnostic that names the binary and points at mount.fuse3(8). The check runs with the final credentials, so it is deny-only. The test detects the same situation up front (uid/gid-aware traversal check) and skips with a precise reason; root-owned CI checkouts keep running. Signed-off-by: Bernd Schubert <bernd@bsbernd.com>