A source like [-oProxyCommand=CMD]:/path passes the bracket-parsing
check in find_base_path() and ends up as -oProxyCommand=CMD in the
ssh argv. When sftp_server is a path, ssh gets a destination argument
and executes the injected ProxyCommand before connecting.
Reject hostnames starting with - after bracket stripping, and add --
before the hostname in the ssh command line so positional args can't
be misread as options.
A malicious SFTP server can return symlink targets that the local
kernel VFS resolves outside the mount root, enabling local file reads
or writes through ordinary operations like cp following a symlink.
Add a contain_symlinks option (default on) that rejects absolute
symlink targets and any target containing a `..` component, returning
EPERM. Users who need legacy pass-through for trusted servers can opt
out with -o no_contain_symlinks.
The check is purely lexical and deliberately strict: in an adversarial
filesystem the server controls intermediate path components, so any
non-`..` component could be a symlink anywhere, making lexical depth
tracking unreliable. Rejecting absolute and any `..` is the simplest
rule that is provably complete against the threat model.
transform_symlinks composes poorly with containment because transformed
results often contain `..`; a warning is emitted when both are enabled.
Tests cover default-on containment (readlink + open/stat traversal),
opt-out behavior, transform_symlinks interaction (both arms), and
option precedence.
sshfs_release looked up the conntab entry by path, but sshfs_rename
moves that entry to the new path. Closing the original handle after a
rename can miss the entry and dereference NULL.
Store the conntab_entry pointer on sshfs_file and use it for release
and open-failure cleanup. Add a regression test for open -> rename -> close.
The -o max_conns=N option causes multiple SSH processes and response processing threads to
be created. This means that e.g. reading a large file no longer blocks all access to the
filesystem.
The connection is chosen by checking the per-connection statistics:
1. Choose connection with least outstanding requests; if it's a tie,
2. choose connection with least directory handles; if it's a tie,
3. choose connection with least file handles; if it's a tie,
4. choose connection which has already been established.
The implementation assumes that the max_conns values will be small; it
uses linear search.
Example benchmark:
With single connection:
$ sshfs -o max_conns=1,workaround=nobuflimit ebox: mnt
$ cat mnt/tmp/bigfile > /dev/null &
$ time find mnt > /dev/null
real 1m50.432s
user 0m0.133s
sys 0m0.467s
With multiple connections:
$ ~/in-progress/sshfs/build/sshfs -o max_conns=5,workaround=nobuflimit ebox: mnt
$ cat mnt/tmp/bigfile > /dev/null &
$ time find mnt > /dev/null
real 1m15.338s
user 0m0.142s
sys 0m0.491s
This feature was implemented to large extend by Timo Savola <timo.savola@iki.fi>. Thanks
to CEA.fr for sponsoring the remaining work to complete this feature and integrate it into
SSHFS!
As of kernel 4.14, the FUSE module's + writeback implementation is not
compatible with network filesystems, and there are no imminent plans
to change that.
For more details, see
https://marc.info/?l=fuse-devel&m=150592103107662&w=2 or
As a consequence, the -o unreliable_append option has become obsolete
as well.
Fixes: #93Fixes: #88Fixes: #81
This commit enables the use of readdir() instead of getdir(). It also
completely disables the cache and the nullpath_ok feature. This will
be fixed in the next commits.