Merge pull request #4354 from ThomasWaldmann/fuse-default-options-master

security fix: configure FUSE with "default_permissions", fixes #3903
2019-02-11 17:46:30 +01:00 · 2019-02-11 17:46:30 +01:00 · 6de90d9460
parent fa9d3263de 672c2c99a7
commit 6de90d9460
2 changed files with 18 additions and 3 deletions
--- a/src/borg/archiver.py
+++ b/src/borg/archiver.py
@ -2570,14 +2570,18 @@ class Archiver:
        To allow a regular user to use fstab entries, add the ``user`` option:
        ``/path/to/repo /mnt/point fuse.borgfs defaults,noauto,user 0 0``

-        For mount options, see the fuse(8) manual page. Additional mount options
-        supported by borg:
+        For FUSE configuration and mount options, see the mount.fuse(8) manual page.
+
+        Additional mount options supported by borg:

        - versions: when used with a repository mount, this gives a merged, versioned
          view of the files in the archives. EXPERIMENTAL, layout may change in future.
        - allow_damaged_files: by default damaged files (where missing chunks were
          replaced with runs of zeros by borg check ``--repair``) are not readable and
          return EIO (I/O error). Set this option to read such files.
+        - ignore_permissions: for security reasons the "default_permissions" mount
+          option is internally enforced by borg. "ignore_permissions" can be given to
+          not enforce "default_permissions".

        The BORG_MOUNT_DATA_CACHE_ENTRIES environment variable is meant for advanced users
        to tweak the performance. It sets the number of cached data chunks; additional
--- a/src/borg/fuse.py
+++ b/src/borg/fuse.py
@ -477,9 +477,20 @@ class FuseOperations(llfuse.Operations, FuseBackend):
            else:
                return not_present

-        options = ['fsname=borgfs', 'ro']
+        # default_permissions enables permission checking by the kernel. Without
+        # this, any umask (or uid/gid) would not have an effect and this could
+        # cause security issues if used with allow_other mount option.
+        # When not using allow_other or allow_root, access is limited to the
+        # mounting user anyway.
+        options = ['fsname=borgfs', 'ro', 'default_permissions']
        if mount_options:
            options.extend(mount_options.split(','))
+        ignore_permissions = pop_option(options, 'ignore_permissions', True, False, bool)
+        if ignore_permissions:
+            # in case users have a use-case that requires NOT giving "default_permissions",
+            # this is enabled by the custom "ignore_permissions" mount option which just
+            # removes "default_permissions" again:
+            pop_option(options, 'default_permissions', True, False, bool)
        self.allow_damaged_files = pop_option(options, 'allow_damaged_files', True, False, bool)
        self.versions = pop_option(options, 'versions', True, False, bool)
        self.uid_forced = pop_option(options, 'uid', None, None, int)