Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
FUSE
(Filesystem in Userspace)
      on OpenSolaris
        (2009/119)
PSARC Inception Review
March 25, 2009
William Krier...
FUSE on OpenSolaris
    (2009/119)


●   What is FUSE
●   How FUSE Works
●   High Level Design Diagram
●   FUSE File Syste...
What Is FUSE
• FUSE is a framework which makes it possible to
  implement a filesystem in a userspace
  program.
• Feature...
How FUSE Works
• FUSE framework consists of 2 components
  > FUSE user space library (libfuse.so)
     – provides framewor...
High Level Design Diagram
                                FUSE Filesystem

            ls -l /mnt/fuse            libfuse
...
How FUSE Works (cont.)
• FUSE kernel module registers with VFS.
• FUSE user space file system will link with FUSE
  librar...
FUSE File System API
• FUSE file systems use the FUSE API
  specification to implement necessary file
  system operations
...
FUSE Protocol Specification
• Kernel module communicates with FUSE library
  via the fuse character device
  > During moun...
FUSE Security Concerns
• Authorization for non-privileged users to
  perform file system mounts
• Privilege level escalati...
FUSE Mounts
• FUSE supports non-privileged mounts
• Accomplished by adding profile to
  /etc/security/prof_attr
  >   FUSE...
Privilege Escalation
DoS Possibilities with Non-privileged Mounts
• FUSE file systems are only accessible to the
  user wh...
Block Device Access
• For FUSE file systems that are backed by block
  device (ie ntfs-3g)
• Non-root users must have read...
File System Access Control
• By default, FUSE leaves all access control to the
  file system.
• Mount option to enable FUS...
FUSE on OpenSolaris
(2009/119)

William Krier
William.Krier@sun.com



                        14
Upcoming SlideShare
Loading in …5
×

FUSE (Filesystem in Userspace) on OpenSolaris

3,824 views

Published on

Published in: Technology, News & Politics
  • Be the first to comment

FUSE (Filesystem in Userspace) on OpenSolaris

  1. 1. FUSE (Filesystem in Userspace) on OpenSolaris (2009/119) PSARC Inception Review March 25, 2009 William Krier 1
  2. 2. FUSE on OpenSolaris (2009/119) ● What is FUSE ● How FUSE Works ● High Level Design Diagram ● FUSE File System API ● FUSE Protocol Specification ● Security Concerns ● FUSE Mounts ● Privilege Escalation ● Block Device Access ● File System Access Control 2
  3. 3. What Is FUSE • FUSE is a framework which makes it possible to implement a filesystem in a userspace program. • Features include: > simple yet comprehensive API > secure mounting by non-root users > multi-threaded operation • Originally developed for Linux and currently runs on 2.4 and 2.6 Linux kernels • Maintained at fuse.sourceforge.net • Ported to FreeBSD (fuse4bsd) and Mac OS X • FUSE library remains the same across platforms 3
  4. 4. How FUSE Works • FUSE framework consists of 2 components > FUSE user space library (libfuse.so) – provides framework and exports FUSE API > FUSE kernel module – virtual file system (fusefs) – character device (/dev/fuse) • FUSE kernel module redirects vfs calls to the FUSE library via the FUSE character device • Example FUSE file systems > ntfs-3g > sshfs > davfs 4
  5. 5. High Level Design Diagram FUSE Filesystem ls -l /mnt/fuse libfuse libc libc userspace kernel fusefs fusedev fuse module VFS zfs nfsv2 5
  6. 6. How FUSE Works (cont.) • FUSE kernel module registers with VFS. • FUSE user space file system will link with FUSE library and provides: > Register file operation methods w/ library – struct fuse_operations – getattr, mknod, create, read, write, readdir, readlink, getdir, mknod, chmod, etc. > Mount point and options • FUSE library calls the mount() system call > filesystem type is “fuse” > filehandle of /dev/fuse passed as option • Filesystem calls are passed to FUSE library which invokes associated fuse operation in FUSE filesystem. 6
  7. 7. FUSE File System API • FUSE file systems use the FUSE API specification to implement necessary file system operations > Current version of FUSE API is 2.7 > Interface is classified as Volatile > The API is documented in FUSE_API_Specification.pdf 7
  8. 8. FUSE Protocol Specification • Kernel module communicates with FUSE library via the fuse character device > During mount, the library opens /dev/fuse and passes file descriptor to kernel. > The minor device number is associated with mount point via vfsp->vfs_dev • Messages are passed via the FUSE device's read/write methods. • FUSE messages are defined by the FUSE Protocol specification (version 7.8) > Protocol is classified as Project Private > Protocol is documented in FUSE_Protocol_Specification.pdf 8
  9. 9. FUSE Security Concerns • Authorization for non-privileged users to perform file system mounts • Privilege level escalation for non-privileged mounts • Access to block devices for non-privileged mounts • File system-specific access control 9
  10. 10. FUSE Mounts • FUSE supports non-privileged mounts • Accomplished by adding profile to /etc/security/prof_attr > FUSE File System Management:::Mount and unmount FUSE filesystems:FUSE.html • Consist of a single execution authorization in /etc/security/exec_attr > granting sys_mount privilege to FUSE mount/unmount programs > FUSE File System Management:solaris:cmd:::/usr/bin/fusermount.bin:privs=sys_mount • Profile must be manually added to users by administrator after installation. 10
  11. 11. Privilege Escalation DoS Possibilities with Non-privileged Mounts • FUSE file systems are only accessible to the user who mounted file system. > Prevents FUSE file system daemon from having ptrace-like capabilities and > Prevents denial of service for the requesting process (stalling system calls) • Mount option to allow access to other non-root users • Mount option to allow access to root 11
  12. 12. Block Device Access • For FUSE file systems that are backed by block device (ie ntfs-3g) • Non-root users must have read/write access to block device for non-privilege mount • Create “fuse” group and add write-allow ACE for specific block device. • Must be done manually by administrator. 12
  13. 13. File System Access Control • By default, FUSE leaves all access control to the file system. • Mount option to enable FUSE to enforce access control. > only allows UNIX-style permission checking, bypassing more sophisticated access controls that may be present in the file system. > does not have direct access to file permissions. (only see what file system presents) • Disposition of file ownership varies by file system. > ntfs-3g presents owner as user who mounted fs. > sshfs presents owner as reported by remote host. 13
  14. 14. FUSE on OpenSolaris (2009/119) William Krier William.Krier@sun.com 14

×