From: Szabolcs Szakacsits <szaka-IyvsvuGDJ8VAfugRpC6u6w <at> public.gmane.org>
Subject: Stable NTFS-3G 1.2216 released
Newsgroups: gmane.comp.file-systems.ntfs-3g.devel
Date: Sunday 17th February 2008 23:51:54 UTC (over 9 years ago)
Welcome,

This release has brought important function enhancements, security and 
other fixes.

   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

Up until now it was possible that file or directory removal, rename and 
move could be denied in very rare scenarios. This is the past, as all 
index operations are supported from now on. This is a historic step since 
it enables us to do much more sophisticated things reliably: not only 
unlimited directory operations but also security id, security hash, 
quota and object id indexing, and we could even use essentially the same 
indexing code for all sorts of in-memory caching to speed things up when 
and where it's needed. One of our successful tests was the creation and 
removal of 17 million files in a single directory.

   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

Support has also been added for a new 'remove_hiberfile' mount option, 
which was often requested for read/write mounting of hibernated volumes 
for recovery and troubleshooting purposes. Previously this was 
unconditionally denied.

   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

We had an issue in our new build system where the mount.ntfs-3g symlink 
wasn't created in /sbin, where mount(8) always needs it. This made 
mount(8) fail. Thankfully the problem affected only a few installations 
where ntfs-3g is not installed on the root file system. Having it there 
is needed, as for in-kernel file systems, to avoid automount and shutdown 
failures which could even lead to data loss.

   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

Many reasons were listed last time why we needed integrated FUSE support. 
In fact, there are even more. Another important one is security.

While FUSE makes file system development significantly easier, its 
internals, integrations with the rest of the system, and security audit 
is far from trivial.

Here is one of the simpler mount cases from the many combinations which 
describes the components involved.

 mount(8) -> mount.ntfs-3g -> ntfs-3g -> fuse library -> fusermount ->
 -> mount(8) -> mount(2) -> mount(8) -> fusermount -> fuse library ->
 -> ntfs-3g -> mount(8)

Some factors on which safe, successful mount and unmount depends:

  - mount invocation: mount(8), uhelper, ntfs-3g, mount.fuse, fusermount, etc
  - mount initiator:  root, user, normal fstab, fstab with user[s] options
  - volume type: block device, image file
  - fuse kernel module type support: fuse, fuse+fuseblk
  - fuse kernel module origin: kernel, FUSE package
  - fuse fs type: fuse, fuseblk
  - fuse fs permission: normal, setuid
  - kernel supports unprivileged mount or not
  - unmount type: umount(8), fusermount, signal from console user or otherwise
  - FUSE API version
  - FUSE library version
  - FUSE kernel API version
  - kernel version
  - libc: glibc, uClibc, klibc, etc
  - there are really more ... 

It's also a great source of confusion, and contributes significantly to 
the complexity, that FUSE innovated in two major areas:

 1. file systems can be implemented in user space

 2. file systems can be run unprivileged

It's the first one which made the breakthrough in open source NTFS 
development. 

The second one is a bonus that no in-kernel file system can provide. 

Unfortunately, at the same time, the latter is causing all kinds of 
problems because unprivileged mount related issues can be fairly subtle, 
especially since they would require a consistent design and smooth 
interactions from several projects, which has never existed (but 
thankfully it's being worked on by Miklos Szeredi).

The first negative result was a security advisory last September

https://www.redhat.com/archives/fedora-package-announce/2007-September/msg00368.html
http://secunia.com/advisories/26938

We believe that the advisory

  - incorrectly claims that users could directly gain write access to 
    any device.

  - confirms that setuid-root ntfs-3g worked as it was designed because 
    its meaning was indeed that any user who has the right to execute 
    ntfs-3g can mount any NTFS volume (otherwise the 'user' and 'users'
    fstab options wouldn't work, for instance). 

Later we agreed, but meanwhile Ludwig Nussel from SUSE had found a real 
local root exploit if ntfs-3g is setuid-root. The exploit is trivial and 
fundamentally it's the result of the complicated mount process.

We were asked not to disclose this problem immediately in October, 2007. 
We agreed in the hope of a fast resolution and made some suggestions on 
how it could be solved. The issue turned out to be a devil's circle where 
everybody could point to somebody else.

Thankfully, by using the integrated fuse-lite library we could break the 
circle and the embarrassing silence, and from now on we can take full 
responsibility (and blame) for security problems.

So this release has fixed the local root exploit when ntfs-3g is 
setuid-root and all other security problems we have found in fuse-lite 
and ntfs-3g.

The conditions for unprivileged mount became much stricter to avoid more 
confusion in the future:

 - ntfs-3g denies execution when it's setuid/setgid using external FUSE

 - block devices can be mounted by unprivileged users only when 

	- ntfs-3g is setuid-root (and the user has execution right)
	- using the integrated and secured fuse-lite library (default)
	- the user has access right to the volume 
	- the user has access right to the mount point 

These are the minimum requirements. There are more.

The above also means that the fstab 'user' and 'users' options won't work
in many cases again. It's discussed here:

	http://ntfs-3g.org/support.html#useroption2
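The rules listed above as an added illustration in C (this is not ntfs-3g's own code; mount_policy and check_mount are names chosen here, setgid is folded into the uid check, and applying the volume and mount point rights checks to image files as well is an assumption, since the announcement lists them for block devices):

```c
/* Model of the unprivileged mount rules from the announcement. Added
 * illustration, not ntfs-3g's own code; function names are invented. */
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

enum verdict {
    ALLOW = 0,
    DENY_SETUID_EXTERNAL_FUSE, /* setuid binary linked against external FUSE */
    DENY_NOT_SETUID_ROOT,      /* block device, but ntfs-3g is not setuid-root */
    DENY_VOLUME_ACCESS,        /* invoking user cannot read/write the volume */
    DENY_MOUNTPOINT_ACCESS     /* invoking user cannot use the mount point */
};

/* Pure decision over already-established facts, so it runs without devices.
 * uid/euid: real and effective uid of the ntfs-3g process (setgid would be
 * handled the same way; omitted here). external_fuse: 1 = external libfuse,
 * 0 = integrated fuse-lite. vol_rw / mnt_rwx: the invoking user's rights. */
enum verdict mount_policy(uid_t uid, uid_t euid, int external_fuse,
                          int is_blockdev, int vol_rw, int mnt_rwx)
{
    /* Rule 1: a setuid ntfs-3g refuses to run at all with external FUSE, so
     * an unprivileged block device mount can only go through fuse-lite. */
    if (uid != euid && external_fuse)
        return DENY_SETUID_EXTERNAL_FUSE;
    if (uid == 0)                 /* root keeps the classic behaviour */
        return ALLOW;
    /* Rule 2: an unprivileged block device mount needs setuid-root ... */
    if (is_blockdev && euid != 0)
        return DENY_NOT_SETUID_ROOT;
    /* ... plus rights on the volume and on the mount point (assumption:
     * required for image files too, not only for block devices). */
    if (!vol_rw)
        return DENY_VOLUME_ACCESS;
    if (!mnt_rwx)
        return DENY_MOUNTPOINT_ACCESS;
    return ALLOW;
}

/* Live check. access(2) evaluates the REAL uid, which is exactly what a
 * setuid-root helper must ask: "may the user who invoked me touch this?" */
enum verdict check_mount(const char *volume, const char *mntpoint,
                         int external_fuse)
{
    struct stat st;
    int is_blockdev = stat(volume, &st) == 0 && S_ISBLK(st.st_mode);
    int vol_rw  = access(volume, R_OK | W_OK) == 0;
    int mnt_rwx = access(mntpoint, R_OK | W_OK | X_OK) == 0;
    return mount_policy(getuid(), geteuid(), external_fuse,
                        is_blockdev, vol_rw, mnt_rwx);
}
```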

   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

Jean-Pierre Andre has announced the release of ntfs-3g with ownership and 
access rights support. Main features:

  - full support of POSIX access control
  - interoperability with Windows access control
  - compatibility with standard ntfs-3g operation
  - and even a significant performance improvement over standard ntfs-3g  

Detailed information is available on

	http://pagesperso-orange.fr/b.andre/security.html

   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

Thanks to our Gentoo users and Miklos Szeredi, it was recently found that 
the FUSE kernel module from the FUSE software packages (Gentoo default) 
used with the 2.6.24 Linux kernels can lock up the system.

Solution: use the FUSE kernel module included in the 2.6.24 Linux kernel
(drawback: NTFS can't be NFS exported).

   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The stable NTFS-3G driver release can be downloaded from

	http://ntfs-3g.org/

The changelog is at

	http://ntfs-3g.org/releases.html

People who made the world a better place: Jean-Pierre Andre, Erik Larsson, 
Alon Bar-Lev, Miklos Szeredi, Dominique L Bouix, Amit Singh, Csaba Henk, 
Alejandro Pulver, Ludwig Nussel, Bernhard Kaindl, Lubomir Kundrak, Brian 
Marcel, Peritus, Regis Duchesne, Agostino Russo, jd1008, Klaus Knopper, 
Andreas Hermann Braml, Martin Reed, Ne01eX, Antony Georg Arendt, Joseph 
Davida, ...

Enjoy,
		Szaka
