When built with USE=suid and a non-root user tries to mount an NTFS partition, it prints an error:

Mount is denied because setuid and setgid root ntfs-3g is insecure with the
external FUSE library. Either remove the setuid/setgid bit from the binary
or rebuild NTFS-3G with integrated FUSE support and make it setuid root.
Please see more information at
http://tuxera.com/community/ntfs-3g-faq/#unprivileged

To fix this, the ebuild should be modified to use "--with-fuse=internal" when USE-flag suid is set, instead of "--with-fuse=external" used by default now.

Reproducible: Always
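An added example (not part of the bug report or of the ebuild): a shell check for the condition the error message above describes, a setuid or setgid ntfs-3g binary combined with the external FUSE library. It assumes GNU `stat`, treats a `libfuse.so` entry in `ldd` output as the sign of an external build, and does not check file ownership; the function names and sample inputs are constructed for illustration.

```shell
# classify_ntfs3g MODE LDD_TEXT
#   MODE      octal permissions as printed by GNU `stat -c %a` (e.g. 4755)
#   LDD_TEXT  output of `ldd` on the binary (empty if not dynamically linked)
# Prints one of: denied | suid-internal | root-only
classify_ntfs3g() {
    mode=$1
    libs=$2

    # stat omits leading zeros; pad so the special-bits digit comes first.
    while [ "${#mode}" -lt 4 ]; do mode="0$mode"; done
    special=${mode%???}        # 4 = setuid, 2 = setgid, 1 = sticky

    case $special in
        [2-7]) privileged=yes ;;
        *)     privileged=no ;;
    esac

    # Assumption: a build against the external library links libfuse.so,
    # while the internal (bundled) FUSE code adds no such dependency.
    case $libs in
        *libfuse.so*) external=yes ;;
        *)            external=no ;;
    esac

    if [ "$privileged" = no ]; then
        echo root-only         # no setuid/setgid bit: only root can mount
    elif [ "$external" = yes ]; then
        echo denied            # the combination the error message rejects
    else
        echo suid-internal     # setuid/setgid with integrated FUSE
    fi
}

# audit_ntfs3g PATH: classify a binary installed on this system.
audit_ntfs3g() {
    [ -f "$1" ] || { echo missing; return 2; }
    classify_ntfs3g "$(stat -c %a "$1")" "$(ldd "$1" 2>/dev/null)"
}

# Constructed sample ldd output (not captured from a real system).
SAMPLE_EXTERNAL='libfuse.so.2 => /usr/lib64/libfuse.so.2
libc.so.6 => /lib64/libc.so.6'
SAMPLE_INTERNAL='libc.so.6 => /lib64/libc.so.6'

classify_ntfs3g 4755 "$SAMPLE_EXTERNAL"
classify_ntfs3g 4755 "$SAMPLE_INTERNAL"
classify_ntfs3g 755 "$SAMPLE_EXTERNAL"
```

On a real system, call `audit_ntfs3g` with the installed binary's path, for example the output of `command -v ntfs-3g`.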
Maybe we should just use the internal (bundled) fuse library unconditionally.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab0f17bb3637aec78e388c3704bee2a77c8b1eb1

commit ab0f17bb3637aec78e388c3704bee2a77c8b1eb1
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2021-11-05 23:16:22 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2021-11-05 23:16:22 +0000

    sys-fs/ntfs3g: use internal FUSE library

    This is required for suid support.

    Closes: https://bugs.gentoo.org/822024
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-fs/ntfs3g/{ntfs3g-2021.8.22.ebuild => ntfs3g-2021.8.22-r1.ebuild} | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=33ac79f9dd4f0e82321175ab4b24c88fd5770dd5

commit 33ac79f9dd4f0e82321175ab4b24c88fd5770dd5
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2021-11-06 02:10:27 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2021-11-06 02:14:01 +0000

    sys-fs/ntfs3g: drop non-functional suid USE flag

    Bug: https://bugs.gentoo.org/822024
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-fs/ntfs3g/ntfs3g-2021.8.22.ebuild | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7a062fbcbda9206a63ce1533c03cf44298beefdb

commit 7a062fbcbda9206a63ce1533c03cf44298beefdb
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2021-11-06 02:09:18 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2021-11-06 02:13:43 +0000

    Revert "sys-fs/ntfs3g: use internal FUSE library"

    Reverts: ab0f17bb3637aec78e388c3704bee2a77c8b1eb1
    Bug: https://bugs.gentoo.org/822024
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-fs/ntfs3g/{ntfs3g-2021.8.22-r1.ebuild => ntfs3g-2021.8.22.ebuild} | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
If we want to restore the suid flag, we should revbump to ~arch and switch to the "internal" libfuse. Pushing that kind of change straight to stable was not a smart move on my part.
(In reply to Mike Gilbert from comment #4)
> If we want to restore the suid flag, we should revbump to ~arch and switch
> to the "internal" libfuse. Pushing that kind of change straight to stable
> was not a smart move on my part.

I'm sorry, but I didn't get it. Why is suid "non-functional"? It's perfectly functional with "internal" - just tested this myself. Why don't you provide a way for users to build it both suid+internal instead of removing this possibility?
It's non-functional because we currently do not build with "internal" fuse.
(In reply to Mike Gilbert from comment #6)
> It's non-functional because we currently do not build with "internal" fuse.

Okay, may I ask what's wrong with "internal" fuse or how it differs from "external" from an end user's point of view?

Meanwhile, are there any hints or workarounds for how to use mount while suid is broken? The use case is trivial: a user plugs in a USB flash drive with an NTFS partition and udev tries to auto-mount it with the "owner" mount option to provide access to the mounted flash drive for the current user account.
(In reply to Alex Efros from comment #7)
> (In reply to Mike Gilbert from comment #6)
> > It's non-functional because we currently do not build with "internal" fuse.
>
> Okay, may I ask what's wrong with "internal" fuse or how it differs from
> "external" from an end user's point of view?

It is untested -- we have been using "external" FUSE for many years.

> Meanwhile, are there any hints or workarounds for how to use mount while suid
> is broken? The use case is trivial: a user plugs in a USB flash drive with an
> NTFS partition and udev tries to auto-mount it with the "owner" mount option
> to provide access to the mounted flash drive for the current user account.

Run mount as root.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=94eb172027cdcb267c65ec0589c9dbb25c88c2c3

commit 94eb172027cdcb267c65ec0589c9dbb25c88c2c3
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2021-11-06 13:39:22 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2021-11-06 13:40:11 +0000

    sys-fs/ntfs3g: switch to 'internal' FUSE and re-add 'suid'

    Closes: https://bugs.gentoo.org/822024
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-fs/ntfs3g/ntfs3g-2021.8.22-r1.ebuild | 82 ++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)
(In reply to Mike Gilbert from comment #4)
> If we want to restore the suid flag, we should revbump to ~arch and switch
> to the "internal" libfuse. Pushing that kind of change straight to stable
> was not a smart move on my part.

This is now done. We can stabilize the revbump after a week or two has passed.
Upstream issue to keep an eye on: https://github.com/tuxera/ntfs-3g/issues/4
(In reply to Alex Efros from comment #7)
> Meanwhile, are there any hints or workarounds for how to use mount while suid
> is broken? The use case is trivial: a user plugs in a USB flash drive with an
> NTFS partition and udev tries to auto-mount it with the "owner" mount option
> to provide access to the mounted flash drive for the current user account.

One possible workaround would be to upgrade to Linux 5.15 and use the ntfs3 driver, which eliminates FUSE, suids, assorted fuse-libs and all the issues that come with it. As a bonus, it's 10 times faster.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=50541bc7785a3b7205373b977f1f0863d4ee31f6

commit 50541bc7785a3b7205373b977f1f0863d4ee31f6
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2021-11-07 00:11:43 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2021-11-07 00:28:46 +0000

    sys-fs/ntfs3g: actually make USE=suid do something

    Bug: https://bugs.gentoo.org/822024
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 .../{ntfs3g-2021.8.22-r1.ebuild => ntfs3g-2021.8.22-r2.ebuild} | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
*** Bug 834042 has been marked as a duplicate of this bug. ***