security fix: configure FUSE with "default_permissions", fixes borgba…

…ckup#3903 "default_permissions" is now enforced by borg by default to let the kernel check uid/gid/mode based permissions. "ignore_permissions" can be given to not enforce "default_permissions". note: man mount.fuse explicitly tells about the security issue: default_permissions By default FUSE doesn't check file access permissions, ... This option enables permission checking, restricting access based on file mode. This option is usually useful together with the allow_other mount option. We consider this a pitfall waiting for someone to fall into and this is why we chose to change the default behaviour for borg.
ThomasWaldmann · Feb 10, 2019 · 0312c14 · 0312c14
1 parent 075600d
commit 0312c14
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/src/borg/fuse.py b/src/borg/fuse.py
@@ -308,9 +308,20 @@ def pop_option(options, key, present, not_present, wanted_type, int_base=0):
             else:
                 return not_present
 
-        options = ['fsname=borgfs', 'ro']
+        # default_permissions enables permission checking by the kernel. Without
+        # this, any umask (or uid/gid) would not have an effect and this could
+        # cause security issues if used with allow_other mount option.
+        # When not using allow_other or allow_root, access is limited to the
+        # mounting user anyway.
+        options = ['fsname=borgfs', 'ro', 'default_permissions']
         if mount_options:
             options.extend(mount_options.split(','))
+        ignore_permissions = pop_option(options, 'ignore_permissions', True, False, bool)
+        if ignore_permissions:
+            # in case users have a use-case that requires NOT giving "default_permissions",
+            # this is enabled by the custom "ignore_permissions" mount option which just
+            # removes "default_permissions" again:
+            pop_option(options, 'default_permissions', True, False, bool)
         self.allow_damaged_files = pop_option(options, 'allow_damaged_files', True, False, bool)
         self.versions = pop_option(options, 'versions', True, False, bool)
         self.uid_forced = pop_option(options, 'uid', None, None, int)