Welcome,
This release has brought important function enhancements, security and other fixes.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Until now, file or directory removal, rename and move could be denied in very rare scenarios. This is in the past, as all index operations are supported from now on. This is a historical step since it enables us to do much more sophisticated things reliably. Not only unlimited directory operations but also security id, security hashes, quota, object id indexing and we could even use essentially the same indexing code for all sorts of in-memory caching to speed up things when and where it's needed.

One of our successful tests was the creation and removal of 17 million files in a single directory.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Support has also been added for a new 'remove_hiberfile' mount option, which was often requested in order to mount hibernated volumes read/write for recovery and troubleshooting purposes. Previously this was unconditionally denied.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

We had an issue in our new build system where the mount.ntfs-3g symlink wasn't created in /sbin where mount(8) always needs it. This made mount(8) fail. Thankfully the problem affected only a few installations where ntfs-3g is not installed on the root file system. This is needed, as for in-kernel file systems, to avoid automount and shutdown failures which could even lead to data loss.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Many reasons were listed last time why we needed integrated FUSE support. In fact, there are even more. Another important one is security. While FUSE makes file system development significantly easier, its internals, its integration with the rest of the system, and its security audit are far from trivial.
Here is one of the simpler mount cases, out of the many combinations, showing the components involved:

  mount(8) -> mount.ntfs-3g -> ntfs-3g -> fuse library -> fusermount ->
  -> mount(8) -> mount(2) -> mount(8) -> fusermount -> fuse library ->
  -> ntfs-3g -> mount(8)

Some factors on which safe, successful mount and unmount depends:

- mount invocation: mount(8), uhelper, ntfs-3g, mount.fuse, fusermount, etc
- mount initiator: root, user, normal fstab, fstab with user[s] options
- volume type: block device, image file
- fuse kernel module type support: fuse, fuse+fuseblk
- fuse kernel module origin: kernel, FUSE package
- fuse fs type: fuse, fuseblk
- fuse fs permission: normal, setuid
- kernel supports unprivileged mount or not
- unmount type: umount(8), fusermount, signal from console user or otherwise
- FUSE API version
- FUSE library version
- FUSE kernel API version
- kernel version
- libc: glibc, uClibc, klibc, etc
- there are really more ...

It's also a great source of confusion, and contributes significantly to the increased complexity, that FUSE innovated in two major areas:

1. file systems can be implemented in user space
2. file systems can be run unprivileged

It's the first one which made the breakthrough in open source NTFS development. The second one is a bonus that no in-kernel file system can provide. Unfortunately at the same time, the latter is causing all kinds of problems because unprivileged mount related issues can be fairly subtle, especially since they would require a consistent design and smooth interactions from several projects, which has never existed (but thankfully it's being worked on by Miklos Szeredi).

The first negative result was a security advisory last September:

https://www.redhat.com/archives/fedora-package-announce/2007-September/msg00368.html
http://secunia.com/advisories/26938

We believe that the advisory

- incorrectly claims that users could directly gain write access to any devices.
- confirms that setuid-root ntfs-3g worked as it was designed because its meaning was indeed that any users who have the rights to execute ntfs-3g can mount any NTFS volumes (otherwise the 'user' and 'users' fstab options wouldn't work, for instance).

Later we were agreed but meanwhile Ludwig Nussel from SUSE has found a real local root exploit if ntfs-3g is setuid-root. The exploit is trivial and fundamentally it's the result of the complicated mount process.

We were asked not to disclose this problem immediately in October, 2007. We agreed in the hope of a fast resolution and made some suggestions on how it could be solved. The issue turned out to be a devil's circle where everybody could point to somebody else.

Thankfully, by using the integrated fuse-lite library, we could break the circle and the embarrassing silence, and from now on we can take full responsibility (and blame) for security problems.

So this release has fixed the local root exploit when ntfs-3g is setuid-root and all other security problems we have found in fuse-lite and ntfs-3g.

The conditions for unprivileged mount became much more strict to avoid more confusion in the future:

- ntfs-3g denies execution when it's setuid/setgid using external FUSE
- block devices can be mounted by unprivileged users only when
  - ntfs-3g is setuid-root (and the user has execution right)
  - using the integrated and secured fuse-lite library (default)
  - the user has access right to the volume
  - the user has access right to the mount point

These are the minimum requirements. There are more.

The above also means that the fstab 'user' and 'users' options won't work in many cases again. It's discussed here:

http://ntfs-3g.org/support.html#useroption2

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Jean-Pierre Andre has announced the release of ntfs-3g with ownership and access rights support.
Main features

- full support of Posix access control
- interoperability with Windows access control
- compatibility with standard ntfs-3g operation
- and even a significant performance improvement over standard ntfs-3g

Detailed information is available on http://pagesperso-orange.fr/b.andre/security.html

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Thanks to our Gentoo users and Miklos Szeredi, it was found out recently that the FUSE kernel module used from the FUSE software packages (Gentoo default) with the 2.6.24 Linux kernels can lock up the system.

Solution: use the FUSE kernel module included in the 2.6.24 Linux kernel (drawback: NTFS can't be NFS exported).

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The stable NTFS-3G driver release can be downloaded from http://ntfs-3g.org/

The changelog is at http://ntfs-3g.org/releases.html

People who made the world a better place: Jean-Pierre Andre, Erik Larsson, Alon Bar-Lev, Miklos Szeredi, Dominique L Bouix, Amit Singh, Csaba Henk, Alejandro Pulver, Ludwig Nussel, Bernhard Kaindl, Lubomir Kundrak, Brian Marcel, Peritus, Regis Duchesne, Agostino Russo, jd1008, Klaus Knopper, Andreas Hermann Braml, Martin Reed, Ne01eX, Antony Georg Arendt, Joseph Davida, ...

Enjoy,
Szaka

_______________________________________________
ntfs-3g-devel mailing list
https://lists.sourceforge.net/lists/listinfo/ntfs-3g-devel
