Bug#631504: confused about this bug report
Hi, I'm using Debian jessie/stable. I see that there was much discussion about using the internal FUSE library, which finally did happen before jessie, and I confirmed that the jessie version *is* using the internal version. But mounting as user is still not working for me. I get mount /mnt/passport/ Error opening '/dev/sde1': Permission denied Failed to mount '/dev/sde1': Permission denied Please check '/dev/sde1' and the ntfs-3g binary permissions, and the mounting user ID. More explanation is provided at http://tuxera.com/community/ntfs-3g-faq/#unprivileged I have the following in my /etc/fstab UUID="4E1AEA7B1AEA6007" /mnt/passport autorw,user,noauto 0 0 Can anyone help me out? Thanks. Regards, Faheem Mitha
Bug#631504: ntfs-3g: unusable for non-root users with or without setuid
What's the status of this bug in jessie/stretch? It has been fixed in wheezy at some point, but is it still relevant for newer releases? Andreas
Bug#631504:
Same bug here for me. Fresh wheezy stable lxde install from usb harddisk. Needed to remove /mnt/usb0 line from fstab to make usb mounting work.
Bug#631504: (no subject)
I have to agree with Klaus Knopper. This is ridiculous. Just because you think internalizing the library would be insecure, all the users are forced to write C wrappers or compile their own ntfs-3g, which bosth will in effect be WAY LESS SECURE, because of the very reasons you are trying to avoid: 1) People will inexperiencedly make it work. They are mostly worse than you at keeping things secure. You can tell yourself that it wasn't you, but it was you who made the people fix the problem you created by shipping a broken ntfs-3g. 2) Homebuild ntfs-3g versions aren't updated with the system, leaving the system to be vulnerable after fuse's bugs are patched in the repository. 3) Wrappers will tear holes because they cause security checks in ntfs-3g to be skipped, and they will possibly tear open all the holes you are also trying to keep shut. Here is my suid wrapper, just to eliminate any doubt that YOUR NON-SOLUTION of this bug WILL CREATE SECURITY RISKS for every user: #include stdlib.h #include string.h int main(int argc, char* argv[]){ char* prog = malloc(strlen(argv[0])+5); strcpy(prog, argv[0]); strcat(prog, .bin); int uid=geteuid(); setuid(uid); execvp(prog, argv); exit(127); } I'd bet you can find a security risk there besides the fact that it eliminates the ntfs-3g security checks and alters the defaults. PS: I don't have any USB drives in /etc/fstab. My version of Debian: deb cdrom:[Debian GNU/Linux 7.3.0 _Wheezy_ - Official amd64 NETINST Binary-1 20131215-04:55]/ wheezy main -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#631504:
Just wanted to add that this bug is still active in Debian 7.1. With a Verbatim 1TB HD I was able to mount and manipulate files. After removing the external drive and then plugging it back in it came up with the unprivileged user error. Commenting out the mentioned USB lines did solve the problem. Installation was through USB net install.
Bug#631504: Fwd: Re: unusable for non-root users with or without setuid
Hi, same behavior like Message #115. basti -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#631504: unusable for non-root users with or without setuid
Hi, I'm confirming, bug still exist in freshly installed from usb stick wheezy after it become stable. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#631504: unusable for non-root users with or without setuid
Package: ntfs-3g Version: 1:2013.1.13AR.1-2 Followup-For: Bug #631504 Dear Maintainer, There appears to be a regression of this bug in Jessie, when trying to automount an external NTFS drive in Gnome I received the first error Unprivileged user can not mount NTFS block devices using the external FUSE library. [...] with setuid unset, received the second error Mount is denied because setuid and setgid root ntfs-3g is insecure with the external FUSE library. with setuid set. -- System Information: Debian Release: jessie/sid APT prefers testing APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages ntfs-3g depends on: ii debconf [debconf-2.0] 1.5.50 ii fuse 2.9.0-2+deb7u1 ii libc6 2.17-3 ii libfuse2 2.9.0-2+deb7u1 ii libgcrypt111.5.0-5 ii libgnutls262.12.20-6 ii multiarch-support 2.17-3 ntfs-3g recommends no packages. ntfs-3g suggests no packages. -- debconf information: * ntfs-3g/setuid-root: true * ntfs-3g/initramfs: true -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#631504: unusable for non-root users with or without setuid
Package: ntfs-3g Version: 1:2012.1.15AR.5-2.1 Followup-For: Bug #631504 Dear Maintainer, I added information to an installation report [1] which confirms this bug, at least in a freshly installed system. [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=646795#58 -- System Information: Debian Release: 7.0 APT prefers testing APT policy: (700, 'testing'), (600, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.7-trunk-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages ntfs-3g depends on: ii debconf [debconf-2.0] 1.5.49 ii fuse 2.9.0-2+deb7u1 ii libc6 2.13-37 ii libfuse2 2.9.0-2+deb7u1 ii libgcrypt111.5.0-3 ii libgnutls262.12.20-2 ii multiarch-support 2.13-37 ntfs-3g recommends no packages. ntfs-3g suggests no packages. -- debconf information: ntfs-3g/setuid-root: false ntfs-3g/initramfs: true -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#631504: Unable to mount external USB devices -- Wheezy KDE
I can confirm that deleting the usb device entry from fstab will fix the issue (in my case anyway).
Bug#631504: Works with Internal Fuse
Just confirming that this does work if you supply -with-fuse=internal in the configuration options in the rules file. The patch supplied earlier does not work. I suspect that it's best to use the internal fuse because i do suspect it has key differences from the standard fuse as stated earlier. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#631504: ntfs-3g needs to be compiled with --with-fuse=internal and installed setuid root
Package: ntfs-3g Version: 1:2012.1.15AR.5-1 Severity: normal The error message caused by unprovileged ntfs-3g mount tells the solution from the upstream documentation, see http://tuxera.com/community/ntfs-3g-faq/#unprivileged Using external fuse in setuid root programs is considered insecure by upstream, so user mount is disabled when compiling with --with-fuse=external. Recompiling with --with-fuse=internal and installing setuid root as described on the tuxera website fixes the problem. -- System Information: Debian Release: 6.0.3 APT prefers stable APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (1, 'experimental') Architecture: i386 (i686) Kernel: Linux 3.4.2 (SMP w/2 CPU cores; PREEMPT) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages ntfs-3g depends on: ii debconf [debconf-2.0] 1.5.41 Debian configuration management sy ii fuse 2.8.6-4Filesystem in Userspace ii libc6 2.13-24Embedded GNU C Library: Shared lib ii libfuse2 2.8.6-4Filesystem in Userspace (library) ii libgcrypt11 1.5.0-3LGPL Crypto library - runtime libr ii libgnutls26 2.12.18-1 GNU TLS library - runtime library ii libuuid1 2.17.2-9 Universally Unique ID library ii multiarch-support 2.13-24Transitional package to ensure mul ntfs-3g recommends no packages. ntfs-3g suggests no packages. -- debconf information: ntfs-3g/setuid-root: false ntfs-3g/initramfs: true -- System Information: Debian Release: 6.0.3 APT prefers stable APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (1, 'experimental') Architecture: i386 (i686) Kernel: Linux 3.4.2 (SMP w/2 CPU cores; PREEMPT) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages ntfs-3g depends on: ii debconf [debconf-2.0] 1.5.41 Debian configuration management sy ii fuse 2.8.6-4Filesystem in Userspace ii libc6 2.13-24Embedded GNU C Library: Shared lib ii libfuse2 2.8.6-4Filesystem in Userspace (library) ii libgcrypt11 1.5.0-3LGPL Crypto library - runtime libr ii libgnutls26 2.12.18-1 GNU TLS library - runtime library ii libuuid1 2.17.2-9 Universally Unique ID library ii multiarch-support 2.13-24Transitional package to ensure mul ntfs-3g recommends no packages. ntfs-3g suggests no packages. -- debconf information: ntfs-3g/setuid-root: false ntfs-3g/initramfs: true -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#631504: ntfs-3g needs to be compiled with --with-fuse=internal and installed setuid root
reopen 631504 reopen 637805 thanks On 06/14/2012 10:48 PM, Daniel Baumann wrote: see the other bug reports about this where i've commented on the issue. sorry, i though you opened a new bug.. anyhow, you've seen the reasoning for not building ntfs-3g with internal fuse. -- Address:Daniel Baumann, Donnerbuehlweg 3, CH-3012 Bern Email: daniel.baum...@progress-technologies.net Internet: http://people.progress-technologies.net/~daniel.baumann/ -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#631504: ntfs-3g needs to be compiled with --with-fuse=internal and installed setuid root
Hello Daniel, On Thu, Jun 14, 2012 at 10:55:01PM +0200, Daniel Baumann wrote: reopen 631504 reopen 637805 thanks On 06/14/2012 10:48 PM, Daniel Baumann wrote: see the other bug reports about this where i've commented on the issue. sorry, i though you opened a new bug.. anyhow, you've seen the reasoning for not building ntfs-3g with internal fuse. Actually, I didn't see it, sorry. reportbug is somewhat unintitive, apparently I just read the primary error descriptions and answered them. Using the WWW variant now. You probably mean this: security reasons and no code-duplication. the remaining issues with using the systems fuse should be fixed in the code, the internal one is not an acceptable workaround. I strongly disagree with you in the point of view that using ntfs-3gs internal fuse implementation would be a security problem or just a workaround. I understand that the author of ntfs-3g considers it a security issue if a setuid program relies on a potentially insecure external library. I can see his point, that using the internal fuse of ntfs-3g would actually increase security by reducing an entry point for attacks and makes ntfs-3g more atomic. About code duplication: Have you actually checked if the internal fuse code is identical to the external one? I don't think it is. Even if it wastes a few bytes, I would rather trust the ntfs-3g authors fuse implementation because he designed ntfs-3g secure enough to allow it running as root with careful permission checks. If the external fuse libs get upgraded, this does not mean it is wise to also upgrade ntfs-3gs internal fuse implementation as well. At this point, I would now have to use a fork of ntfs-3g again, since normal users should be able to mount NTFS volumes without having to explicitly gain root access. With the current official package, this is not possible, and there is no working desktop integration of the ntfs-3g suite because of the privilege issues. Regards -Klaus -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#631504:
I had the same problem with the strange lines in fstab and I know why: because I installed using an usb-stick and the installer added its partitions to fstab. So I think it's an installer bug... -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#631504:
And btw the installer did not add my default user to group fuse, but I solved that problem before. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#631504: (no subject)
Hi, I had recently the same problem with my new wheezy install (upgraded from squeeze). There were those external FUSE library complaints (mentioned above) while mounting NTFS USB flashdrive. I've tried to build my own version of ntfs-3g package with --with-fuse=internal flag enabled in the rules file. But it didn't work for me either. There were some permission denied errors while opening the /dev/sdb1 device during mount. But device permissions seemed OK to me. Later I've noticed that in /etc/fstab file was a /dev/sdb1 /media/usb0 auto rw,user,noauto 0 0 line. I've tried to remove this strange line (I don't know how it got there) and it helped. Now mounting of NTFS drives works just fine (even with distribution version of ntfs-3g package). May be that this will work for you too. Bye, Michal Wirth -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#631504: Push the solution forward
Why hasn't this been pushed forward to Squeeze? It's really annoying! -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#631504: Push the solution forward
On 01/19/2012 10:13 AM, Brian Hansen wrote: Why hasn't this been pushed forward to Squeeze? because it would first need to be fixed in sid, for starters, and as pointed out, the proposed 'solution' is not an acceptable solution. It's really annoying! patches welcome. -- Address:Daniel Baumann, Donnerbuehlweg 3, CH-3012 Bern Email: daniel.baum...@progress-technologies.net Internet: http://people.progress-technologies.net/~daniel.baumann/ -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#631504: ntfs-3g: unusable for non-root users with or without setuid
Tags: patch Removing --with-fuse=external or replacing it with --with-fuse=internal in the configuration part of the rules files solves the problem. Is there a reason to use the external fuse library instead of the ntfs-3g internal one ? -- Christophe Monniez christophe.monn...@fccu.be --- rules.orig 1970-01-01 01:00:00.0 +0100 +++ rules 2011-08-05 08:41:57.0 +0200 @@ -0,0 +1,97 @@ +#!/usr/bin/make -f + +SHELL := sh -e + +DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) +DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) + +CFLAGS = -Wall -g + +ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) + CFLAGS += -O0 +else + CFLAGS += -O2 +endif +ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) +NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) +MAKEFLAGS += -j$(NUMJOBS) +endif + +upstream: + lynx -dump http://b.andre.pagesperso-orange.fr/changelog.html debian/local/changelog + +%: + dh ${@} --with autotools_dev + +override_dh_auto_configure: + dh_auto_configure -- --host=$(DEB_HOST_GNU_TYPE) \ +--build=$(DEB_BUILD_GNU_TYPE) \ +--prefix=/usr \ +--exec-prefix=/ \ +--mandir=\$${prefix}/share/man \ +--enable-crypto \ +--enable-extras \ +--enable-posix-acls \ +--enable-xattr-mappings \ +--disable-ldconfig \ +--with-fuse=internal \ +CFLAGS=$(CFLAGS) \ +LDFLAGS=-Wl,-z,defs + +override_dh_auto_install: + dh_auto_install + + # adding initramfs-tools integration + install -D -m 0755 debian/local/ntfs-3g.hook debian/ntfs-3g/usr/share/initramfs-tools/hooks/ntfs_3g + install -D -m 0755 debian/local/ntfs-3g.local-premount debian/ntfs-3g/usr/share/initramfs-tools/scripts/local-premount/ntfs_3g + install -D -m 0755 debian/local/ntfs-3g.local-bottom debian/ntfs-3g/usr/share/initramfs-tools/scripts/local-bottom/ntfs_3g + + # removing unused files + rm -f debian/tmp/lib/*.la + + # removing rpath + for _PROGRAM in \ + bin/lowntfs-3g \ + bin/ntfs-3g \ + bin/ntfs-3g.probe \ + bin/ntfs-3g.secaudit \ + bin/ntfs-3g.usermap \ + bin/ntfscat \ + bin/ntfscluster \ + bin/ntfscmp \ + bin/ntfsck \ + bin/ntfsdecrypt \ + bin/ntfsdump_logfile \ + bin/ntfsfix \ + bin/ntfsinfo \ + bin/ntfsls \ + bin/ntfsmftalloc \ + bin/ntfsmove \ + bin/ntfstruncate \ + bin/ntfswipe \ + sbin/mkntfs \ + sbin/ntfsclone \ + sbin/ntfscp \ + sbin/ntfslabel \ + sbin/ntfsresize \ + sbin/ntfsundelete; \ + do \ + chrpath --delete debian/tmp/$${_PROGRAM}; \ + done + +override_dh_installchangelogs: + dh_installchangelogs debian/local/changelog + +override_dh_install: + dh_install --fail-missing + +override_dh_link: + rm -rf debian/ntfs-3g-dev/usr/share/doc + + # correcting symlink target + dh_link -pntfs-3g-dev lib/$$(basename $$(readlink debian/tmp/usr/lib/libntfs-3g.so)) usr/lib/libntfs-3g.so + + dh_link --remaining-packages + +override_dh_strip: + dh_strip --dbg-package=ntfs-3g-dbg
Bug#631504: ntfs-3g: unusable for non-root users with or without setuid
tag 631504 - patch thanks On 08/05/2011 09:21 AM, Christophe Monniez wrote: Is there a reason to use the external fuse library instead of the ntfs-3g internal one ? security reasons and no code-duplication. the remaining issues with using the systems fuse should be fixed in the code, the internal one is not an acceptable workaround. -- Address:Daniel Baumann, Donnerbuehlweg 3, CH-3012 Bern Email: daniel.baum...@progress-technologies.net Internet: http://people.progress-technologies.net/~daniel.baumann/ -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#631504: ntfs-3g: unusable for non-root users with or without setuid
Package: ntfs-3g Version: 1:2011.1.15AR.4+2011.4.12-2 Severity: normal Mounting NTFS volumes through gvfs currently fails with an error from ntfs-3g Error mounting: mount exited with exit code 1: helper failed with: Unprivileged user can not mount NTFS block devices using the external FUSE library. Either mount the volume as root, or rebuild NTFS-3G with integrated FUSE support and make it setuid root. Please see more information at http://ntfs-3g.org/support.html#unprivileged after reconfiguring it to use setuit root, the error message changes to: Error mounting: mount exited with exit code 1: helper failed with: Mount is denied because setuid and setgid root ntfs-3g is insecure with the external FUSE library. Either remove the setuid/setgid bit from the binary or rebuild NTFS-3G with integrated FUSE support and make it setuid root. Please see more information at http://ntfs-3g.org/support.html#unprivileged So it is currently unusable either way -- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental') Architecture: i386 (i686) Kernel: Linux 2.6.39-2-686-pae (SMP w/4 CPU cores) Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages ntfs-3g depends on: ii debconf [deb 1.5.39 Debian configuration management sy ii fuse-utils 2.8.5-3 Filesystem in Userspace (transitio ii libc62.13-7 Embedded GNU C Library: Shared lib ii libfuse2 2.8.5-3 Filesystem in Userspace (library) ii libntfs-3g80 1:2011.1.15AR.4+2011.4.12-2 read-write NTFS driver for FUSE (l ntfs-3g recommends no packages. ntfs-3g suggests no packages. -- debconf information: * ntfs-3g/setuid-root: false -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org