SlideShare una empresa de Scribd logo

FUSE (Filesystem in Userspace) on OpenSolaris

elliando dias
elliando dias
TecnologíaNoticias y política
1 de 14
Descargar para leer sin conexión
FUSE (Filesystem in Userspace) on OpenSolaris (2009/119) PSARC Inception Review March 25, 2009 William Krier 1
FUSE on OpenSolaris (2009/119) ● What is FUSE ● How FUSE Works ● High Level Design Diagram ● FUSE File System API ● FUSE Protocol Specification ● Security Concerns ● FUSE Mounts ● Privilege Escalation ● Block Device Access ● File System Access Control 2
What Is FUSE • FUSE is a framework which makes it possible to implement a filesystem in a userspace program. • Features include: > simple yet comprehensive API > secure mounting by non-root users > multi-threaded operation • Originally developed for Linux and currently runs on 2.4 and 2.6 Linux kernels • Maintained at fuse.sourceforge.net • Ported to FreeBSD (fuse4bsd) and Mac OS X • FUSE library remains the same across platforms 3
How FUSE Works • FUSE framework consists of 2 components > FUSE user space library (libfuse.so) – provides framework and exports FUSE API > FUSE kernel module – virtual file system (fusefs) – character device (/dev/fuse) • FUSE kernel module redirects vfs calls to the FUSE library via the FUSE character device • Example FUSE file systems > ntfs-3g > sshfs > davfs 4
High Level Design Diagram FUSE Filesystem ls -l /mnt/fuse libfuse libc libc userspace kernel fusefs fusedev fuse module VFS zfs nfsv2 5
How FUSE Works (cont.) • FUSE kernel module registers with VFS. • FUSE user space file system will link with FUSE library and provides: > Register file operation methods w/ library – struct fuse_operations – getattr, mknod, create, read, write, readdir, readlink, getdir, mknod, chmod, etc. > Mount point and options • FUSE library calls the mount() system call > filesystem type is “fuse” > filehandle of /dev/fuse passed as option • Filesystem calls are passed to FUSE library which invokes associated fuse operation in FUSE filesystem. 6
FUSE File System API • FUSE file systems use the FUSE API specification to implement necessary file system operations > Current version of FUSE API is 2.7 > Interface is classified as Volatile > The API is documented in FUSE_API_Specification.pdf 7
FUSE Protocol Specification • Kernel module communicates with FUSE library via the fuse character device > During mount, the library opens /dev/fuse and passes file descriptor to kernel. > The minor device number is associated with mount point via vfsp->vfs_dev • Messages are passed via the FUSE device's read/write methods. • FUSE messages are defined by the FUSE Protocol specification (version 7.8) > Protocol is classified as Project Private > Protocol is documented in FUSE_Protocol_Specification.pdf 8
FUSE Security Concerns • Authorization for non-privileged users to perform file system mounts • Privilege level escalation for non-privileged mounts • Access to block devices for non-privileged mounts • File system-specific access control 9
FUSE Mounts • FUSE supports non-privileged mounts • Accomplished by adding profile to /etc/security/prof_attr > FUSE File System Management:::Mount and unmount FUSE filesystems:FUSE.html • Consist of a single execution authorization in /etc/security/exec_attr > granting sys_mount privilege to FUSE mount/unmount programs > FUSE File System Management:solaris:cmd:::/usr/bin/fusermount.bin:privs=sys_mount • Profile must be manually added to users by administrator after installation. 10
Privilege Escalation DoS Possibilities with Non-privileged Mounts • FUSE file systems are only accessible to the user who mounted file system. > Prevents FUSE file system daemon from having ptrace-like capabilities and > Prevents denial of service for the requesting process (stalling system calls) • Mount option to allow access to other non-root users • Mount option to allow access to root 11
Block Device Access • For FUSE file systems that are backed by block device (ie ntfs-3g) • Non-root users must have read/write access to block device for non-privilege mount • Create “fuse” group and add write-allow ACE for specific block device. • Must be done manually by administrator. 12
File System Access Control • By default, FUSE leaves all access control to the file system. • Mount option to enable FUSE to enforce access control. > only allows UNIX-style permission checking, bypassing more sophisticated access controls that may be present in the file system. > does not have direct access to file permissions. (only see what file system presents) • Disposition of file ownership varies by file system. > ntfs-3g presents owner as user who mounted fs. > sshfs presents owner as reported by remote host. 13
FUSE on OpenSolaris (2009/119) William Krier William.Krier@sun.com 14

Recomendados

FUSE Developing Fillesystems in userspace
FUSE Developing Fillesystems in userspaceFUSE Developing Fillesystems in userspace
FUSE Developing Fillesystems in userspaceelliando dias
 
Fuse- Filesystem in User space
Fuse- Filesystem in User space Fuse- Filesystem in User space
Fuse- Filesystem in User space Danny Tseng
 
Python Fuse
Python FusePython Fuse
Python FuseMatteo Bertozzi
 
PythonFuse (PyCon4)
PythonFuse (PyCon4)PythonFuse (PyCon4)
PythonFuse (PyCon4)Matteo Bertozzi
 
Writing flexible filesystems in FUSE-Python
Writing flexible filesystems in FUSE-PythonWriting flexible filesystems in FUSE-Python
Writing flexible filesystems in FUSE-PythonAnurag Patel
 
FUSE and beyond: bridging filesystems slides by Emmanuel Dreyfus
FUSE and beyond: bridging filesystems slides by Emmanuel DreyfusFUSE and beyond: bridging filesystems slides by Emmanuel Dreyfus
FUSE and beyond: bridging filesystems slides by Emmanuel Dreyfuseurobsdcon
 
Python & FUSE
Python & FUSEPython & FUSE
Python & FUSEJoseph Scott
 
11 linux filesystem copy
11 linux filesystem copy11 linux filesystem copy
11 linux filesystem copyShay Cohen
 

Recomendados

FUSE Developing Fillesystems in userspace
FUSE Developing Fillesystems in userspaceFUSE Developing Fillesystems in userspace
FUSE Developing Fillesystems in userspaceelliando dias
 
Fuse- Filesystem in User space
Fuse- Filesystem in User space Fuse- Filesystem in User space
Fuse- Filesystem in User space Danny Tseng
 
Python Fuse
Python FusePython Fuse
Python FuseMatteo Bertozzi
 
PythonFuse (PyCon4)
PythonFuse (PyCon4)PythonFuse (PyCon4)
PythonFuse (PyCon4)Matteo Bertozzi
 
Writing flexible filesystems in FUSE-Python
Writing flexible filesystems in FUSE-PythonWriting flexible filesystems in FUSE-Python
Writing flexible filesystems in FUSE-PythonAnurag Patel
 
FUSE and beyond: bridging filesystems slides by Emmanuel Dreyfus
FUSE and beyond: bridging filesystems slides by Emmanuel DreyfusFUSE and beyond: bridging filesystems slides by Emmanuel Dreyfus
FUSE and beyond: bridging filesystems slides by Emmanuel Dreyfuseurobsdcon
 
Python & FUSE
Python & FUSEPython & FUSE
Python & FUSEJoseph Scott
 
11 linux filesystem copy
11 linux filesystem copy11 linux filesystem copy
11 linux filesystem copyShay Cohen
 
Lecture 5 Kernel Development
Lecture 5 Kernel DevelopmentLecture 5 Kernel Development
Lecture 5 Kernel DevelopmentMohammed Farrag
 
File Systems
File SystemsFile Systems
File SystemsAnil Kumar Pugalia
 
[ArabBSD] Unix Basics
[ArabBSD] Unix Basics[ArabBSD] Unix Basics
[ArabBSD] Unix BasicsMohammed Farrag
 
Ch12
Ch12Ch12
Ch12Raja Waseem Akhtar
 
unix training | unix training videos | unix course unix online training
unix training | unix training videos | unix course unix online training unix training | unix training videos | unix course unix online training
unix training | unix training videos | unix course unix online training Nancy Thomas
 
101 4.3 control mounting and unmounting of filesystems
101 4.3 control mounting and unmounting of filesystems101 4.3 control mounting and unmounting of filesystems
101 4.3 control mounting and unmounting of filesystemsAcácio Oliveira
 
Unixfs
UnixfsUnixfs
UnixfsLinh Nguyễn Thanh
 
Linux
LinuxLinux
Linuxkeydak11
 
101 1.1 hardware settings
101 1.1 hardware settings101 1.1 hardware settings
101 1.1 hardware settingsAcácio Oliveira
 
101 2.2 install boot manager
101 2.2 install boot manager101 2.2 install boot manager
101 2.2 install boot managerAcácio Oliveira
 
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security FrameworkLecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security FrameworkMohammed Farrag
 
Lect12
Lect12Lect12
Lect12Vin Voro
 
How to design a file system
How to design a file systemHow to design a file system
How to design a file systemNikhil Anurag VN
 
101 1.2 boot the system
101 1.2 boot the system101 1.2 boot the system
101 1.2 boot the systemAcácio Oliveira
 
pptdisk
pptdiskpptdisk
pptdiskMukhtiar ali burfat
 
Lecture1 Introduction
Lecture1 IntroductionLecture1 Introduction
Lecture1 IntroductionMohammed Farrag
 
Operating Systems 1
Operating Systems 1Operating Systems 1
Operating Systems 1hutchison
 
IgniteATL - Hackintoshing
IgniteATL - HackintoshingIgniteATL - Hackintoshing
IgniteATL - HackintoshingMatt Smith
 
Centos
CentosCentos
Centossandyy12
 
Programming Embedded linux
Programming Embedded linuxProgramming Embedded linux
Programming Embedded linuxLiran Ben Haim
 
FUSE and beyond: bridging filesystems paper by Emmanuel Dreyfus
FUSE and beyond: bridging filesystems paper by Emmanuel DreyfusFUSE and beyond: bridging filesystems paper by Emmanuel Dreyfus
FUSE and beyond: bridging filesystems paper by Emmanuel Dreyfuseurobsdcon
 
Network File System
Network File SystemNetwork File System
Network File SystemDivyang Oza
 

Más contenido relacionado

La actualidad más candente

Lecture 5 Kernel Development
Lecture 5 Kernel DevelopmentLecture 5 Kernel Development
Lecture 5 Kernel DevelopmentMohammed Farrag
 
unix training | unix training videos | unix course unix online training
unix training | unix training videos | unix course unix online training unix training | unix training videos | unix course unix online training
unix training | unix training videos | unix course unix online training Nancy Thomas
 
101 4.3 control mounting and unmounting of filesystems
101 4.3 control mounting and unmounting of filesystems101 4.3 control mounting and unmounting of filesystems
101 4.3 control mounting and unmounting of filesystemsAcácio Oliveira
 
101 2.2 install boot manager
101 2.2 install boot manager101 2.2 install boot manager
101 2.2 install boot managerAcácio Oliveira
 
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security FrameworkLecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security FrameworkMohammed Farrag
 
How to design a file system
How to design a file systemHow to design a file system
How to design a file systemNikhil Anurag VN
 
Operating Systems 1
Operating Systems 1Operating Systems 1
Operating Systems 1hutchison
 
IgniteATL - Hackintoshing
IgniteATL - HackintoshingIgniteATL - Hackintoshing
IgniteATL - HackintoshingMatt Smith
 
Programming Embedded linux
Programming Embedded linuxProgramming Embedded linux
Programming Embedded linuxLiran Ben Haim
 

La actualidad más candente (20)

Lecture 5 Kernel Development
Lecture 5 Kernel DevelopmentLecture 5 Kernel Development
Lecture 5 Kernel Development
 
File Systems
File SystemsFile Systems
File Systems
 
[ArabBSD] Unix Basics
[ArabBSD] Unix Basics[ArabBSD] Unix Basics
[ArabBSD] Unix Basics
 
Ch12
Ch12Ch12
Ch12
 
unix training | unix training videos | unix course unix online training
unix training | unix training videos | unix course unix online training unix training | unix training videos | unix course unix online training
unix training | unix training videos | unix course unix online training
 
101 4.3 control mounting and unmounting of filesystems
101 4.3 control mounting and unmounting of filesystems101 4.3 control mounting and unmounting of filesystems
101 4.3 control mounting and unmounting of filesystems
 
Unixfs
UnixfsUnixfs
Unixfs
 
Linux
LinuxLinux
Linux
 
101 1.1 hardware settings
101 1.1 hardware settings101 1.1 hardware settings
101 1.1 hardware settings
 
101 2.2 install boot manager
101 2.2 install boot manager101 2.2 install boot manager
101 2.2 install boot manager
 
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security FrameworkLecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
 
Lect12
Lect12Lect12
Lect12
 
How to design a file system
How to design a file systemHow to design a file system
How to design a file system
 
101 1.2 boot the system
101 1.2 boot the system101 1.2 boot the system
101 1.2 boot the system
 
pptdisk
pptdiskpptdisk
pptdisk
 
Lecture1 Introduction
Lecture1 IntroductionLecture1 Introduction
Lecture1 Introduction
 
Operating Systems 1
Operating Systems 1Operating Systems 1
Operating Systems 1
 
IgniteATL - Hackintoshing
IgniteATL - HackintoshingIgniteATL - Hackintoshing
IgniteATL - Hackintoshing
 
Centos
CentosCentos
Centos
 
Programming Embedded linux
Programming Embedded linuxProgramming Embedded linux
Programming Embedded linux
 

Similar a FUSE (Filesystem in Userspace) on OpenSolaris

FUSE and beyond: bridging filesystems paper by Emmanuel Dreyfus
FUSE and beyond: bridging filesystems paper by Emmanuel DreyfusFUSE and beyond: bridging filesystems paper by Emmanuel Dreyfus
FUSE and beyond: bridging filesystems paper by Emmanuel Dreyfuseurobsdcon
 
Network File System
Network File SystemNetwork File System
Network File SystemDivyang Oza
 
Fuse'ing python for rapid development of storage efficient
Fuse'ing python for rapid development of storage efficientFuse'ing python for rapid development of storage efficient
Fuse'ing python for rapid development of storage efficientVishal Kanaujia
 
Poking The Filesystem For Fun And Profit
Poking The Filesystem For Fun And ProfitPoking The Filesystem For Fun And Profit
Poking The Filesystem For Fun And Profitssusera432ea1
 
Course 102: Lecture 27: FileSystems in Linux (Part 2)
Course 102: Lecture 27: FileSystems in Linux (Part 2)Course 102: Lecture 27: FileSystems in Linux (Part 2)
Course 102: Lecture 27: FileSystems in Linux (Part 2)Ahmed El-Arabawy
 
Presentation on nfs,afs,vfs
Presentation on nfs,afs,vfsPresentation on nfs,afs,vfs
Presentation on nfs,afs,vfsPrakriti Dubey
 
Unix Operating System
Unix Operating SystemUnix Operating System
Unix Operating Systemsubhsikha
 
Andrew File System
Andrew File SystemAndrew File System
Andrew File SystemAshish KC
 
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...The Linux Foundation
 
Linux fs structure (1)
Linux fs structure (1)Linux fs structure (1)
Linux fs structure (1)E. Rahul Naidu
 
guadec_rlove_fuse_2006
guadec_rlove_fuse_2006guadec_rlove_fuse_2006
guadec_rlove_fuse_2006webuploader
 
KVEFS: Encrypted File System based on Distributed Key-Value Stores and FUSE
KVEFS: Encrypted File System based on Distributed Key-Value Stores and FUSEKVEFS: Encrypted File System based on Distributed Key-Value Stores and FUSE
KVEFS: Encrypted File System based on Distributed Key-Value Stores and FUSEIJNSA Journal
 
KVEFS: Encrypted File System based on Distributed Key-Value Stores and FUSE
KVEFS: Encrypted File System based on Distributed Key-Value Stores and FUSEKVEFS: Encrypted File System based on Distributed Key-Value Stores and FUSE
KVEFS: Encrypted File System based on Distributed Key-Value Stores and FUSEIJNSA Journal
 
7 unixsecurity
7 unixsecurity7 unixsecurity
7 unixsecurityricharddxd
 
AIXpert - AIX Security expert
AIXpert - AIX Security expertAIXpert - AIX Security expert
AIXpert - AIX Security expertdlfrench
 
Linux26 New Features
Linux26 New FeaturesLinux26 New Features
Linux26 New Featuresguest491c69
 

Similar a FUSE (Filesystem in Userspace) on OpenSolaris (20)

FUSE and beyond: bridging filesystems paper by Emmanuel Dreyfus
FUSE and beyond: bridging filesystems paper by Emmanuel DreyfusFUSE and beyond: bridging filesystems paper by Emmanuel Dreyfus
FUSE and beyond: bridging filesystems paper by Emmanuel Dreyfus
 
Network File System
Network File SystemNetwork File System
Network File System
 
Fuse'ing python for rapid development of storage efficient
Fuse'ing python for rapid development of storage efficientFuse'ing python for rapid development of storage efficient
Fuse'ing python for rapid development of storage efficient
 
Poking The Filesystem For Fun And Profit
Poking The Filesystem For Fun And ProfitPoking The Filesystem For Fun And Profit
Poking The Filesystem For Fun And Profit
 
Course 102: Lecture 27: FileSystems in Linux (Part 2)
Course 102: Lecture 27: FileSystems in Linux (Part 2)Course 102: Lecture 27: FileSystems in Linux (Part 2)
Course 102: Lecture 27: FileSystems in Linux (Part 2)
 
Presentation on nfs,afs,vfs
Presentation on nfs,afs,vfsPresentation on nfs,afs,vfs
Presentation on nfs,afs,vfs
 
Unix Operating System
Unix Operating SystemUnix Operating System
Unix Operating System
 
Linux remote
Linux remoteLinux remote
Linux remote
 
Andrew File System
Andrew File SystemAndrew File System
Andrew File System
 
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
 
Linux fs structure (1)
Linux fs structure (1)Linux fs structure (1)
Linux fs structure (1)
 
guadec_rlove_fuse_2006
guadec_rlove_fuse_2006guadec_rlove_fuse_2006
guadec_rlove_fuse_2006
 
Nfs
NfsNfs
Nfs
 
KVEFS: Encrypted File System based on Distributed Key-Value Stores and FUSE
KVEFS: Encrypted File System based on Distributed Key-Value Stores and FUSEKVEFS: Encrypted File System based on Distributed Key-Value Stores and FUSE
KVEFS: Encrypted File System based on Distributed Key-Value Stores and FUSE
 
KVEFS: Encrypted File System based on Distributed Key-Value Stores and FUSE
KVEFS: Encrypted File System based on Distributed Key-Value Stores and FUSEKVEFS: Encrypted File System based on Distributed Key-Value Stores and FUSE
KVEFS: Encrypted File System based on Distributed Key-Value Stores and FUSE
 
7 unixsecurity
7 unixsecurity7 unixsecurity
7 unixsecurity
 
Fsoss12
Fsoss12Fsoss12
Fsoss12
 
AIXpert - AIX Security expert
AIXpert - AIX Security expertAIXpert - AIX Security expert
AIXpert - AIX Security expert
 
Linux26 New Features
Linux26 New FeaturesLinux26 New Features
Linux26 New Features
 
5.distributed file systems
5.distributed file systems5.distributed file systems
5.distributed file systems
 

Más de elliando dias

Clojurescript slides
Clojurescript slidesClojurescript slides
Clojurescript slideselliando dias
 
Why you should be excited about ClojureScript
Why you should be excited about ClojureScriptWhy you should be excited about ClojureScript
Why you should be excited about ClojureScriptelliando dias
 
Functional Programming with Immutable Data Structures
Functional Programming with Immutable Data StructuresFunctional Programming with Immutable Data Structures
Functional Programming with Immutable Data Structureselliando dias
 
Nomenclatura e peças de container
Nomenclatura e peças de containerNomenclatura e peças de container
Nomenclatura e peças de containerelliando dias
 
Polyglot and Poly-paradigm Programming for Better Agility
Polyglot and Poly-paradigm Programming for Better AgilityPolyglot and Poly-paradigm Programming for Better Agility
Polyglot and Poly-paradigm Programming for Better Agilityelliando dias
 
Javascript Libraries
Javascript LibrariesJavascript Libraries
Javascript Librarieselliando dias
 
How to Make an Eight Bit Computer and Save the World!
How to Make an Eight Bit Computer and Save the World!How to Make an Eight Bit Computer and Save the World!
How to Make an Eight Bit Computer and Save the World!elliando dias
 
A Practical Guide to Connecting Hardware to the Web
A Practical Guide to Connecting Hardware to the WebA Practical Guide to Connecting Hardware to the Web
A Practical Guide to Connecting Hardware to the Webelliando dias
 
Introdução ao Arduino
Introdução ao ArduinoIntrodução ao Arduino
Introdução ao Arduinoelliando dias
 
Incanter Data Sorcery
Incanter Data SorceryIncanter Data Sorcery
Incanter Data Sorceryelliando dias
 
Fab.in.a.box - Fab Academy: Machine Design
Fab.in.a.box - Fab Academy: Machine DesignFab.in.a.box - Fab Academy: Machine Design
Fab.in.a.box - Fab Academy: Machine Designelliando dias
 
The Digital Revolution: Machines that makes
The Digital Revolution: Machines that makesThe Digital Revolution: Machines that makes
The Digital Revolution: Machines that makeselliando dias
 
Hadoop - Simple. Scalable.
Hadoop - Simple. Scalable.Hadoop - Simple. Scalable.
Hadoop - Simple. Scalable.elliando dias
 
Hadoop and Hive Development at Facebook
Hadoop and Hive Development at FacebookHadoop and Hive Development at Facebook
Hadoop and Hive Development at Facebookelliando dias
 
Multi-core Parallelization in Clojure - a Case Study
Multi-core Parallelization in Clojure - a Case StudyMulti-core Parallelization in Clojure - a Case Study
Multi-core Parallelization in Clojure - a Case Studyelliando dias
 

Más de elliando dias (20)

Clojurescript slides
Clojurescript slidesClojurescript slides
Clojurescript slides
 
Why you should be excited about ClojureScript
Why you should be excited about ClojureScriptWhy you should be excited about ClojureScript
Why you should be excited about ClojureScript
 
Functional Programming with Immutable Data Structures
Functional Programming with Immutable Data StructuresFunctional Programming with Immutable Data Structures
Functional Programming with Immutable Data Structures
 
Nomenclatura e peças de container
Nomenclatura e peças de containerNomenclatura e peças de container
Nomenclatura e peças de container
 
Geometria Projetiva
Geometria ProjetivaGeometria Projetiva
Geometria Projetiva
 
Polyglot and Poly-paradigm Programming for Better Agility
Polyglot and Poly-paradigm Programming for Better AgilityPolyglot and Poly-paradigm Programming for Better Agility
Polyglot and Poly-paradigm Programming for Better Agility
 
Javascript Libraries
Javascript LibrariesJavascript Libraries
Javascript Libraries
 
How to Make an Eight Bit Computer and Save the World!
How to Make an Eight Bit Computer and Save the World!How to Make an Eight Bit Computer and Save the World!
How to Make an Eight Bit Computer and Save the World!
 
Ragel talk
Ragel talkRagel talk
Ragel talk
 
A Practical Guide to Connecting Hardware to the Web
A Practical Guide to Connecting Hardware to the WebA Practical Guide to Connecting Hardware to the Web
A Practical Guide to Connecting Hardware to the Web
 
Introdução ao Arduino
Introdução ao ArduinoIntrodução ao Arduino
Introdução ao Arduino
 
Minicurso arduino
Minicurso arduinoMinicurso arduino
Minicurso arduino
 
Incanter Data Sorcery
Incanter Data SorceryIncanter Data Sorcery
Incanter Data Sorcery
 
Rango
RangoRango
Rango
 
Fab.in.a.box - Fab Academy: Machine Design
Fab.in.a.box - Fab Academy: Machine DesignFab.in.a.box - Fab Academy: Machine Design
Fab.in.a.box - Fab Academy: Machine Design
 
The Digital Revolution: Machines that makes
The Digital Revolution: Machines that makesThe Digital Revolution: Machines that makes
The Digital Revolution: Machines that makes
 
Hadoop + Clojure
Hadoop + ClojureHadoop + Clojure
Hadoop + Clojure
 
Hadoop - Simple. Scalable.
Hadoop - Simple. Scalable.Hadoop - Simple. Scalable.
Hadoop - Simple. Scalable.
 
Hadoop and Hive Development at Facebook
Hadoop and Hive Development at FacebookHadoop and Hive Development at Facebook
Hadoop and Hive Development at Facebook
 
Multi-core Parallelization in Clojure - a Case Study
Multi-core Parallelization in Clojure - a Case StudyMulti-core Parallelization in Clojure - a Case Study
Multi-core Parallelization in Clojure - a Case Study
 

Último

AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 

Último (20)

AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 

FUSE (Filesystem in Userspace) on OpenSolaris

  • 1. FUSE (Filesystem in Userspace) on OpenSolaris (2009/119) PSARC Inception Review March 25, 2009 William Krier 1
  • 2. FUSE on OpenSolaris (2009/119) ● What is FUSE ● How FUSE Works ● High Level Design Diagram ● FUSE File System API ● FUSE Protocol Specification ● Security Concerns ● FUSE Mounts ● Privilege Escalation ● Block Device Access ● File System Access Control 2
  • 3. What Is FUSE • FUSE is a framework which makes it possible to implement a filesystem in a userspace program. • Features include: > simple yet comprehensive API > secure mounting by non-root users > multi-threaded operation • Originally developed for Linux and currently runs on 2.4 and 2.6 Linux kernels • Maintained at fuse.sourceforge.net • Ported to FreeBSD (fuse4bsd) and Mac OS X • FUSE library remains the same across platforms 3
  • 4. How FUSE Works • FUSE framework consists of 2 components > FUSE user space library (libfuse.so) – provides framework and exports FUSE API > FUSE kernel module – virtual file system (fusefs) – character device (/dev/fuse) • FUSE kernel module redirects vfs calls to the FUSE library via the FUSE character device • Example FUSE file systems > ntfs-3g > sshfs > davfs 4
  • 5. High Level Design Diagram FUSE Filesystem ls -l /mnt/fuse libfuse libc libc userspace kernel fusefs fusedev fuse module VFS zfs nfsv2 5
  • 6. How FUSE Works (cont.) • FUSE kernel module registers with VFS. • FUSE user space file system will link with FUSE library and provides: > Register file operation methods w/ library – struct fuse_operations – getattr, mknod, create, read, write, readdir, readlink, getdir, mknod, chmod, etc. > Mount point and options • FUSE library calls the mount() system call > filesystem type is “fuse” > filehandle of /dev/fuse passed as option • Filesystem calls are passed to FUSE library which invokes associated fuse operation in FUSE filesystem. 6
  • 7. FUSE File System API • FUSE file systems use the FUSE API specification to implement necessary file system operations > Current version of FUSE API is 2.7 > Interface is classified as Volatile > The API is documented in FUSE_API_Specification.pdf 7
  • 8. FUSE Protocol Specification • Kernel module communicates with FUSE library via the fuse character device > During mount, the library opens /dev/fuse and passes file descriptor to kernel. > The minor device number is associated with mount point via vfsp->vfs_dev • Messages are passed via the FUSE device's read/write methods. • FUSE messages are defined by the FUSE Protocol specification (version 7.8) > Protocol is classified as Project Private > Protocol is documented in FUSE_Protocol_Specification.pdf 8
  • 9. FUSE Security Concerns • Authorization for non-privileged users to perform file system mounts • Privilege level escalation for non-privileged mounts • Access to block devices for non-privileged mounts • File system-specific access control 9
  • 10. FUSE Mounts • FUSE supports non-privileged mounts • Accomplished by adding profile to /etc/security/prof_attr > FUSE File System Management:::Mount and unmount FUSE filesystems:FUSE.html • Consist of a single execution authorization in /etc/security/exec_attr > granting sys_mount privilege to FUSE mount/unmount programs > FUSE File System Management:solaris:cmd:::/usr/bin/fusermount.bin:privs=sys_mount • Profile must be manually added to users by administrator after installation. 10
  • 11. Privilege Escalation DoS Possibilities with Non-privileged Mounts • FUSE file systems are only accessible to the user who mounted file system. > Prevents FUSE file system daemon from having ptrace-like capabilities and > Prevents denial of service for the requesting process (stalling system calls) • Mount option to allow access to other non-root users • Mount option to allow access to root 11
  • 12. Block Device Access • For FUSE file systems that are backed by block device (ie ntfs-3g) • Non-root users must have read/write access to block device for non-privilege mount • Create “fuse” group and add write-allow ACE for specific block device. • Must be done manually by administrator. 12
  • 13. File System Access Control • By default, FUSE leaves all access control to the file system. • Mount option to enable FUSE to enforce access control. > only allows UNIX-style permission checking, bypassing more sophisticated access controls that may be present in the file system. > does not have direct access to file permissions. (only see what file system presents) • Disposition of file ownership varies by file system. > ntfs-3g presents owner as user who mounted fs. > sshfs presents owner as reported by remote host. 13
  • 14. FUSE on OpenSolaris (2009/119) William Krier William.Krier@sun.com 14