FS#9748 - Users can't mount ntfs partitions anymore with ntfs-3g >=1.2216

Attached to Project: Arch Linux
Opened by Carlo Bersani (carlocci) - Sunday, 02 March 2008, 23:11 GMT
Last edited by Thomas Bächler (brain0) - Saturday, 15 March 2008, 10:07 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Thomas Bächler (brain0)
Architecture All
Severity Medium
Priority Normal
Reported Version 2007.08-2
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:
The last version of ntfs-3g checks if /bin/ntfs-3g is setuid/setgid root and deny mounting partitions to users.

Additional info:
* package version(s) ntfs-3g >=1.2216

Steps to reproduce:
carlocci /bin $ mount /media/Volume/
Mount is denied because setuid and setgid root ntfs-3g is insecure with the
external FUSE library. Either remove the setuid/setgid bit from the binary
or rebuild NTFS-3G with integrated FUSE support and make it setuid root.
Please see more information at http://ntfs-3g.org/support.html#unprivileged

Solution:
You have to remove the "--with-fuse=external" parameter at configure time.
This will compile ntfs-3g with an internal stripped down version of FUSE, which fix a security issue, which is kind of cool as you won't need the FUSE userspace package, which is kind of ugly as you will have some redundancy if you have other FUSE packages.

More information:
http://bbs.archlinux.org/viewtopic.php?id=44844
This task depends upon

Closed by  Thomas Bächler (brain0)
Saturday, 15 March 2008, 10:07 GMT
Reason for closing:  Fixed
Additional comments about closing:  Fixed in testing version.
Comment by Carlo Bersani (carlocci) - Monday, 03 March 2008, 10:57 GMT
It looks like there is a bug with ntfs-3g 1.2216 which prevents me and some other users to mount ntfs partitions as users anyway.
You can read about this here: http://forum.ntfs-3g.org/viewtopic.php?t=801

I will downgrade in the mean time as my priority is usability over security issues.
Comment by Lukas Miczka (cpu) - Monday, 03 March 2008, 14:22 GMT
Here how it works for me:

1. rebuild ntfs-3g from AUR without option "--with-fuse=external"
2. update package
3. create fuse.conf in /etc and put "user_allow_other"
4. add user to group disk
5. in KDE just unselect "mount as user" in device properties (mounting tab)

So anyway I think fuse package should be rebuilded to use internal fuse (remove fuse dependency) and there should be additional fuse.conf in /etc - http://fuse.sourceforge.net/wiki/index.php/fuse.conf <- here is sample
Comment by Lukas Miczka (cpu) - Monday, 03 March 2008, 14:30 GMT
User doesn't have to be in disk group - optical and storage groups are enough - conclusion - point 4 is not needed.

So simply there's missing fuse.conf either in fuse or ntfs-3g but booth this packages should provide such config as ntfs-3g can exist without fuse package and use it's internal one.
Comment by Thomas Bächler (brain0) - Wednesday, 05 March 2008, 23:45 GMT
I won't build ntfs-3g with internal fuse. If there is a bug in fuse, it should be fixed in fuse, not in every application that uses it.
Comment by Thomas Bächler (brain0) - Saturday, 15 March 2008, 10:06 GMT
I read more on this and (contrary to my last statement) will build ntfs-3g with internal fuse.

Loading...