Re: RFC: ACLs on fusefs

From: Shawn Webb <shawn.webb_at_hardenedbsd.org>
Date: Sat, 03 Aug 2024 16:00:39 UTC

On Sat, Aug 03, 2024 at 09:03:38AM -0600, Alan Somers wrote:
> On Fri, Aug 2, 2024 at 10:13 PM Jamie Landeg-Jones <jamie@catflap.org> wrote:
> >
> > Alan Somers <asomers@FreeBSD.org> wrote:
> >
> > > TLDR;
> > > how useful would it be if fusefs(4) could support ACLs?
> >
> > I, personally, don't use ACLs generally, so have not missed them on
> > fusefs.
> >
> > However, I do make extensive use of XATTRs, so those are what I've
> > really missed.
> >
> > I didn't know xattrs were now supported - is that a new thing, or maybe
> > the client I use (borg's sshfs implementation) needs to be updated?
> >
> > Cheers, Jamie
> 
> Our fusefs has supported xattrs for a long time.  But the specific
> fuse file system needs support too.  Looking right now, I don't see
> any support in sysutils/fusefs-sshfs .

In fact, I have a (significantly buggy) proof-of-concept fusefs server
that stores file payload data as extended attributes. Since the tar
file format supports extended attributes, this makes data exfiltration
somewhat easier.

Though, I suppose, since my proof-of-concept is buggy, using my
solution would make data exfil somewhat more difficult. ;-)

Hopefully someday, I'll have the time to finish the PoC and make it
usable for production.

PoC code: https://git.hardenedbsd.org/shawn.webb/altfs

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc