Since release >1.1120 there is a "built-in FUSE support by using a stripped down, integrated FUSE library" in the ntfs-3g driver.
I read that a potential security issue was fixed in the last 1.2216 release, but seemingly only while using the integrated fuse library :
from http://www.ntfs-3g.org/releases.html
# Fix: setuid-root ntfs-3g had a local root exploit and other security problems. From now on unprivileged mounts of block devices are possible only with using the integrated FUSE library (default) which has no known security problem.
I decided to try this option and I re-built the package without the fuse dependency and without the '--with-fuse=external' option.
It works without problem and I even removed the fuse package entirely, because it was installed only as a dependency for ntfs-3g.
This post is just for information and to confirm that the fuse package is not required any more for the ntfs-3g driver, and that presently the integrated fuse library could be safer to use than the external one in some cases.
It's not a big issue though.
Last edited by berbae (2008-03-02 23:02:57)
Offline
Thank you for your post!
Name : ntfs-3g
Version : 1.2216-1
carlocci /bin $ mount /media/Volume/
Mount is denied because setuid and setgid root ntfs-3g is insecure with the
external FUSE library. Either remove the setuid/setgid bit from the binary
or rebuild NTFS-3G with integrated FUSE support and make it setuid root.
Please see more information at http://ntfs-3g.org/support.html#unprivileged
Thank God there are these guys deciding for me about security policies... damn I'm pissed.
edit:
I'm having some problems with permission, it seems.
I PKGBUILDed ntfs-3g from abs in order to be able to mount as normal user but
carlocci ~ $ mount /media/Volume/
Error opening partition device: Permission denied
Failed to mount '/dev/sde1': Permission denied
Please check the volume and the ntfs-3g binary permissions,
and the mounting user ID. More explanation is provided at
http://ntfs-3g.org/support.html#unprivileged
carlocci /bin $
carlocci /bin $
carlocci /bin $ ls -l /bin/ntfs-3g
-rwsr-xr-x 1 root root 36588 3 mar 00:15 /bin/ntfs-3g
carlocci /bin $
carlocci /bin $
carlocci /bin $ ls -l /dev/sd*
brw-rw---- 1 root disk 8, 0 3 mar 00:11 /dev/sda
brw-rw---- 1 root disk 8, 1 3 mar 00:11 /dev/sda1
brw-rw---- 1 root disk 8, 2 3 mar 00:11 /dev/sda2
brw-rw---- 1 root disk 8, 3 2 mar 23:11 /dev/sda3
brw-rw---- 1 root disk 8, 4 3 mar 00:11 /dev/sda4
brw-rw---- 1 root disk 8, 16 3 mar 00:11 /dev/sdb
brw-rw---- 1 root disk 8, 17 3 mar 00:11 /dev/sdb1
brw-rw---- 1 root disk 8, 32 3 mar 00:11 /dev/sdc
brw-rw---- 1 root disk 8, 33 3 mar 00:11 /dev/sdc1
brw-rw---- 1 root disk 8, 48 3 mar 00:11 /dev/sdd
brw-rw---- 1 root disk 8, 49 3 mar 00:11 /dev/sdd1
brw-rw---- 1 root disk 8, 50 3 mar 00:11 /dev/sdd2
brw-rw---- 1 root disk 8, 64 3 mar 00:11 /dev/sde
brw-rw---- 1 root disk 8, 65 3 mar 00:38 /dev/sde1
brw-rw---- 1 root disk 8, 80 3 mar 00:11 /dev/sdf
brw-rw---- 1 root disk 8, 81 3 mar 00:11 /dev/sdf1
carlocci /bin $
carlocci /bin $
carlocci /bin $ groups
tty disk wheel locate games dbus hal network video audio optical floppy storage power users
mmh!
Suggestions are welcome.
Last edited by carlocci (2008-03-02 23:51:43)
Offline
Are you a member of the disk group ?
and did you make the ntfs-3g binary setuid root, after you compiled/installed it from abs ?
Just to be sure.
Offline
I am a member of the disk group
carlocci /bin $ groups
tty disk wheel locate games dbus hal network video audio optical floppy storage power users
ntfs-3g is +s
carlocci /bin $ ls -l /bin/ntfs-3g
-rwsr-xr-x 1 root root 36588 3 mar 00:15 /bin/ntfs-3g
It's funny because ntfsmount works.
edit:
it's probably an ntfs-3g bug:
http://forum.ntfs-3g.org/viewtopic.php?t=801
Last edited by carlocci (2008-03-03 11:14:46)
Offline
With latest ntfs-3g I can't mount any USB mass storage device - even mounting iPod gives me this error about ntfs-3g, mounting SDHC cards (FAT32) gives this too - maybe someone has a solution for this? I'm in storage and optical group - inserting cd/dvd works fine with hal...
Offline
I created a bug report about ntfs-3g problems with users mounting partitions.
http://bugs.archlinux.org/task/9748?str … nt%5B0%5D=
Offline
Here's how it works for me:
1. rebuild ntfs-3g from AUR without option "--with-fuse=external"
2. update package
3. create fuse.conf in /etc and put "user_allow_other"
4. in KDE just unselect "mount as user" in device properties (mounting tab)
Works for normal user
Thanks carlocci
Edit:
User doesn't have to be in disk group - optical and storage are enough
So simply there's a missing fuse.conf either in fuse or ntfs-3g, but both these packages should provide such a config, as ntfs-3g can exist without the fuse package and use its internal one.
Last edited by cpu (2008-03-03 14:28:49)
Offline
To carlocci
szaka the ntfs-3g Lead Developer doesn't agree with you that it is a ntfs-3g bug.
He wrote that three conditions must be satisfied to be able to do unprivileged block device mounts.
It works now only if :
1) NTFS-3G is compiled with integrated FUSE support
2) the ntfs-3g binary is set to setuid-root
3) the user has access rights to the volume and mount point.
So are you sure you have the rights to access the /media/Volume/ mount point ?
To cpu
I can use a FAT32 formatted USB memory stick. It doesn't use the ntfs-3g driver to be mounted.
If your USB mass storage device is ntfs formatted and you want to use it as an unprivileged user, do you fulfill the three conditions above ?
Offline
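The three conditions listed in the post above, turned into a read-only audit script (an added example, not code from the thread or from the ntfs-3g project). The function names, the result strings and the `ldd`-based test for an external libfuse are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the preconditions for unprivileged ntfs-3g mounts.
# Nothing is modified; all paths are passed in as arguments.

# True if FILE carries the setuid bit.
has_setuid_bit() { [ -u "$1" ]; }

# True if FILE is setuid AND owned by uid 0 (the "-rwsr-xr-x root" case).
is_setuid_root() {
    has_setuid_bit "$1" && [ "$(ls -lnd "$1" | awk '{print $3}')" = "0" ]
}

# Heuristic (assumption): a build against the external library is dynamically
# linked to libfuse, so ldd lists it; an integrated build does not.
fuse_linkage() {
    command -v ldd >/dev/null 2>&1 || { echo unknown; return 0; }
    if ldd "$1" 2>/dev/null | grep -q 'libfuse'; then
        echo external
    else
        echo integrated
    fi
}

# True if the calling user can open DEV read-write and write to directory MNT
# (this example's reading of "access rights to the volume and mount point").
user_has_access() {
    [ -r "$1" ] && [ -w "$1" ] && [ -d "$2" ] && [ -w "$2" ]
}

# Map the findings to an outcome.
# $1 = yes|no (setuid root)  $2 = external|integrated|unknown  $3 = yes|no (access)
classify() {
    [ "$1" = yes ] || { echo root-only; return 0; }
    case "$2" in
        external)   echo denied-external-fuse ;;  # the refusal quoted earlier
        integrated) if [ "$3" = yes ]; then echo unprivileged-ok
                    else echo no-access; fi ;;
        *)          echo unknown-fuse ;;
    esac
}

# ntfs3g_mount_check BINARY DEVICE MOUNTPOINT
ntfs3g_mount_check() {
    s=no; a=no
    if is_setuid_root "$1"; then s=yes; fi
    if user_has_access "$2" "$3"; then a=yes; fi
    classify "$s" "$(fuse_linkage "$1")" "$a"
}

if [ "$#" -eq 3 ]; then ntfs3g_mount_check "$@"; fi
```

Run as the user who will mount, with the binary, the block device and the mount point as the three arguments; `root-only` means the binary is not setuid-root, which is the configuration the ntfs-3g site recommends when unprivileged mounts are not needed.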
@berbae - everything works now, thanks for interest, ntfs-3g issue fixed as well.
Offline
To carlocci
szaka the ntfs-3g Lead Developer doesn't agree with you that it is a ntfs-3g bug.
He wrote that three conditions must be satisfied to be able to do unprivileged block device mounts.
It works now only if :
1) NTFS-3G is compiled with integrated FUSE support
The PKGBUILD I created the package with
# $Id: PKGBUILD,v 1.21 2008/02/26 14:45:14 thomas Exp $
# Maintainer: Thomas Baechler <thomas@archlinux.org>
pkgname=ntfs-3g
pkgver=1.2216
pkgrel=1
pkgdesc="Third generation Linux NTFS driver"
arch=(i686 x86_64)
url="http://www.ntfs-3g.org"
license=('GPL')
depends=()
makedepends=('pkgconfig')
source=(http://www.ntfs-3g.org/${pkgname}-${pkgver}.tgz)
md5sums=('d1664636d38e4ce8eb2af1f09bc5a15d')
options=(!libtool)
build() {
cd ${startdir}/src/${pkgname}-${pkgver}
ac_cv_path_LDCONFIG=/bin/true ./configure --prefix=/usr
make || return 1
make DESTDIR=$startdir/pkg install
}
2) the ntfs-3g binary is set to setuid-root
carlocci ~/abs/ntfs-3g $ ls -l /bin/ntfs-3g
-rwsr-xr-x 1 root root 36588 3 mar 16:39 /bin/ntfs-3g
3) the user has access rights to the volume and mount point.
So are you sure you have the rights to access the /media/Volume/ mount point ?
I think so since
carlocci ~/abs/ntfs-3g $ ls -ld /media/Volume/
drwxrwxr-x 2 root storage 4096 5 feb 16:28 /media/Volume/
carlocci ~/abs/ntfs-3g $ ls -l /dev/sde* /dev/fuse
crw-rw-rw- 1 root root 10, 229 3 mar 16:33 /dev/fuse
brw-rw---- 1 root disk 8, 64 3 mar 11:03 /dev/sde
brw-rw---- 1 root disk 8, 65 3 mar 11:03 /dev/sde1
carlocci ~/abs/ntfs-3g $ groups
tty disk wheel locate games dbus hal network video audio optical floppy storage power users
What am I missing?
Of course I created fuse.conf
carlocci ~/abs/ntfs-3g $ cat /etc/fuse.conf
user_allow_other
edit:
Alright I understood I can mount. But I have to set my default group (I used sg) to either disk or storage, and chmod o+w /dev/sde1 (if I set my default group to be storage) or /media/Volume (if I set my default group to be disk).
This way others can write anything to either the partition or the mount directory, which I don't think is good.
Even if I "chown root:disk" the dirs in /media/ I wouldn't be able to mount them from KDE, unless I set my default group to disk!
I don't understand why my default group is so important to ntfs-3g.
Thanks for your insights.
here is my fstab line concerning sde1
# /dev/sde1 label Volume
/dev/disk/by-uuid/68941CD6941CA918 /media/Volume ntfs-3g users,noauto,uid=1000,gid=95,fmask=0113,dmask=0002,nls=utf8 0 0
uid=1000 is carlocci
gid=95 should be storage
Offline
I see that you have the 'users,noauto' options in your /etc/fstab file.
I think that doesn't work with the ntfs-3g driver, which needs to be used instead with the setuid-root to give unprivileged users the right to mount block devices with it.
from http://ntfs-3g.org/support.html#unprivileged
Why don't the 'user' and 'users' options work in /etc/fstab?
The 'mount' command doesn't invoke the ntfs-3g binary with the needed privilege after it has checked and approved the user is entitled to mount a given device on a specified mount point, hereby the user can't open the device he got the approval in /etc/fstab. This is a problem in the 'mount' utility.
Solution: Use at least NTFS-3G 1.2216 with setuid-root set and make sure the user has access rights to the volume and mount point.
So if I were you I would remove the 'users,noauto' options from the ntfs-3g line in the /etc/fstab file.
Offline
@carlocci try to remove your user from disk group and mount from KDE your NTFS volume but deselect "mount as user" option in properties of volume which you want to mount - this works for me - now I can mount NTFS volume as normal pendrive and I'm not in disk group...
Offline
I see that you have the 'users,noauto' options in your /etc/fstab file.
I think that doesn't work with the ntfs-3g driver, which needs to be used instead with the setuid-root to give unprivileged users the right to mount block devices with it.
Use at least NTFS-3G 1.2216 with setuid-root set and make sure the user has access rights to the volume and mount point.
So if I were you I would remove the 'users,noauto' options from the ntfs-3g line in the /etc/fstab file.
I think that was to be read as "the users option is not enough: it's just a parameter for mount since you can only mount if ntfs-3g is o+s".
In fact removing users from my fstab makes mount complain:
carlocci /media $ LC_ALL="C" mount Volume/
mount: only root can mount /dev/sde1 on /media/Volume
As for the noauto option, I think I will have to remove it and have all my drives mounted automatically if I don't find any solution (even though I'd like to know what's wrong)
@carlocci try to remove your user from disk group and mount from KDE your NTFS volume but deselect "mount as user" option
I tried that alchemy: it doesn't work.
I think it's clear it's a permission problem.
Maybe if cpu or berbae posted their fstab and permissions and groups for /media/ and /dev/fuse and /dev/partitions (one device is enough), I could spot the difference.
Thank you for your help, it's greatly appreciated
Offline
Hmm carlocci but there's info on ntfs-3g site that mount won't work for normal user:
The 'mount' command doesn't invoke the ntfs-3g binary with the needed privilege after it has checked and approved the user is entitled to mount a given device on a specified mount point, hereby the user can't open the device he got the approval in /etc/fstab. This is a problem in the 'mount' utility.
Have you tried mounting by konqueror ? Like normal pendrive or SD card or camera... just unselect in properties "mount as user"
My fstab:
none /dev/pts devpts defaults 0 0
none /dev/shm tmpfs defaults 0 0
# /dev/cdrom /mnt/cdrom iso9660 ro,user,noauto,unhide 0 0
# /dev/dvd /mnt/dvd udf ro,user,noauto,unhide 0 0
/dev/sda3 /boot ext2 defaults,noatime 0 1
/dev/sda5 swap swap sw 0 0
/dev/sda6 / ext3 defaults,noatime 0 1
/dev/sda7 /home ext3 defaults,noatime 0 1
/media owner root:root
crw-rw-rw- 1 root root 10, 229 mar 3 21:59 /dev/fuse
brw-rw---- 1 root disk 8, 7 mar 3 21:59 /dev/sda7
cpu ~ $ groups
wheel games audio optical storage camera users cpu vboxusers
Last edited by cpu (2008-03-03 21:10:19)
Offline
carlocci wrote
I think that was to be read as "the users option is not enough: it's just a parameter for mount since you can only mount if ntfs-3g is o+s".
I agree that it can be understood like that, and it seems to be confirmed by your test without the 'users' option.
Apparently 'mount' needs it to call the ntfs-3g driver as a user, but the ntfs-3g driver needs to be setuid root to work in that way.
I'll give you info on my configuration, but I don't mount my ntfs partition as a user, but at boot time.
So I don't have the ntfs-3g binary setuid root.
From http://ntfs-3g.org/support.html#unprivileged
Please note that using setuid-root can result unforeseen privilege escalation and its usage is discouraged.
in /etc/fstab I have :
/dev/hda1 /windows ntfs-3g silent,fmask=0133,dmask=0022,locale=fr_FR@euro,uid=1000,gid=100 0 0
I have these permissions :
drwxr-xr-x 2 root root 4096 mar 3 09:22 /media
crw-rw---- 1 root root 10, 229 mar 3 10:21 /dev/fuse
brw-rw---- 1 root disk 3, 1 mar 3 10:21 /dev/hda1
drwxr-xr-x 1 berbae users 4096 fév 17 2007 /windows/
-rwxr-xr-x 1 root root 35980 mar 1 17:32 /bin/ntfs-3g
I'm member of the groups :
tty wheel log video audio optical floppy storage camera users
The ntfs-3g driver is compiled with the internal fuse library and I un-installed the Arch fuse package.
Last edited by berbae (2008-03-03 22:49:31)
Offline
Thank you both!
Removing the partition entry from /etc/fstab and subsequently mounting through HAL (the way cpu is mounting his partitions) works flawlessly. So it looks like it's a problem with mount, as it looks like it always had problems with permissions.
The 'mount' command doesn't invoke the ntfs-3g binary with the needed privilege after it has checked and approved the user is entitled to mount a given device on a specified mount point, hereby the user can't open the device he got the approval in /etc/fstab. This is a problem in the 'mount' utility.
I'm unsatisfied by this answer and I will research some more; yet I have a partial working solution, ie mounting through HAL or mounting at boot.
Thank you both again for your support.
Offline
I'm following carlocci's method and got ntfs-3g from ABS, ran makepkg with the following PKGBUILD:
# $Id: PKGBUILD,v 1.21 2008/02/26 14:45:14 thomas Exp $
# Maintainer: Thomas Baechler <thomas@archlinux.org>
pkgname=ntfs-3g
pkgver=1.2216
pkgrel=1
pkgdesc="Third generation Linux NTFS driver"
arch=(i686 x86_64)
url="http://www.ntfs-3g.org"
license=('GPL')
depends=('')
makedepends=('pkgconfig')
source=(http://www.ntfs-3g.org/${pkgname}-${pkgver}.tgz)
md5sums=('d1664636d38e4ce8eb2af1f09bc5a15d')
options=(!libtool)
build() {
cd ${startdir}/src/${pkgname}-${pkgver}
ac_cv_path_LDCONFIG=/bin/true ./configure --prefix=/usr
make || return 1
make DESTDIR=$startdir/pkg install
}
It compiles fine but then I get this on installing it:
~/installs/ntfs-3g # pacaur ntfs-3g-1.2216-1-i686.pkg.tar.gz
loading package data...
checking dependencies...
error: failed to prepare transaction (could not satisfy dependencies)
:: ntfs-3g: requires
That's all it does
Offline
You have to delete that line completely :
depends=('')
Offline
Thanks berbae. I wonder if my binary is set properly, I noticed it is "-rwx" instead of "-rws" in carlocci's post far above:
~/installs/ntfs-3g # ls -l /bin/ntfs-3g
-rwxr-xr-x 1 root root 35980 2008-03-08 16:51 /bin/ntfs-3g
Offline
Thanks berbae. I wonder if my binary is set properly, I noticed it is "-rwx" instead of "-rws" in carlocci's post far above:
That's the suid bit: it means you run that binary file as if you were the owner, which is root in this case.
You have to "chmod +s /bin/ntfs-3g" as root.
I hope this helps.
Offline
Thank you for your reply!
Sadly it looks like the kernel I'm using now has been patched, as I can find the patch inside my abs directory:
$ cat /var/abs/core/base/kernel26/fuse-2.6.24.patch
From: Miklos Szeredi <mszer...@suse.cz>
Index: linux/fs/fuse/dir.c
===================================================================
--- linux.orig/fs/fuse/dir.c 2008-02-15 10:46:06.000000000 +0100
+++ linux/fs/fuse/dir.c 2008-02-15 11:05:46.000000000 +0100
@@ -906,7 +906,7 @@ static int fuse_permission(struct inode
}
if (fc->flags & FUSE_DEFAULT_PERMISSIONS) {
- int err = generic_permission(inode, mask, NULL);
+ err = generic_permission(inode, mask, NULL);
/* If permission is denied, try to refresh file
attributes. This is also needed, because the root
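Review bot: the patch as quoted has no description explaining why `int` is dropped from `err = generic_permission(inode, mask, NULL);` inside the `FUSE_DEFAULT_PERMISSIONS` branch. With the declaration removed, the assignment targets an `err` declared outside this block instead of a block-local variable, so the result of the permission check is no longer confined to the branch; a changelog line stating that, and that the outer `err` is what the function goes on to use, would make the security relevance reviewable. The outer declaration is not visible in this hunk, so it should be checked that it exists and is initialized on paths that skip this branch.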
Even though I haven't really tested it, nor do I know how to check this without recompiling it.
I fear I will have to recompile the kernel just to be sure.
Offline
Okay, I've installed ntfs-3g as instructed, I still cannot mount my USB NTFS partition. It's /dev/sdd1, it creates a /media/disk every time but it doesn't allow me to browse it. If I change ownership and permissions of /media/disk while it's mounted, I can browse it but it never lets me write to it, even with 777 and my user being owner. Then if I unmount it and mount it again, it reverts of course to default permission/ownership of:
drwx------ 1 root root 4096 2008-03-07 23:24 disk
I can't get this to work
Offline
Okay, I've installed ntfs-3g as instructed, I still cannot mount my USB NTFS partition.
...
I can't get this to work
Since I don't use carlocci's method, I cannot help you with it. I've not really understood what it consists of exactly.
I mount my ntfs partition at boot time as explained above, so if you want to try that, I could give details if you need them.
Offline
Yes I have my XP NTFS partition mounted on boot just fine. I'm having challenges with this sata drive that is in an enclosure externally connected via USB. It's not a big deal for me, I can easily format it to FAT, it's just a tiny 20gb partition that I keep that way in case I need to get on a Windows box and transfer data or something. I just refuse to give up, I know this can work!
Offline