
Re: Mount Permissions


Greg Wooledge

Jun 4, 2023, 5:50:07 PM
On Sun, Jun 04, 2023 at 11:59:21AM -0400, ce wrote:
> I have a mountpoint where all files under it have a group `fuse`.

You need to provide details, or else nobody can help you with anything.

What kind of hardware is this file system on?

What kind of file system is it?

How did you mount it? (Show the command you used, and any output that
it produced.)

What does "mount" with no arguments say about the file system? (Hint:
you can grep for the name of the file system.)

What does the root level of the file system look like in "ls -la"?

What did you EXPECT it to look like?

Greg Wooledge

Jun 5, 2023, 7:30:08 AM
On Sun, Jun 04, 2023 at 11:00:18PM -0400, ce wrote:
> On 6/4/23 5:46 PM, Greg Wooledge <gr...@wooledge.org> wrote:
> > What kind of hardware is this file system on?
> >
> > What kind of file system is it?
> >
> > How did you mount it?  (Show the command you used, and any output that
> > it produced.)
> >
> > What does "mount" with no arguments say about the file system?  (Hint:
> > you can grep for the name of the file system.)
> >
> > What does the root level of the file system look like in "ls -la"?
> >
> > What did you EXPECT it to look like?
>
> sid amd64 with btrfs
>
> /etc/fstab:
>
> ```
> LABEL=part2 /mnt/part2 btrfs compress=lzo 0 1
> ```
>
> $ ls -l /mnt/part2
> ```
> drwxr-xr-x 1 me root 34 May 01 00:40 @subvolume
> ```
>
> $ ls -l /mnt/part2/@subvolume
>
> Some entries have user `me` but most entries have user `fuse`.
>
> Idk what mount says it's mounted automatically.
>
> chmod allows changing the group.
>
> Let's see what a reboot does.

OK, thank you for the details. Unfortunately, I know nothing about btrfs,
so I can't provide much help beyond this. I can only address this part:

> Idk what mount says it's mounted automatically.

You can run the command "mount" with no arguments to see the details of
each mounted file system. You don't even have to be root. I don't know
how btrfs subvolumes work, so I don't know whether they appear in the
output of mount, but you could try it and see.

Elena DP

Jun 7, 2023, 5:30:06 AM
I think you have a partition with a btrfs filesystem that uses compression with lzop.
Perhaps inside of it you have a file that is a compressed filesystem (that is, fuse: Filesystem in Userspace).

What can you see when you type in

$ cd /mnt/part2
$ ls -la


On Mon, 5 Jun 2023 at 6:32, ce (<chaose...@outlook.com>) wrote:
On 6/4/23 5:46 PM, Greg Wooledge <gr...@wooledge.org> wrote:

David Wright

Jun 7, 2023, 7:00:05 AM
On Sun 04 Jun 2023 at 11:59:21 (-0400), ce wrote:
> I have a mountpoint where all files under it have a group `fuse`.
>
> This is strange to me.
>
> As far as I can remember, Ubuntu doesn't do this.

Is this a system that's been around since wheezy? Up until then,
Debian had a system group called fuse, but this was unnecessary
from jessie onwards. I'd guess it had never been cleaned up on
your system. For details, see:

https://wiki.debian.org/SystemGroups

Cheers,
David.

Roger Price

Jun 8, 2023, 8:10:06 AM
I use the import program provided by Debian 11 (bullseye) to grab parts of the
screen. This worked well but I was having difficulty remembering that "import"
means "screen-grab". So as root I set up the soft link

ln -s /usr/bin/import /usr/bin/screen-grab

Now, whenever I try to run screen-grab or import or import-im6.q16 I get the
error message:

import-im6.q16: attempt to perform an operation not allowed by the security
policy `PS' @ error/constitute.c/IsCoderAuthorized/421.

So I removed the link, but calls to import still produce the error message.

How can I get back to the original behaviour? Where should I start
looking?

Roger

Greg Wooledge

Jun 8, 2023, 8:30:09 AM
On Thu, Jun 08, 2023 at 02:06:12PM +0200, Roger Price wrote:
> I use the import program provided by Debian 11 (bullseye) to grab parts of
> the screen. This worked well but I was having difficulty remembering that
> "import" means "screen-grab". So as root I set up the soft link
>
> ln -s /usr/bin/import /usr/bin/screen-grab
>
> Now, whenever I try to run screen-grab or import or import-im6.q16 I get the
> error message:
>
> import-im6.q16: attempt to perform an operation not allowed by the security
> policy `PS' @ error/constitute.c/IsCoderAuthorized/421.
>
> So I removed the link, but calls to import still produce the error message.

Creating that symlink has nothing to do with this problem... whatever
this problem is.

I tried googling the error message, and I get extremely confusing results,
but as near as I can tell, the fundamental issue seems to be a name
conflict between the import(1) shell command (/usr/bin/import) and the
Python "import" command for using modules.

Are you trying to run import from inside a python interpreter, or a
python virtual env? If so, that might be part of it. Otherwise, I'm
at a loss.

Thomas Schmitt

Jun 8, 2023, 8:50:06 AM
Hi,

Roger Price wrote:
> > import-im6.q16: attempt to perform an operation not allowed by the security
> > policy `PS' @ error/constitute.c/IsCoderAuthorized/421.

Greg Wooledge wrote:
> I tried googling the error message, and I get extremely confusing results,
> but as near as I can tell, the fundamental issue seems to be a name
> conflict between the import(1) shell command (/usr/bin/import) and the
> Python "import" command for using modules.

Google gives me the impression that the error message has to do with the
type of image to be created.
I see matching reports about "policy `PDF'" pointing to file
/etc/ImageMagick-6/policy.xml
which might contain lines like
<policy domain="coder" rights="none" pattern="PS" />

See for example
https://stackoverflow.com/questions/52998331/imagemagick-security-policy-pdf-blocking-conversion
https://suay.site/?p=2369&PageSpeed=noscript


Have a nice day :)

Thomas

Greg Wooledge

Jun 8, 2023, 9:00:06 AM
Fascinating. You must have got a completely different set of Google
results than I did.

Roger, what is the full command that you used? When I tested with
"import foo.png" it worked as expected.

Thomas Schmitt

Jun 8, 2023, 10:00:07 AM
Hi,

Greg Wooledge wrote:
> You must have got a completely different set of Google results than I did.

That's a known effect from Google watching people digging in the web.
But maybe this time it's only the search string. I entered

attempt to perform an operation not allowed by the security policy `PS'

At the same input now I get indeed a link to a Python problem that caused
ImageMagick's "import" to be run by mistake and to issue the policy
message. But the vast majority still points to the configuration in
/etc/ImageMagick-[67]/policy.xml

This here looks like a quite educated description of the PS refusal:

https://en.linuxportal.info/tutorials/troubleshooting/how-to-fix-errors-from-imagemagick-imagick-conversion-system-security-policy

ending with

"The cause of the problem
[...] A vulnerability was found in the program, which was first
remedied by disabling access to the file formats in question in the
config file above. Later, the bug was fixed correctly, a security
update was released, but the security rules were not restored.
[...]
https://security-tracker.debian.org/tracker/source-package/imagemagick
[...] CVE-2019-13300, CVE-2019-13304, CVE-2019-13306, CVE-2019-13307,
CVE-2019-15140, CVE-2019-19948"

Roger Price

Jun 8, 2023, 11:10:05 AM
On Thu, 8 Jun 2023, Greg Wooledge wrote:

> Roger, what is the full command that you used? When I tested with
> "import foo.png" it worked as expected.

I used to type "import foo.jpg" but got into the habit of typing "import
/tmp/foo" which produces the error message.

So this afternoon I went back to typing "import foo.jpg" and this works
correctly, exactly as expected. Thanks. Roger

PS I would have expected a PostScript file by default but now that I know that I
must specify an acceptable image type, I don't complain. The man page says “By
default, 'file' is written in the Postscript image format. To specify a
particular image format, precede the filename with an image format name and a
colon (i.e. ps:image) or specify the image type as the filename suffix (i.e.
image.ps).”

Roger Price

Jun 8, 2023, 11:20:05 AM
On Thu, 8 Jun 2023, Greg Wooledge wrote:

> Roger, what is the full command that you used? When I tested with
> "import foo.png" it worked as expected.

Previously I used to type "import foo.jpg" but got into the habit of typing
"import /tmp/foo" which I now understand produces the error message.

Greg Wooledge

Jun 8, 2023, 12:00:06 PM
On Thu, Jun 08, 2023 at 04:51:44PM +0200, Roger Price wrote:
> I used to type "import foo.jpg" but got into the habit of typing "import
> /tmp/foo" which produces the error message.
>
> So this afternoon I went back to typing "import foo.jpg" and this works
> correctly, exactly as expected. Thanks. Roger
>
> PS I would have expected a PostScript file by default but now that I know
> that I must specify an acceptable image type, I don't complain. The man
> page says “By default, 'file' is written in the Postscript image format.

Ahhh. Now it all makes sense. The default PostScript image type is
not allowed by policy, so you get this error if you don't specify any
image type, either implicitly with a filename dot-extension, or
explicitly with some ImageMagick command option.

David Wright

Jun 9, 2023, 3:40:07 AM
[3rd attempt; first two flagged as spam]

On Thu 08 Jun 2023 at 17:11:01 (+0200), Roger Price wrote:
> On Thu, 8 Jun 2023, Greg Wooledge wrote:
>
> > Roger, what is the full command that you used? When I tested with
> > "import foo.png" it worked as expected.

One might assume that that's because .png is an allowed filetype:

Rules are processed in order. Here we want to restrict ImageMagick to only
read or write a small subset of proven web-safe image types:

[ … ] domain="coder" rights="read|write" pattern="{GIF,JPEG,PNG,WEBP}"

> Previously I used to type "import foo.jpg" but got into the habit of
> typing "import /tmp/foo" which I now understand produces the error
> message.
>
> So this afternoon I went back to typing "import foo.jpg" and this
> works correctly, exactly as expected. Thanks. Roger
>
> PS I would have expected a PostScript file by default but now that I
> know that I must specify an acceptable image type, I don't complain.
> The man page says “By default, 'file' is written in the Postscript
> image format. To specify a particular image format, precede the
> filename with an image format name and a colon (i.e. ps:image) or
> specify the image type as the filename suffix (i.e. image.ps).”

That doesn't work on my bullseye, on account of:

domain="coder" rights="none" pattern="PS"

The first thing I do after installing imagemagick is to comment
out the corresponding line for PDF, very near the end of the file
/etc/ImageMagick-6/policy.xml. (Same for buster.) I haven't used
PS files for many years.

Cheers,
David.
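
The thread's conclusion (no suffix means PostScript, and the `PS` coder is denied by policy) can be checked with a short script. This is an added example, not part of any poster's message and not ImageMagick's own code; the function names and the sample policy are constructed, the format lookup simply upper-cases the suffix, and it assumes rules apply in file order with the last matching rule deciding.

```python
import fnmatch
import os
import xml.etree.ElementTree as ET

# Constructed sample in the shape of /etc/ImageMagick-6/policy.xml. The PS
# line is quoted in the thread; the PDF line is the one David refers to.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB" />
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PDF" />
</policymap>"""

def output_format(target):
    """Format 'import' would write: 'fmt:' prefix, else suffix, else PS."""
    head, sep, _ = target.partition(":")
    if sep and "/" not in head:
        return head.upper()
    ext = os.path.splitext(target)[1]
    return ext[1:].upper() if ext else "PS"  # man page: default is Postscript

def pattern_matches(pattern, name):
    """Glob match with one {A,B,C} alternation, as in the thread's example."""
    if pattern.startswith("{") and pattern.endswith("}"):
        alternatives = pattern[1:-1].split(",")
    else:
        alternatives = [pattern]
    return any(fnmatch.fnmatchcase(name, alt.strip()) for alt in alternatives)

def coder_rights(policy_xml, coder):
    """Rights left for a coder. Assumption: rules apply in file order and the
    last matching rule decides; no matching rule means no restriction."""
    rights = {"read", "write"}
    for rule in ET.fromstring(policy_xml).iter("policy"):
        if rule.get("domain") != "coder" or not rule.get("pattern"):
            continue
        if pattern_matches(rule.get("pattern"), coder):
            granted = rule.get("rights", "none").lower().split("|")
            rights = {r.strip() for r in granted} & {"read", "write"}
    return rights

def can_write(policy_xml, target):
    """True if the policy lets 'import' write the format implied by target."""
    return "write" in coder_rights(policy_xml, output_format(target))

if __name__ == "__main__":
    for target in ("/tmp/foo", "foo.png", "ps:image", "image.ps"):
        verdict = "allowed" if can_write(SAMPLE_POLICY, target) else "denied"
        print(f"import {target}: {output_format(target)} {verdict}")
```

To audit a real system, pass the contents of `/etc/ImageMagick-6/policy.xml` as `policy_xml` instead of the sample.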