Received: by 2002:ab2:6a05:0:b0:1f8:1780:a4ed with SMTP id w5csp1042931lqo; Sat, 11 May 2024 05:16:21 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCVWPY+U5Oz0ZgURkp9r6wwJoT/PsJ2WywXCeqNf6zG0OJfLD3XGXIHcNor6Bb3iRwSrCTr0DrVpVQR26/aAK3syaswNGkuNfepTIp9wHQ== X-Google-Smtp-Source: AGHT+IG+cQuImxDZeQ5M4cp9dy7fT1Y0aWlqNZ9qZ6qX4OUscIcE8FRlwLeiTJu3nnBe7b8DnLOV X-Received: by 2002:a50:a6d7:0:b0:572:6aaf:e0d3 with SMTP id 4fb4d7f45d1cf-5734d5973famr3786465a12.7.1715429781529; Sat, 11 May 2024 05:16:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1715429781; cv=none; d=google.com; s=arc-20160816; b=fM2ODP9bTOzao+N1IoOK294j2UiG/a+ba1KgomS5FvzDLlxujfGN5PbBZGWt5k+qHO jNlEr8RNnnfosS6/VsK9UE44e0ojDEcXp50plpDH/gM23Vj2uHf56L+qDTyMWYwMD3/E oBP5eDJxc9DXne5VLs0VHM8V6CTPNQeAxWiKXzsSTm+A2W46wgcYNHTn58HhzNRnOIzq BMOdVBYEplaHvVEBqERs0yO7Gnp273CqRaR7ZXmE3VVGuj0OVpJK+cHb1t3PcGtBtazZ GroYs+XuHamD8DyfY0ZPoMZWSmGOso4SfeVWBoMAZZqKnWAxbHrNuuqfiSxKyBDT/0/c 4Psg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=subject:in-reply-to:content-disposition:mime-version:references :message-id:to:from:date:dkim-signature:delivered-to:reply-to :list-id:list-subscribe:list-unsubscribe:list-help:list-post :precedence:mailing-list; bh=QStxTdJzuoMcSrtZXHp29SmBdWS8oFUKnP6BvkM1wlE=; fh=9jsPTyo6edd9xvAeG+KFFrRrXMmgB/RdwUKOrvy9dcA=; b=Oi+gZWKD0ECExpIpZXVIkB1bcknBo6EW1TKOIXyhh1mQEG1isawRcF/KWx92svu9be dSrU5moHE0QGQoUeB4q7ycfa4DiX6sbLIYEOncincGZ1ZlGBEofDOk18ejyCkIuh0h6A tsENuzhxOvoczIA9dQHSPJB+txa/VCMbOHmiysjBzuY1Q3r7nab9NP/PJOcSei45ZXM0 BX0ZCSwhtZZapBTKuRAGMpeOoqrlVlhkSCKgQGL6UNTczB7J3dds4t0GLqXqOYOVQCxm IgsiRZ05PkVNxr20EKukfIh2at+iYKEE//k/+KV1NVZJYpl3N24cP1h989BscDWWqvY3 jYLQ==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@debian.org header.s=smtpauto.stravinsky header.b=QATzeivQ; spf=pass (google.com: domain of oss-security-return-30145-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30145-linux.lists.archive=gmail.com@lists.openwall.com" Return-Path: Received: from second.openwall.net (second.openwall.net. [193.110.157.125]) by mx.google.com with SMTP id 4fb4d7f45d1cf-5733beacf74si2938324a12.101.2024.05.11.05.16.21 for ; Sat, 11 May 2024 05:16:21 -0700 (PDT) Received-SPF: pass (google.com: domain of oss-security-return-30145-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) client-ip=193.110.157.125; Authentication-Results: mx.google.com; dkim=fail header.i=@debian.org header.s=smtpauto.stravinsky header.b=QATzeivQ; spf=pass (google.com: domain of oss-security-return-30145-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30145-linux.lists.archive=gmail.com@lists.openwall.com" Received: (qmail 5269 invoked by uid 550); 11 May 2024 12:16:05 -0000 Mailing-List: contact oss-security-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: oss-security@lists.openwall.com Delivered-To: mailing list oss-security@lists.openwall.com Received: (qmail 5236 invoked from network); 11 May 2024 12:16:04 -0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debian.org; s=smtpauto.stravinsky; h=X-Debian-User:In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:To:From:Date:Reply-To:Cc: Content-Transfer-Encoding:Content-ID:Content-Description; bh=QStxTdJzuoMcSrtZXHp29SmBdWS8oFUKnP6BvkM1wlE=; b=QATzeivQnX3O04I6HnCQaayW7Q qZgnCF/MgErmshWQNFg+aOln6ZvaNYDF3NW6Tp5c8OD3quUU16Y8YoRHMrZbOoKmkxbwEv7sc525y 4B1Ea/ysDH54NVOI1k1FFwryNZUFjouyrXhb7BqNOWYxH2Wz86Jukex9Uh46AgDeNaZy2cIOzT2Qe rMSsWgLAdUjZlz8VaS0llbFT74AIkyyjLoAvZ65Hwo5HP+HiWUjc4xa8AgVlrRqo4O5CVaa2vXaSX pLl5Kk9huR+ZgSv68McvIWtFHnsNlZCx1WieY4IxPrkRYRTViCGTMGh5tduzn+lapi3qf8j21U+6F qsFObvQg==; Date: Sat, 11 May 2024 13:15:53 +0100 From: Simon McVittie To: oss-security@lists.openwall.com Message-ID: References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Debian-User: smcv Subject: [oss-security] Re: lsof "can't stat() fuse.${name} filesystem /run/user/1000/${dir}" On Fri, 10 May 2024 at 13:19:35 +0000, Corey Lopez wrote: > Also, I ran the lsof command, which helped me discover > the type of file systems that were being used. This prompted me to use apt purge > to remove Gnome Virtual File System from my laptop. > > # lsof /dev/loop* > > I received this in response: > > can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs > can't stat() fuse.portal file system /run/user/1000/doc This is not evidence of a compromise, and is also nothing to do with /dev/loop* specifically. You would see the same thing on a system that is operating correctly, or when issuing other lsof commands as root that do not involve /dev/loop*. These are FUSE filesystems running as uid 1000, which by default are not accessible *by root* - which might seem strange at first glance, but is an intentional security mechanism to protect root from being attacked by uid 1000 (see mount.fuse3(8) for details). fuse.gvfsd-fuse is gvfs (not to be confused with gnomevfs, which is a much older implementation of the same general concept) making various remote and virtual filesystems such as SMB and WebDAV available to non-GLib-based applications as a FUSE filesystem. fuse.portal is xdg-documents-portal, part of xdg-desktop-portal, and is used to share a subset of documents between the host system and sandboxed apps such as Flatpak and Snap under user control, without needing to extend a higher level of trust to those apps by sharing entire directories. smcv