On Fri, 10 May 2024 at 13:19:35 +0000, Corey Lopez wrote:
> Also, I ran the lsof command, which helped me discover
> the type of file systems that were being used. This prompted me to use apt
> purge
> to remove Gnome Virtual File System from my laptop.
>
> # lsof /dev/loop*
>
> I received this in response:
>
> can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
> can't stat() fuse.portal file system /run/user/1000/doc

This is not evidence of a compromise, and is also nothing to do with /dev/loop* specifically. You would see the same thing on a system that is operating correctly, or when issuing other lsof commands as root that do not involve /dev/loop*.

These are FUSE filesystems running as uid 1000, which by default are not accessible *by root* - which might seem strange at first glance, but is an intentional security mechanism to protect root from being attacked by uid 1000 (see mount.fuse3(8) for details).

fuse.gvfsd-fuse is gvfs (not to be confused with gnomevfs, which is a much older implementation of the same general concept) making various remote and virtual filesystems such as SMB and WebDAV available to non-GLib-based applications as a FUSE filesystem.

fuse.portal is xdg-documents-portal, part of xdg-desktop-portal, and is used to share a subset of documents between the host system and sandboxed apps such as Flatpak and Snap under user control, without needing to extend a higher level of trust to those apps by sharing entire directories.

    smcv
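
The access rule described in the reply above, as an added example that is not part of the original thread: a small shell function that reads mount entries in /proc/self/mounts format and reports which FUSE mounts root would be refused on, so the "can't stat()" lines from lsof can be matched to ordinary per-user mounts. The function name, the verdict labels and the sample entries (including the sshfs line) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify FUSE mounts by whether root's stat() is refused.
# Input lines use the /proc/self/mounts layout:
#   device mountpoint fstype options dump pass

# Constructed sample, not captured from a real system. The first two entries
# mirror the mounts named in the thread; the sshfs entry is hypothetical and
# shows a FUSE mount made with allow_other.
SAMPLE_MOUNTS='gvfsd-fuse /run/user/1000/gvfs fuse.gvfsd-fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
portal /run/user/1000/doc fuse.portal rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
/dev/sda1 / ext4 rw,relatime 0 0
fileserver.example:/srv /mnt/srv fuse.sshfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,allow_other 0 0'

# Prints one line per FUSE mount: "mountpoint fstype owner_uid verdict".
# verdict is root-denied when the mount belongs to a non-root uid and lacks
# allow_other, which is the case that makes lsof (run as root) print
# "can't stat()".
classify_fuse_mounts() {
    awk '
    # fusectl is the kernel control filesystem, not a userspace FUSE mount
    $3 ~ /^fuse/ && $3 != "fusectl" {
        uid = "?"; allow_other = 0
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            if (opt[i] ~ /^user_id=/) uid = substr(opt[i], 9)
            if (opt[i] == "allow_other") allow_other = 1
        }
        verdict = (allow_other || uid == "0") ? "root-ok" : "root-denied"
        print $2, $3, uid, verdict
    }'
}

# Run on the constructed sample. On a live system use:
#   classify_fuse_mounts < /proc/self/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | classify_fuse_mounts
```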