Date: Fri, 18 Jun 2021 12:59:43 +0200
From: Crest <crest@rlwinm.de>
To: freebsd-jail@freebsd.org
Subject: Re: Only root can access a fusefs mount in a jail?
Message-ID: <5277b3d5-dd8a-bb45-5dbd-aa9c66d9ce72@rlwinm.de>
In-Reply-To: <CAF104kOX_E3tmBoFgZgqh6AQfnm7UdGwQfHOYWf_r==HfzVQTQ@mail.gmail.com>
References: <CAF104kOX_E3tmBoFgZgqh6AQfnm7UdGwQfHOYWf_r==HfzVQTQ@mail.gmail.com>

On 18.06.21 12:14, David Schlachter wrote:
> Hi all,
>
> I posted about this in the iocage issues on Github yesterday [1], but I
> wonder if it's an underlying issue with jails and fusefs. Summary: in a
> jail, root can mount and use a fusefs filesystem, but non-root users are
> not able to access it (with appropriate permissions). I'd appreciate any
> insight on how I could allow regular users to use such a filesystem
> (mounted by root).
>
> Detailed description to reproduce:
>
> Create a jail with the options:
> - allow_mount: 1
> - allow_mount_fusefs: 1
> - enforce_statfs: 1
>
> On the host, ensure the fusefs kernel module is loaded. In the guest, add
> an unprivileged user (e.g. UID=1001), then install fusefs-sshfs and use it
> to mount a remote server:
>
> # sshfs -o uid=1001,gid=1001 user@server.tld: /mnt
>
> Root is able to ls the mount, add & remove files, etc.
>
> root@fuse-jail:~ # ls -la /mnt
> total 4545
> drwxr-x--x 1 user user 84 Jun 17 18:51 .
> drwxr-xr-x 20 root wheel 25 May 30 22:14 ..
> -rw------- 1 user user 2867 Apr 9 2019 .bash_history
> -rw-r--r-- 1 user user 9286 Jun 17 06:00 .bash_profile
> lrwxr-xr-x 1 user user 52 Jan 23 2020 .bashrc
> drwx------ 1 user user 12 May 18 12:49 .cache
> ...
>
> However, the unprivileged user cannot, despite being the owner of the
> directory.
>
> user@fuse-jail:~ % ls -la /
> ...
> drwxr-x--x 1 user user 84 Jun 17 18:51 mnt
> ...
>
> user@fuse-jail:~ % ls -la /mnt
> total 0
> ls: /mnt: Operation not permitted
>
> Expected behaviour is that user can access /mnt.
>
> Thanks in advance for any ideas!
> David

To mount a FUSE file system you need write access to the fuse device and
the permission to mount a file system. The first is controlled by
permissions on the fuse device(s); the second is controlled through the
vfs.usermount sysctl. By default only root is allowed to mount file
systems.