Date:      Fri, 18 Jun 2021 12:59:43 +0200
From:      Crest <crest@rlwinm.de>
To:        freebsd-jail@freebsd.org
Subject:   Re: Only root can access a fusefs mount in a jail?
Message-ID:  <5277b3d5-dd8a-bb45-5dbd-aa9c66d9ce72@rlwinm.de>
In-Reply-To: <CAF104kOX_E3tmBoFgZgqh6AQfnm7UdGwQfHOYWf_r==HfzVQTQ@mail.gmail.com>
References:  <CAF104kOX_E3tmBoFgZgqh6AQfnm7UdGwQfHOYWf_r==HfzVQTQ@mail.gmail.com>

On 18.06.21 12:14, David Schlachter wrote:
> Hi all,
>
> I posted about this in the iocage issues on Github yesterday [1], but I
> wonder if it's an underlying issue with jails and fusefs. Summary: in a
> jail, root can mount and use a fusefs filesystem, but non-root users are
> not able to access it (with appropriate permissions). I'd appreciate any
> insight on how I could allow regular users to use such a filesystem
> (mounted by root).
>
> Detailed description to reproduce:
>
> Create a jail with the options:
> - allow_mount: 1
> - allow_mount_fusefs: 1
> - enforce_statfs: 1
>
> On the host, ensure the fusefs kernel module is loaded. In the guest, add
> an unprivileged user (e.g. UID=1001), then install fusefs-sshfs and use it
> to mount a remote server:
>
> # sshfs -o uid=1001,gid=1001 user@server.tld: /mnt
>
> Root is able to ls the mount, add & remove files, etc.
>
> root@fuse-jail:~ # ls -la /mnt
> total 4545
> drwxr-x--x   1 user  user       84 Jun 17 18:51 .
> drwxr-xr-x  20 root  wheel      25 May 30 22:14 ..
> -rw-------   1 user  user     2867 Apr  9  2019 .bash_history
> -rw-r--r--   1 user  user     9286 Jun 17 06:00 .bash_profile
> lrwxr-xr-x   1 user  user       52 Jan 23  2020 .bashrc
> drwx------   1 user  user       12 May 18 12:49 .cache
> ...
>
> However, the unprivileged user cannot, despite being the owner of the
> directory.
>
> user@fuse-jail:~ % ls -la /
> ...
> drwxr-x--x   1 user  user    84 Jun 17 18:51 mnt
> ...
>
> user@fuse-jail:~ % ls -la /mnt
> total 0
> ls: /mnt: Operation not permitted
>
> Expected behaviour is that user can access /mnt.
>
> Thanks in advance for any ideas!
> David

To mount a FUSE file system you need write access to the fuse device and
the permission to mount a file system. The first is controlled by
permissions on the fuse device(s); the second is controlled through the
vfs.usermount sysctl. By default only root is allowed to mount file systems.
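As an added example (not from either message in the thread), a small sh audit script that checks the preconditions Crest names (write access to the fuse device, vfs.usermount) together with the jail parameters David lists, run on the host as root. The jls/jexec/sysctl invocations are my own; the decision logic is kept in a separate function so it can be exercised without a FreeBSD host.

```shell
#!/bin/sh
# Added audit script, not part of the thread. Reports which preconditions for
# a non-root FUSE mount inside a jail are missing.
# Usage on the FreeBSD host as root: sh fuse-jail-audit.sh <jailname> <jail user>

# Normalise a boolean as printed by jls ("true"/"false") or sysctl (1/0) to 1/0.
as_bit() { case "$1" in 1|true) echo 1 ;; *) echo 0 ;; esac; }

# Pure decision logic, separated from the probes.
# Args: usermount(0/1) fuse_writable(0/1) allow_mount(0/1) allow_fusefs(0/1)
# Prints each missing precondition; returns the number of gaps (0 = all met).
fuse_mount_gaps() {
    gaps=0
    [ "$1" = 1 ] || { echo "vfs.usermount=0: only root may mount (host sysctl vfs.usermount)"; gaps=$((gaps+1)); }
    [ "$2" = 1 ] || { echo "fuse device not writable by the user: check devfs rules/permissions in the jail"; gaps=$((gaps+1)); }
    [ "$3" = 1 ] || { echo "jail parameter allow.mount is off"; gaps=$((gaps+1)); }
    [ "$4" = 1 ] || { echo "jail parameter allow.mount.fusefs is off"; gaps=$((gaps+1)); }
    return $gaps
}

# Probes. vfs.usermount is a host-wide sysctl, not a jail parameter, so it is
# read on the host; the fuse device is tested as the jail user inside the jail,
# i.e. against the devfs view that user actually gets.
probe_jail() {
    jail=$1; user=$2
    um=$(as_bit "$(sysctl -n vfs.usermount 2>/dev/null)")
    am=$(as_bit "$(jls -j "$jail" allow.mount 2>/dev/null)")
    af=$(as_bit "$(jls -j "$jail" allow.mount.fusefs 2>/dev/null)")
    if jexec -U "$user" "$jail" test -w /dev/fuse 2>/dev/null; then fw=1; else fw=0; fi
    fuse_mount_gaps "$um" "$fw" "$am" "$af"
}

if [ "$#" -eq 2 ]; then
    probe_jail "$1" "$2" && echo "all mount preconditions met for $2 in jail $1"
fi
```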