From: CyberLeo Kitsana
To: DaLynX, freebsd-questions
Subject: Re: Jail limited user cannot access host mountpoint although jail root can
Date: Mon, 13 Mar 2017 05:37:45 -0500
Message-ID: <90c205ea-fbaf-14de-4c83-81421838510b@cyberleo.net>

On 03/10/2017 08:59 PM, DaLynX via freebsd-questions wrote:
> Hello,
>
> I am trying to make my setup work with jails and got stuck in the
> following situation:
>
> - Host is mounting a fuse filesystem (because I couldn't make it work
>   directly inside the jail - although the /dev/fuse device was
>   accessible) in the jail's chroot.
> - From root@host, everything looks fine.
> - root@jail, too, can access the mounted filesystem, read files, no
>   problem.
> - limited@jail can see the mountpoints but cannot access them in any
>   way (no cd, no ls...) although the file permissions look okay (it's
>   all 755, and for some reason limited is the owner of all
>   mountpoints).
>
> What could have gone wrong? I tried playing around with
> vfs.usermount on the host or enforce_statfs on the jail but it
> makes no difference.
>
> Any pointers would be greatly appreciated.

Fuse filesystems include an additional security measure by default
whereby only the uid of the mounter is permitted to access the
mountpoint; even root is forbidden from accessing non-root fuse mounts.

Read up on the allow_other fuse mount option for further details.

-- 
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net
Element9 Communications
http://www.Element9.net

Furry Peace! - http://www.fur.com/peace/