Re: Only root can access a fusefs mount in a jail?
Date: Fri, 18 Jun 2021 10:59:43 UTC
On 18.06.21 12:14, David Schlachter wrote:
> Hi all,
>
> I posted about this in the iocage issues on GitHub yesterday [1], but I
> wonder if it's an underlying issue with jails and fusefs. Summary: in a
> jail, root can mount and use a fusefs filesystem, but non-root users are
> not able to access it (with appropriate permissions). I'd appreciate any
> insight on how I could allow regular users to use such a filesystem
> (mounted by root).
>
> Detailed description to reproduce:
>
> Create a jail with the options:
> - allow_mount: 1
> - allow_mount_fusefs: 1
> - enforce_statfs: 1
>
> On the host, ensure the fusefs kernel module is loaded. In the guest, add
> an unprivileged user (e.g. UID=1001), then install fusefs-sshfs and use it
> to mount a remote server:
>
> # sshfs -o uid=1001,gid=1001 user@server.tld: /mnt
>
> Root is able to ls the mount, add & remove files, etc.
>
> root@fuse-jail:~ # ls -la /mnt
> total 4545
> drwxr-x--x   1 user  user     84 Jun 17 18:51 .
> drwxr-xr-x  20 root  wheel    25 May 30 22:14 ..
> -rw-------   1 user  user   2867 Apr  9  2019 .bash_history
> -rw-r--r--   1 user  user   9286 Jun 17 06:00 .bash_profile
> lrwxr-xr-x   1 user  user     52 Jan 23  2020 .bashrc
> drwx------   1 user  user     12 May 18 12:49 .cache
> ...
>
> However, the unprivileged user cannot, despite being the owner of the
> directory.
>
> user@fuse-jail:~ % ls -la /
> ...
> drwxr-x--x   1 user  user     84 Jun 17 18:51 mnt
> ...
>
> user@fuse-jail:~ % ls -la /mnt
> total 0
> ls: /mnt: Operation not permitted
>
> Expected behaviour is that user can access /mnt.
>
> Thanks in advance for any ideas!
> David

To mount a FUSE file system you need write access to the fuse device and
the permission to mount a file system. The first is controlled by
permissions on the fuse device(s); the second is controlled through the
vfs.usermount sysctl. By default only root is allowed to mount file systems.
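
The two prerequisites named in the reply above, checked for the user who runs the function inside the jail. This is an added example, not part of the original thread; the function name and the /dev/fuse default path are assumptions.

```shell
#!/bin/sh
# Added example: report which mount prerequisite is missing for the
# current (unprivileged) user. Root may mount regardless of vfs.usermount.
#   $1  FUSE device node (assumed default: /dev/fuse)
#   $2  value of vfs.usermount (default: read with sysctl)
# Return status is a bitmask:
#   1 = no write access to the device, 2 = user mounts disabled.
fuse_mount_prereqs() {
    _dev=${1:-/dev/fuse}
    _usermount=${2:-$(sysctl -n vfs.usermount 2>/dev/null)}
    _missing=0

    # Prerequisite 1: write access to the fuse device node.
    if [ -w "$_dev" ]; then
        echo "ok:   $(id -un) has write access to $_dev"
    else
        echo "FAIL: $(id -un) has no write access to $_dev"
        # Show owner, group and mode so the fix is visible.
        ls -l "$_dev" 2>/dev/null || echo "      $_dev does not exist"
        _missing=$((_missing | 1))
    fi

    # Prerequisite 2: vfs.usermount must be non-zero for non-root users.
    case "${_usermount:-0}" in
        0)
            echo "FAIL: vfs.usermount is 0 or unset, only root may mount"
            _missing=$((_missing | 2))
            ;;
        *)
            echo "ok:   vfs.usermount=$_usermount"
            ;;
    esac

    return "$_missing"
}
```

Call `fuse_mount_prereqs` with no arguments as the unprivileged user; a non-zero exit status tells you which of the two settings to look at.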