From: David Schlachter
Date: Fri, 18 Jun 2021 09:00:31 -0400
Subject: Re: Only root can access a fusefs mount in a jail?
To: freebsd-jail@freebsd.org
List-Id: Discussion about FreeBSD jail(8)
List-Archive: https://lists.freebsd.org/archives/freebsd-jail

On Fri, 18 Jun 2021 at 07:00, Crest wrote:

> To mount a FUSE file system you need write access to the fuse device and
> the permission to mount a file system. The first is controlled by
> permissions on the fuse device(s); the second is controlled through the
> vfs.usermount sysctl. By default only root is allowed to mount file
> systems.

Thanks for your reply! In my jail, root is able to mount a fuse device. If
the permissions on the mounted device (and its contents) are 0777, I expect
that all other users in the jail should be able to view the contents of the
mount (e.g. cd into the mount, ls the files, etc). However, even though the
device is mounted and the permissions should allow all other users to access
the mount, only root can actually access it.

I want root to be able to mount the device, and all other users to access it.

David