From: David Schlachter
Date: Wed, 23 Jun 2021 10:34:22 -0400
Subject: Re: Only root can access a fusefs mount in a jail?
To: freebsd-jail@freebsd.org
List-Id: Discussion about FreeBSD jail(8)
List-Archive: https://lists.freebsd.org/archives/freebsd-jail

Found the solution — it wasn't a jail-specific issue. Fusefs mounts
are restricted to the user who mounted them, unless the 'allow_other' flag
is set on the mount. So, for another user to access root's fusefs mount, it
can be mounted as follows:

# sshfs -o uid=1001,gid=1001,allow_other user@server.tld: /mnt

David

On Fri, Jun 18, 2021 at 09:00, David Schlachter wrote:

> Thanks for your reply! In my jail, root is able to mount a fuse device. If
> the permissions on the mounted device (and its contents) are 0777, I expect
> that all other users in the jail should be able to view the contents of the
> mount (e.g. cd in to the mount, ls the files, etc). However, even though
> the device is mounted and the permissions should allow all other users to
> access the mount, only root can actually access it. I want root to be able
> to mount the device, and all other users to access it.