Jail limited user cannot access host mountpoint although jail root can

Ernie Luzar luzar722 at gmail.com
Sat Mar 11 18:34:25 UTC 2017

DaLynX via freebsd-questions wrote:
> Alnis Morics <alnis.moritz at gmail.com> wrote:
>> On 03/11/2017 04:59, DaLynX via freebsd-questions wrote:
>>> Hello,
>>> I am trying to make my setup work with jails and got stuck in the
>>> following situation:
>>> - Host is mounting a fuse filesystem (because I couldn't make it work directly inside the jail - although the /dev/fuse device was accessible) in the jail's chroot.
>>> - From root at host, everything looks fine.
>>> - root at jail, too, can access the mounted filesystem, read files, no problem.
>>> - limited at jail can see the mountpoints but cannot access them in any way (no cd, no ls...) although the file permissions look okay (it's all 755, and for some reason limited is the owner of all mountpoints).
>>> What could have gone wrong? I tried playing around with
>>> vfs.usermount on the host or enforce_statfs on the jail but it
>>> makes no difference.
>>> Any pointers would be greatly appreciated.
>>> Kind regards,
>>> DaLynX
>> Why not use mount_nullfs(8)? Like:
>> mount_nullfs <directory_on_host>
>> /usr/jails/<jailname>/<dir_on_jail>
>> -Alnis
> Dear Alnis,
> Thank you for your answer but I fail to see how nullfs could
> help. Do you mean I should first mount my fusefs'es somewhere on
> my host - say /mnt/ - and then use nullfs to map them to the jail
> dirs? (/iocage/jails/<jail_id>/root/mnt/, in my case)
> Would there be a difference in fusefs / nullfs functionality or
> implementation that would explain different behaviour in the
> jails in the end, and the problem I am facing?
> If you meant using nullfs instead of fuse I am afraid you are
> missing the point. I want to use tools such as sshfs or
> archivemount, that are based on fuse.

It's my understanding that fuse just does not play well with jails. This 
has been known for a long time but just not general public knowledge. 
There have been many reports from people trying to use fuse to mount the 
shared binary running system at jail start time without any success. The 
resulting solution is to use nullfs mounts.

I think what the previous post is saying; is to use nullfs to mount the 
shared binary running system. Then try to activate fuse for the other 
tasks using the poststart.exec variable. That way the jail is up and 
running before any fuse things are started.

If that don't work them you have to accept that those fuse based tools 
are NOT going to be able to run in a jail. They were never designed with 
jails in mind.

More information about the freebsd-questions mailing list