mpartel / bindfs

Mount a directory elsewhere with changed permissions.
https://bindfs.org/
GNU General Public License v2.0

bindfs and namespaces #10

Open myitcv opened 10 years ago

myitcv commented 10 years ago

Hi - I'm wondering how the following can be achieved using bindfs.

An important note for what follows: I have unshare setuid:

$ ls -la /usr/bin/unshare
-rwsr-xr-x 1 root root 10432 Jun 12  2013 /usr/bin/unshare

All of the commands that follow are run as an unprivileged user.

In terminal 1:

$ unshare -m  /bin/bash
$ sudo mount -n --bind /home/myitcv/a /home/myitcv/xyz
$ ls /home/myitcv/xyz
aaaa.txt

In another terminal, terminal 2:

$ unshare -m  /bin/bash
$ sudo mount -n --bind /home/myitcv/b /home/myitcv/xyz
$ ls /home/myitcv/xyz
bbbb.txt

If I try something similar with bindfs I get the following.

Terminal 1's commands succeed:

$ unshare -m  /bin/bash
$ bindfs -ono-allow-other /home/myitcv/a /home/myitcv/xyz
$ ls /home/myitcv/xyz
aaaa.txt

But then in terminal 2:

$ unshare -m  /bin/bash
$ bindfs -ono-allow-other /home/myitcv/b /home/myitcv/xyz
fusermount: failed to access mountpoint /home/myitcv/gostuff: Permission denied

I think this may be related to the fact that the mount that succeeded in terminal 1 is visible to both, despite the call to unshare:

$ cat /proc/$$/mounts | grep bindfs
bindfs /home/myitcv/xyz fuse.bindfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,default_permissions 0 0

Am I doing something wrong here?

Is there an option equivalent to the -n on mount -n whereby the mount is created without writing to /etc/mtab?

Thanks
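
The check in the post above (grepping /proc/$$/mounts from each shell to see whether the bindfs mount is visible in both namespaces) can be scripted so that the two views are compared mechanically and the FUSE mount's options are audited at the same time. The following is an added example and is not code from this issue or from the bindfs project. It assumes nothing beyond the /proc/<pid>/mounts line format; the two mount tables embedded below are constructed samples (the bindfs line is modelled on the one quoted in the post, the other lines are made up) rather than output captured from the reporter's machine.

```python
"""Compare two /proc/<pid>/mounts views and audit FUSE mount options.

Added example for the bindfs/namespaces discussion; not part of bindfs.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: mount table as seen from the shell in "terminal 1".
TERMINAL1_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /mnt/my\\040disk ext4 rw,relatime 0 0
bindfs /home/myitcv/xyz fuse.bindfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,default_permissions 0 0
"""

# Constructed sample: the view from "terminal 2". The bindfs mount from
# terminal 1 shows up here too (the symptom described in the post), plus a
# made-up FUSE mount with weaker options to exercise the audit below.
TERMINAL2_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
bindfs /home/myitcv/xyz fuse.bindfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,default_permissions 0 0
example-fs /home/myitcv/remote fuse.example rw,relatime,user_id=1000,group_id=1000,allow_other 0 0
"""


@dataclass
class MountEntry:
    source: str
    mountpoint: str
    fstype: str
    options: Dict[str, str]  # option name -> value ("" for bare flags)


def unescape_mount_field(field: str) -> str:
    """Decode the octal escapes /proc/mounts uses for space, tab, newline and backslash."""
    out: List[str] = []
    i = 0
    while i < len(field):
        if field[i] == "\\" and i + 4 <= len(field) and all(c in "01234567" for c in field[i + 1:i + 4]):
            out.append(chr(int(field[i + 1:i + 4], 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def parse_mounts(text: str) -> List[MountEntry]:
    """Parse the 'source mountpoint fstype options dump pass' lines of /proc/<pid>/mounts."""
    entries: List[MountEntry] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        source, mountpoint, fstype, raw_opts = parts[:4]
        options: Dict[str, str] = {}
        for opt in raw_opts.split(","):
            name, _, value = opt.partition("=")
            options[name] = value
        entries.append(MountEntry(unescape_mount_field(source),
                                  unescape_mount_field(mountpoint), fstype, options))
    return entries


def fuse_mounts_at(entries: List[MountEntry], mountpoint: str) -> List[MountEntry]:
    """All FUSE-backed mounts (fstype 'fuse' or 'fuse.<name>') at a given path."""
    return [e for e in entries if e.mountpoint == mountpoint and e.fstype.split(".")[0] == "fuse"]


def shared_fuse_mountpoints(view_a: List[MountEntry], view_b: List[MountEntry]) -> List[str]:
    """FUSE mountpoints visible in both views, i.e. mounts that leaked across the namespaces."""
    fuse_a = {e.mountpoint for e in view_a if e.fstype.split(".")[0] == "fuse"}
    fuse_b = {e.mountpoint for e in view_b if e.fstype.split(".")[0] == "fuse"}
    return sorted(fuse_a & fuse_b)


def check_fuse_options(entry: MountEntry, expected_uid: int) -> List[str]:
    """Findings for a user FUSE mount; an empty list means the options look as expected."""
    findings: List[str] = []
    for flag in ("nosuid", "nodev"):  # the kernel forces both on unprivileged FUSE mounts
        if flag not in entry.options:
            findings.append(f"missing {flag}")
    if "allow_other" in entry.options:
        findings.append("allow_other set: users other than the mounter can access this mount")
    if entry.options.get("user_id") != str(expected_uid):
        findings.append(f"user_id={entry.options.get('user_id')} does not match expected {expected_uid}")
    return findings


if __name__ == "__main__":
    view1, view2 = parse_mounts(TERMINAL1_MOUNTS), parse_mounts(TERMINAL2_MOUNTS)
    for mp in shared_fuse_mountpoints(view1, view2):
        print(f"FUSE mount at {mp} is visible in both views")
    for e in view2:
        if e.fstype.split(".")[0] == "fuse":
            print(f"{e.mountpoint}: {check_fuse_options(e, 1000) or 'OK'}")
```

To use it against a live system, read /proc/<pid>/mounts for a shell in each namespace (or /proc/self/mounts from inside each) and pass the two strings to parse_mounts. The escaping decoder matters because a mountpoint containing a space is written as \040 in /proc/mounts and a naive split would otherwise misreport the path.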

mpartel commented 10 years ago

Strange, when I try it on Ubuntu 13.10, I get a "Transport endpoint is not connected" instead of "Permission denied". I don't know much about namespaces but I wouldn't be terribly surprised if FUSE didn't support them properly yet. Sorry I can't be of more help :(

Based on a quick grep for mtab in FUSE's source, there seems to be no mount -n equivalent since FUSE seems to be doing mtab manipulation in a custom fashion. One way to disable it seems to be to recompile FUSE with ./configure --disable-mtab.

myitcv commented 10 years ago

Appreciate the quick response. I'll check back if I find anything of note.

sourcejedi commented 8 years ago

mount -n should not be necessary on newer systems. E.g. Debian 8. (Possibly encouraged by a systemd warning).

$ ls -l /etc/mtab
lrwxrwxrwx 1 root root 12 Oct  4  2014 /etc/mtab -> /proc/mounts

paulstelian97 commented 8 years ago

FUSE uses /dev/fuse as the channel between kernel and user for the mounts.