Only root can access a fusefs mount in a jail?
Date: Fri, 18 Jun 2021 10:14:24 UTC
Hi all,

I posted about this in the iocage issues on Github yesterday [1], but I wonder if it's an underlying issue with jails and fusefs.

Summary: in a jail, root can mount and use a fusefs filesystem, but non-root users are not able to access it (with appropriate permissions).

I'd appreciate any insight on how I could allow regular users to use such a filesystem (mounted by root).

Detailed description to reproduce:

Create a jail with the options:

- allow_mount: 1
- allow_mount_fusefs: 1
- enforce_statfs: 1

On the host, ensure the fusefs kernel module is loaded.

In the guest, add an unprivileged user (e.g. UID=1001), then install fusefs-sshfs and use it to mount a remote server:

    # sshfs -o uid=1001,gid=1001 user@server.tld: /mnt

Root is able to ls the mount, add & remove files, etc.

    root@fuse-jail:~ # ls -la /mnt
    total 4545
    drwxr-x--x   1 user  user    84 Jun 17 18:51 .
    drwxr-xr-x  20 root  wheel   25 May 30 22:14 ..
    -rw-------   1 user  user  2867 Apr  9  2019 .bash_history
    -rw-r--r--   1 user  user  9286 Jun 17 06:00 .bash_profile
    lrwxr-xr-x   1 user  user    52 Jan 23  2020 .bashrc
    drwx------   1 user  user    12 May 18 12:49 .cache
    ...

However, the unprivileged user cannot, despite being the owner of the directory.

    user@fuse-jail:~ % ls -la /
    ...
    drwxr-x--x   1 user  user    84 Jun 17 18:51 mnt
    ...
    user@fuse-jail:~ % ls -la /mnt
    total 0
    ls: /mnt: Operation not permitted

Expected behaviour is that user can access /mnt.

Thanks in advance for any ideas!

David

[1] https://github.com/iocage/iocage/issues/1261