From nobody Fri Jun 18 10:59:43 2021
X-Original-To: freebsd-jail@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 7656D5D5DCE
	for <freebsd-jail@mlmmj.nyi.freebsd.org>; Fri, 18 Jun 2021 10:59:56 +0000 (UTC)
	(envelope-from crest@rlwinm.de)
Received: from mail.rlwinm.de (mail.rlwinm.de [IPv6:2a01:4f8:171:f902::5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 4G5wtM59g4z3n8R
	for <freebsd-jail@freebsd.org>; Fri, 18 Jun 2021 10:59:55 +0000 (UTC)
	(envelope-from crest@rlwinm.de)
Received: from alteisen.fritz.box (200116b864c4f40044cd5dd15527afe4.dip.versatel-1u1.de [IPv6:2001:16b8:64c4:f400:44cd:5dd1:5527:afe4])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by mail.rlwinm.de (Postfix) with ESMTPSA id 2BF52DF05
	for <freebsd-jail@freebsd.org>; Fri, 18 Jun 2021 10:59:47 +0000 (UTC)
Subject: Re: Only root can access a fusefs mount in a jail?
To: freebsd-jail@freebsd.org
References: <CAF104kOX_E3tmBoFgZgqh6AQfnm7UdGwQfHOYWf_r==HfzVQTQ@mail.gmail.com>
From: Crest <crest@rlwinm.de>
Message-ID: <5277b3d5-dd8a-bb45-5dbd-aa9c66d9ce72@rlwinm.de>
Date: Fri, 18 Jun 2021 12:59:43 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0)
 Gecko/20100101 Thunderbird/78.11.0
List-Id: Discussion about FreeBSD jail(8) <freebsd-jail.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-jail
List-Help: <mailto:freebsd-jail+help@freebsd.org>
List-Post: <mailto:freebsd-jail@freebsd.org>
List-Subscribe: <mailto:freebsd-jail+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-jail+unsubscribe@freebsd.org>
Sender: owner-freebsd-jail@freebsd.org
MIME-Version: 1.0
In-Reply-To: <CAF104kOX_E3tmBoFgZgqh6AQfnm7UdGwQfHOYWf_r==HfzVQTQ@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
X-Rspamd-Queue-Id: 4G5wtM59g4z3n8R
X-Spamd-Bar: --
Authentication-Results: mx1.freebsd.org;
	dkim=none;
	dmarc=none;
	spf=pass (mx1.freebsd.org: domain of crest@rlwinm.de designates 2a01:4f8:171:f902::5 as permitted sender) smtp.mailfrom=crest@rlwinm.de
X-Spamd-Result: default: False [-2.30 / 15.00];
	 RCVD_TLS_ALL(0.00)[];
	 RCVD_VIA_SMTP_AUTH(0.00)[];
	 MID_RHS_MATCH_FROM(0.00)[];
	 FROM_HAS_DN(0.00)[];
	 RBL_DBL_DONT_QUERY_IPS(0.00)[2a01:4f8:171:f902::5:from];
	 TO_MATCH_ENVRCPT_ALL(0.00)[];
	 R_SPF_ALLOW(-0.20)[+mx];
	 MIME_GOOD(-0.10)[text/plain];
	 PREVIOUSLY_DELIVERED(0.00)[freebsd-jail@freebsd.org];
	 TO_DN_NONE(0.00)[];
	 RCPT_COUNT_ONE(0.00)[1];
	 SPAMHAUS_ZRD(0.00)[2a01:4f8:171:f902::5:from:127.0.2.255];
	 RECEIVED_SPAMHAUS_PBL(0.00)[2001:16b8:64c4:f400:44cd:5dd1:5527:afe4:received];
	 ARC_NA(0.00)[];
	 NEURAL_HAM_LONG(-1.00)[-1.000];
	 NEURAL_HAM_SHORT(-1.00)[-0.999];
	 DMARC_NA(0.00)[rlwinm.de];
	 NEURAL_HAM_MEDIUM(-1.00)[-1.000];
	 FROM_EQ_ENVFROM(0.00)[];
	 R_DKIM_NA(0.00)[];
	 MIME_TRACE(0.00)[0:+];
	 ASN(0.00)[asn:24940, ipnet:2a01:4f8::/32, country:DE];
	 SUBJECT_ENDS_QUESTION(1.00)[];
	 MAILMAN_DEST(0.00)[freebsd-jail];
	 RCVD_COUNT_TWO(0.00)[2]
X-ThisMailContainsUnwantedMimeParts: N

On 18.06.21 12:14, David Schlachter wrote:
> Hi all,
>
> I posted about this in the iocage issues on Github yesterday [1], but I
> wonder if it's an underlying issue with jails and fusefs. Summary: in a
> jail, root can mount and use a fusefs filesystem, but non-root itusers are
> not able to access it (with appropriate permissions). I'd appreciate any
> insight on how I could allow regular users to use such a filesystem
> (mounted by root).
>
> Detailed description to reproduce:
>
> Create a jail with the options:
> - allow_mount: 1
> - allow_mount_fusefs: 1
> - enforce_statfs: 1
>
> On the host, ensure the fusefs kernel module is loaded. In the guest, add
> an unprivileged user (e.g. UID=1001), then install fusefs-sshfs and use it
> to mount a remote server:
>
> # sshfs -o uid=1001,gid=1001 user@server.tld: /mnt
>
> Root is able to ls the mount, add & remove files, etc.
>
> root@fuse-jail:~ # ls -la /mnt
> total 4545
> drwxr-x--x   1 user  user       84 Jun 17 18:51 .
> drwxr-xr-x  20 root  wheel      25 May 30 22:14 ..
> -rw-------   1 user  user     2867 Apr  9  2019 .bash_history
> -rw-r--r--   1 user  user     9286 Jun 17 06:00 .bash_profile
> lrwxr-xr-x   1 user  user       52 Jan 23  2020 .bashrc
> drwx------   1 user  user       12 May 18 12:49 .cache
> ...
>
> However, the unprivileged user cannot, despite being the owner of the
> directory.
>
> user@fuse-jail:~ % ls -la /
> ...
> drwxr-x--x   1 user  user    84 Jun 17 18:51 mnt
> ...
>
> user@fuse-jail:~ % ls -la /mnt
> total 0
> ls: /mnt: Operation not permitted
>
> Expected behaviour is that user can access /mnt.
>
> Thanks in advance for any ideas!
> David

To mount a FUSE file system you need write access to the fuse device and 
the permission to mount a file system. The first is controlled by 
permissions on the fuse device(s) the second is controlled through the 
vfs.usermount sysctl. By default only root is allowed to mount file systems.