
afuse permission issue with NFS

Open oarcher opened this issue 12 years ago • 9 comments

Hi, due to an autofs bug in Linux containers, I'm trying to set up a workaround using afuse/NFS, but I ran into a 'permission denied' issue.

I'm running the following command as root:

```
afuse -d -o allow_other -o default_permissions -o mount_template="mount -orw %r:/export/home %m" -o unmount_template="fusermount -u -z %m" /home
```

So as root, I can browse the filesystem by issuing 'ls /home/mynfshost',

but as a normal user, I can't browse the filesystem, and 'ls -ld /home' shows that I have no access to it:

```
ls -ld /home
drwx------ 1 root root 0 Jan 1 1970 /home
```

The mount command shows me that the 'real' mountpoint is /tmp/afuse-c5CWTm, and its permissions are the same:

```
ls -ld /tmp/afuse-c5CWTm
drwx------ 1 root root 12 Apr 26 11:51 /tmp/afuse-c5CWTm
```

If I manually change the permissions on the real mountpoint, a non-root user who is allowed to write on the NFS share can create a file through the real mountpoint: $ touch /tmp/afuse-c5CWTm/mynfsshare/mydir/test

But I can't change the permissions on /home (Operation not supported), and a normal user doesn't have access to the mountpoint.

Is there a solution to use afuse to mount NFS shares system-wide, like autofs?

Thanks for any help you could provide.

Olivier

oarcher, Apr 26 '13 12:04

Hello,

Could you mention which distribution, kernel, version of afuse you are using, how the container is created, in particular by which user and whether it has a non-standard user namespace? Could I also see /etc/fuse.conf?

pcarrier, Apr 26 '13 12:04

Hello, I'm using Ubuntu 12.04.1 LTS with kernel 3.2.0-32-generic x86_64, and afuse 0.2-3. I've set up my LXC container following https://help.ubuntu.com/community/LXC, but this is probably not relevant, as the error is still present outside the container.

My /etc/fuse.conf is empty.

Olivier

oarcher, Apr 26 '13 14:04

Could you try with user_allow_other in /etc/fuse.conf, and v0.4.1 from https://github.com/pcarrier/afuse/archive/v0.4.1.tar.gz?

pcarrier, Apr 26 '13 15:04

I've tried with 0.4.1 and user_allow_other in /etc/fuse.conf, and I get the same unexpected behaviour.

oarcher, Apr 26 '13 21:04

OK, can I get your /proc/mounts to see the NFS options, and the output of ps aux|grep rpc to see which NFS daemons are running on the client side?

pcarrier, Apr 26 '13 21:04

Here is my /proc/mounts; note that my mountpoint is now /mntfuse instead of /home as in my previous post:

```
cat /proc/mounts
rootfs / rootfs rw 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
udev /dev devtmpfs rw,relatime,size=12329960k,nr_inodes=3082490,mode=755 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,mode=600,ptmxmode=000 0 0
tmpfs /run tmpfs rw,nosuid,relatime,size=4935520k,mode=755 0 0
/dev/disk/by-uuid/157e6407-aba0-466b-b8c2-8959e136336a / ext4 rw,relatime,errors=remount-ro,user_xattr,barrier=1,data=ordered 0 0
none /sys/fs/fuse/connections fusectl rw,relatime 0 0
none /sys/kernel/debug debugfs rw,relatime 0 0
none /sys/kernel/security securityfs rw,relatime 0 0
none /run/lock tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k 0 0
none /run/shm tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sda3 /var btrfs rw,relatime,nospace_cache 0 0
rpc_pipefs /run/rpc_pipefs rpc_pipefs rw,relatime 0 0
cgroup /sys/fs/cgroup tmpfs rw,relatime,mode=755 0 0
cgroup /sys/fs/cgroup/cpuset cgroup rw,relatime,cpuset,clone_children 0 0
cgroup /sys/fs/cgroup/cpu cgroup rw,relatime,cpu,clone_children 0 0
cgroup /sys/fs/cgroup/cpuacct cgroup rw,relatime,cpuacct,clone_children 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,relatime,memory,clone_children 0 0
cgroup /sys/fs/cgroup/devices cgroup rw,relatime,devices,clone_children 0 0
cgroup /sys/fs/cgroup/freezer cgroup rw,relatime,freezer,clone_children 0 0
cgroup /sys/fs/cgroup/blkio cgroup rw,relatime,blkio,clone_children 0 0
cgroup /sys/fs/cgroup/perf_event cgroup rw,relatime,perf_event,clone_children 0 0
afuse /mntfuse fuse.afuse rw,nosuid,nodev,relatime,user_id=0,group_id=0,default_permissions,allow_other 0 0
typhon:/export/home/ /tmp/afuse-WW6IJF/typhon nfs rw,relatime,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=134.246.158.12,mountvers=3,mountport=32825,mountproto=udp,local_lock=none,addr=134.246.158.12 0 0
```

```
ps aux|grep rpc
root 381 0.0 0.0 9356 636 pts/12 S+ 00:25 0:00 grep --color=auto rpc
root 672 0.0 0.0 19212 1060 ? Ss 2012 0:09 rpcbind -w
root 753 0.0 0.0 0 0 ? S< 2012 0:00 [rpciod]
root 777 0.0 0.0 25856 1452 ? Ss 2012 0:00 rpc.idmapd
statd 778 0.0 0.0 25744 1540 ? Ss 2012 0:00 rpc.statd -L
root 29135 0.0 0.0 19200 1080 ? Ss Apr26 0:00 rpcbind -w
sshd 29193 0.0 0.0 21504 1364 ? Ss Apr26 0:00 rpc.statd -L
```

oarcher, Apr 26 '13 22:04

OK, sorry for being so slow, I finally understood your problem. Thanks for your report!

I'll need to add an option to tweak the apex permissions and do a new release. Hopefully I'll have time this weekend.

```
src/afuse.c:361:        if (mkdir(dir_tmp, 0700) == -1 && errno != EEXIST) {
```

Edit: ideally:

  • by default, pass 0755 if fuse honors allow_other, 0700 otherwise
  • have an option to override that

pcarrier, Apr 26 '13 22:04

Many thanks, you are not "so slow" ;-)

Do you mean that changing 0700 to 0755 should fix the permissions issue? I've just tried it, but with no success...

oarcher, Apr 26 '13 22:04

I've also noticed that not using default_permissions lets me enter the FUSE mountpoint, but I can't create new files. And what about: if (!(mount_point_directory = mkdtemp(temp_dir_name)))? mkdtemp creates the directory 0700 by default...

oarcher, Apr 27 '13 10:04