
bindfs and namespaces #10

Open
myitcv opened this issue Mar 18, 2014 · 4 comments

Comments

@myitcv

myitcv commented Mar 18, 2014

Hi - I'm wondering how the following can be achieved using bindfs.

An important note for what follows: I have unshare setuid:

$ ls -la /usr/bin/unshare
-rwsr-xr-x 1 root root 10432 Jun 12  2013 /usr/bin/unshare

All of the commands that follow are run as an unprivileged user.

In terminal 1:

$ unshare -m  /bin/bash
$ sudo mount -n --bind /home/myitcv/a /home/myitcv/xyz
$ ls /home/myitcv/xyz
aaaa.txt

In another terminal, terminal 2:

$ unshare -m  /bin/bash
$ sudo mount -n --bind /home/myitcv/b /home/myitcv/xyz
$ ls /home/myitcv/xyz
bbbb.txt

If I try something similar with bindfs I get the following.

Terminal 1's commands succeed:

$ unshare -m  /bin/bash
$ bindfs -ono-allow-other /home/myitcv/a /home/myitcv/xyz
$ ls /home/myitcv/xyz
aaaa.txt

But then in terminal 2:

$ unshare -m  /bin/bash
$ bindfs -ono-allow-other /home/myitcv/b /home/myitcv/xyz
fusermount: failed to access mountpoint /home/myitcv/gostuff: Permission denied

I think this may be related to the fact that the mount that succeeded in terminal 1 is visible to both, despite the call to unshare:

$ cat /proc/$$/mounts | grep bindfs
bindfs /home/myitcv/xyz fuse.bindfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,default_permissions 0 0

Am I doing something wrong here?

Is there an option equivalent to the -n in mount -n, whereby the mount is created without writing to /etc/mtab?

Thanks
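The two checks the question relies on, the grep over /proc/$$/mounts and the assumption that unshare -m gave each terminal its own mount namespace, can be scripted so they are repeatable. The helper below is an added example, not code from the issue author or the bindfs project. It parses a mount table in /proc/<pid>/mounts format (constructed here from the fuse.bindfs line quoted above plus made-up entries), reports the FUSE mount at a given mountpoint, its user_id and whether allow_other is set, and compares the mount-namespace identity of two PIDs via /proc/<pid>/ns/mnt. The function names and the sample table are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the issue thread). Inspect a mount table in
# /proc/<pid>/mounts format and compare mount namespaces of two PIDs.
# Field layout per line: <source> <mountpoint> <fstype> <options> <dump> <pass>
# Mountpoints containing spaces are escaped as \040, so whitespace splitting is safe.

# Constructed sample table: the fuse.bindfs line is the one quoted in the issue;
# the proc, ext4 and fuse.sshfs lines are made up for contrast.
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
bindfs /home/myitcv/xyz fuse.bindfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,default_permissions 0 0
/dev/sda1 /home/myitcv/other ext4 rw,relatime 0 0
sshfs#host:/srv /mnt/remote fuse.sshfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,allow_other 0 0'

# fuse_mount_at MOUNTPOINT: read a mount table from stdin and print
# "<fstype> <options>" for the FUSE mount at MOUNTPOINT. Exit 1 if none.
fuse_mount_at() {
    awk -v mp="$1" '
        $2 == mp && $3 ~ /^fuse(\.|$)/ { print $3, $4; found = 1 }
        END { exit found ? 0 : 1 }'
}

# fuse_mount_uid MOUNTPOINT: print the user_id= option of the FUSE mount,
# i.e. the unprivileged user the kernel treats as the mount owner.
fuse_mount_uid() {
    fuse_mount_at "$1" | awk '
        { n = split($2, o, ",")
          for (i = 1; i <= n; i++) if (sub(/^user_id=/, "", o[i])) { print o[i]; found = 1 } }
        END { exit found ? 0 : 1 }'
}

# fuse_allow_other MOUNTPOINT: exit 0 if allow_other is among the options.
# The issue mounts with -o no-allow-other, so this should fail for that mount;
# it is the check to run before trusting that other users cannot reach the mount.
fuse_allow_other() {
    fuse_mount_at "$1" | awk '
        { n = split($2, o, ",")
          for (i = 1; i <= n; i++) if (o[i] == "allow_other") found = 1 }
        END { exit found ? 0 : 1 }'
}

# mnt_ns_of PID: print the mount namespace identity (e.g. "mnt:[4026531840]").
# Prints nothing if /proc is missing or the PID is not readable by this user.
mnt_ns_of() {
    readlink "/proc/$1/ns/mnt" 2>/dev/null || true
}

# same_mnt_ns PID1 PID2: 0 if both PIDs share a mount namespace, 1 if they
# differ, 2 if either namespace could not be read.
same_mnt_ns() {
    a=$(mnt_ns_of "$1")
    b=$(mnt_ns_of "$2")
    [ -n "$a" ] && [ -n "$b" ] || return 2
    [ "$a" = "$b" ]
}

# Usage over the constructed table.
if out=$(printf '%s\n' "$SAMPLE_MOUNTS" | fuse_mount_at /home/myitcv/xyz); then
    echo "/home/myitcv/xyz: $out"
    echo "owner uid: $(printf '%s\n' "$SAMPLE_MOUNTS" | fuse_mount_uid /home/myitcv/xyz)"
    if printf '%s\n' "$SAMPLE_MOUNTS" | fuse_allow_other /home/myitcv/xyz; then
        echo "allow_other: yes"
    else
        echo "allow_other: no"
    fi
fi

# On a live Linux system, compare this shell's mount namespace with its parent's:
# after "unshare -m /bin/bash" the two should differ.
if [ -r /proc/self/ns/mnt ]; then
    same_mnt_ns "$$" "$PPID"
    case $? in
        0) echo "same mount namespace as parent (PID $PPID)" ;;
        1) echo "different mount namespace from parent (PID $PPID)" ;;
        *) echo "could not read mount namespace of PID $PPID" ;;
    esac
fi
```

To reproduce the question's check on a real machine, feed the live table instead of the sample: `fuse_mount_at /home/myitcv/xyz < /proc/$$/mounts` in each terminal. Because /proc/<pid>/mounts is rendered per mount namespace, seeing the terminal 1 bindfs entry from terminal 2 means the two shells either share a namespace (which same_mnt_ns will confirm) or the mount propagated between them.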

@mpartel
Owner

mpartel commented Mar 18, 2014

Strange, when I try it on Ubuntu 13.10, I get a "Transport endpoint is not connected" instead of "Permission denied". I don't know much about namespaces but I wouldn't be terribly surprised if FUSE didn't support them properly yet. Sorry I can't be of more help :(

Based on a quick grep for mtab in FUSE's source, there seems to be no mount -n equivalent since FUSE seems to be doing mtab manipulation in a custom fashion. One way to disable it seems to be to recompile FUSE with ./configure --disable-mtab.

@myitcv
Author

myitcv commented Mar 18, 2014

Appreciate the quick response. I'll check back if I find anything of note.

@sourcejedi

mount -n should not be necessary on newer systems. E.g. Debian 8. (Possibly encouraged by a systemd warning).

$ ls -l /etc/mtab
lrwxrwxrwx 1 root root 12 Oct  4  2014 /etc/mtab -> /proc/mounts

@paulstelian97

FUSE uses /dev/fuse as the channel between kernel and user for the mounts.
