bindfs and namespaces #10

Open
myitcv opened this Issue Mar 18, 2014 · 4 comments

myitcv commented Mar 18, 2014

Hi - I'm wondering how the following can be achieved using bindfs.

An important note for what follows: I have unshare setuid:

$ ls -la /usr/bin/unshare
-rwsr-xr-x 1 root root 10432 Jun 12  2013 /usr/bin/unshare

All of the commands that follow are run as an unprivileged user.

In terminal 1:

$ unshare -m  /bin/bash
$ sudo mount -n --bind /home/myitcv/a /home/myitcv/xyz
$ ls /home/myitcv/xyz
aaaa.txt

In another terminal, terminal 2:

$ unshare -m  /bin/bash
$ sudo mount -n --bind /home/myitcv/b /home/myitcv/xyz
$ ls /home/myitcv/xyz
bbbb.txt

If I try something similar with bindfs I get the following.

Terminal 1's commands succeed:

$ unshare -m  /bin/bash
$ bindfs -ono-allow-other /home/myitcv/a /home/myitcv/xyz
$ ls /home/myitcv/xyz
aaaa.txt

But then in terminal 2:

$ unshare -m  /bin/bash
$ bindfs -ono-allow-other /home/myitcv/b /home/myitcv/xyz
fusermount: failed to access mountpoint /home/myitcv/gostuff: Permission denied

I think this may be related to the fact that the mount that succeeded in terminal 1 is visible to both, despite the call to unshare:

$ cat /proc/$$/mounts | grep bindfs
bindfs /home/myitcv/xyz fuse.bindfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,default_permissions 0 0

Am I doing something wrong here?

Is there an option equivalent to the -n on mount -n whereby the mount is created without writing to /etc/mtab?

Thanks
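
One check worth running when a mount made after `unshare -m` shows up in another shell is the propagation state of each mount. The script below is an added example, my own code rather than anything from this thread or from bindfs: it parses the proc(5) mountinfo format and reports whether each mount is `shared:N` (propagated to peer namespaces) or private; the mountinfo listing it reads is constructed, not captured from the reporter's system.

```shell
#!/bin/sh
# Added example, not code from the issue or from bindfs: inspect a mountinfo
# listing (proc(5) format) to see each mount's propagation state. A mount whose
# line carries "shared:N" is propagated to every peer namespace, so it can be
# visible from a shell that ran `unshare -m`; "private" mounts stay put.

# Usage: mount_propagation [fstype-regex] < /proc/<pid>/mountinfo
# Prints "<mountpoint> <fstype> <propagation> <superopts>" per matching mount.
mount_propagation() {
    awk -v pat="${1:-.}" '
    {
        # optional fields run from $7 up to the "-" separator
        prop = "private"
        i = 7
        while (i <= NF && $i != "-") {
            if ($i ~ /^(shared|master|propagate_from):/)
                prop = (prop == "private") ? $i : (prop "," $i)
            i++
        }
        fstype = $(i + 1)      # fields after "-": fstype, source, super options
        superopts = $(i + 3)
        if (fstype ~ pat) print $5, fstype, prop, superopts
    }'
}

# Live check: exit 0 if two PIDs (e.g. the shells in terminal 1 and 2) share a
# mount namespace. Needs Linux and permission to read /proc/<pid>/ns/mnt.
same_mount_ns() {
    [ "$(readlink "/proc/$1/ns/mnt")" = "$(readlink "/proc/$2/ns/mnt")" ]
}

# Constructed sample (not captured from the reporter's machine): / is shared,
# as on systemd systems, so a bindfs mount under it inherits shared
# propagation, while /mnt/private stands for a mount explicitly made private.
sample_mountinfo() {
    cat <<'EOF'
21 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,data=ordered
40 21 0:30 / /home/myitcv/xyz rw,nosuid,nodev,relatime shared:42 - fuse.bindfs bindfs rw,user_id=1000,group_id=1000,default_permissions
41 21 0:31 / /mnt/private rw,relatime - tmpfs tmpfs rw
EOF
}

sample_mountinfo | mount_propagation fuse
sample_mountinfo | mount_propagation tmpfs
```

On a live system, replace `sample_mountinfo` with `cat /proc/$$/mountinfo` in each shell and compare the two listings.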

mpartel (Owner) commented Mar 18, 2014

Strange, when I try it on Ubuntu 13.10, I get a "Transport endpoint is not connected" instead of "Permission denied". I don't know much about namespaces but I wouldn't be terribly surprised if FUSE didn't support them properly yet. Sorry I can't be of more help :(

Based on a quick grep for mtab in FUSE's source, there seems to be no mount -n equivalent since FUSE seems to be doing mtab manipulation in a custom fashion. One way to disable it seems to be to recompile FUSE with ./configure --disable-mtab.

myitcv commented Mar 18, 2014

Appreciate the quick response. I'll check back if I find anything of note.

sourcejedi commented Apr 22, 2016

mount -n should not be necessary on newer systems. E.g. Debian 8. (Possibly encouraged by a systemd warning).

$ ls -l /etc/mtab
lrwxrwxrwx 1 root root 12 Oct  4  2014 /etc/mtab -> /proc/mounts

paulstelian97 commented Jun 5, 2016

FUSE uses /dev/fuse as the channel between kernel and user for the mounts.