OSXfuse's SSHFS ignores remote group permissions ? #1

Closed
brainstorm opened this Issue Sep 26, 2011 · 6 comments

I'm mounting it together with macfusion. Unless I own the remote files via the remote user, I cannot access the files via standard remote UNIX permissions. For example, I have access to this directory on the remote server via osxfuse:

$ ls -alh
drwxrws--- 11 roman group11 4.0K Sep 25 12:00 test_dir_server1

$id roman
uid=42314 gid=(...),40205(group11)

But not this one, which I don't own by user, only by group. I'm able to access the files when logged in via regular interactive ssh though:

$ ls -alh
drwxrws---. 10 not.roman group12 4,0K 24 sep 20.59 test_dir_server2

$id roman
uid=14215 gid=(...),10023(group12)

Is there any flag I can use to correct this? I've also observed that sshfs is not on my path when I try to invoke it locally after installing OSXFUSE with macfuse backwards compatibility option checked.

Thanks for the fork guys, good work !

Owner

bfleischer commented Jan 22, 2012

Macfusion comes with its own custom SSHFS binary, that seems to ignore the user's gid. It resides in Macfusion's application bundle. That's why sshfs is not in your path.

It took some time, but earlier today I uploaded an official OSXFUSE SSHFS 2.3.0 package containing a universal sshfs binary for Mac OS X 10.5 and newer. SSHFS has been moved to its own repository. The installer package can be found in the repository's Downloads section. Due to the fact that this version maps uid and gid you should be able to access both directories test_dir_server1 and test_dir_server2.

To make Macfusion use OSXFUSE's SSHFS run the following commands in Terminal (assuming Macfusion is in your Applications folder):

cd  /Applications/Macfusion.app/Contents/PlugIns/sshfs.mfplugin/Contents/Resources
mv sshfs-static sshfs-static.orig
ln -s /usr/local/bin/sshfs sshfs-static

To revert the changes run:

cd  /Applications/Macfusion.app/Contents/PlugIns/sshfs.mfplugin/Contents/Resources
mv sshfs-static.orig sshfs-static

Please re-open the issue, if this does not work for you.

bfleischer closed this Jan 22, 2012

Hello @bfleischer, thanks for your feedback !

Unfortunately, after installing the pkg and running the commands, it still does not work, permissions are wrong :-/

ls -alh /Volumes/remote_mount/folder/
ls: : Permission denied

On the other hand, doing a regular ssh machine ls -alh folder/ works without problems.

Here's some information on the sshfs I'm using from today:

:Resources roman$ sshfs -V
SSHFS version 2.3 (OSXFUSE SSHFS 2.3.0)
OSXFUSE library version: FUSE 2.7.3 / OSXFUSE 2.3.4
no mount point

:Resources roman$ which sshfs
/usr/local/bin/sshfs

:Resources roman$ ls -lah /usr/local/bin/sshfs
-rwxr-xr-x  1 root  wheel   5,5M 22 Jan 12:39 /usr/local/bin/sshfs

Owner

bfleischer commented Jan 23, 2012

I took a closer look at your first post and am now able to reproduce the issue. There is an important difference between regular SSH and SSHFS:

  • In case of SSH the remote host is responsible for watching over ownership and permissions of files and folders and decides whether to give or deny access to a user.
  • In case of SSHFS there are two permission checks: one performed by Mac OS X and one performed on the remote host. Here lies the problem. The remote host will let you access the directory but your Mac does not know anything about the groups your remote user belongs to. It only knows about your local groups. From your Mac's standpoint you are not allowed to access the directory because your Mac user does not belong to group11 or group12.

SSHFS tries to be smart and matches your remote user's uid/gid with your local user's uid/gid. This suffices in most cases but in your case your remote user just belongs to group11 and group12 but has a different gid. That's why SSHFS cannot associate group11 or group12 with your local gid and you are getting the permission denied error.

Here is how to fix this: You need to call sshfs with the option defer_permissions. defer_permissions disables local permission checks and forwards all requests to the remote server (as in the SSH case above). Since the server knows that you are allowed to access the folders you will no longer be locked out.

If you call sshfs from command line just add -o defer_permissions. If you use Macfusion put -o defer_permissions in "SSH Advanced > Extra Options".
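
Added example (not part of the original thread, and not OSXFUSE or SSHFS code): a simplified Python model of the two permission checks described in the comment above, run against the two directories from the first post. The local Mac ids (uid 501, gid 20) and the uid used for not.roman are constructed placeholders, the gid map is empty because the primary gid is elided in the issue, and ACLs and the root bypass are ignored.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits within one class (owner, group or other)

@dataclass(frozen=True)
class Identity:
    uid: int
    gids: frozenset  # every group the user belongs to

@dataclass(frozen=True)
class Entry:
    name: str
    mode: int  # e.g. 0o2770 for drwxrws---
    uid: int
    gid: int

def may_access(who, entry, want):
    """Classic UNIX check: exactly one class (owner, group, other) decides."""
    if who.uid == entry.uid:
        granted = (entry.mode >> 6) & 7
    elif entry.gid in who.gids:
        granted = (entry.mode >> 3) & 7
    else:
        granted = entry.mode & 7
    return (granted & want) == want

def sshfs_access(local, remote, entry, uid_map, gid_map, defer_permissions, want=R | X):
    """Access through the mount: local check (unless deferred), then remote check."""
    remote_ok = may_access(remote, entry, want)
    if defer_permissions:
        return remote_ok  # only the server decides, as with plain ssh
    # What the Mac sees: ids present in the maps are translated, all others
    # (such as a supplementary group like group12) keep their remote numbers.
    seen = Entry(entry.name, entry.mode,
                 uid_map.get(entry.uid, entry.uid), gid_map.get(entry.gid, entry.gid))
    return may_access(local, seen, want) and remote_ok

MAC = Identity(501, frozenset({20}))             # constructed local identity
ROMAN_S1 = Identity(42314, frozenset({40205}))   # ids quoted in the issue
ROMAN_S2 = Identity(14215, frozenset({10023}))   # ids quoted in the issue
DIR1 = Entry("test_dir_server1", 0o2770, 42314, 40205)
DIR2 = Entry("test_dir_server2", 0o2770, 99999, 10023)  # 99999: placeholder for not.roman

def demo():
    return {
        "server1": sshfs_access(MAC, ROMAN_S1, DIR1, {42314: 501}, {}, False),
        "server2": sshfs_access(MAC, ROMAN_S2, DIR2, {14215: 501}, {}, False),
        "server2_deferred": sshfs_access(MAC, ROMAN_S2, DIR2, {14215: 501}, {}, True),
    }

if __name__ == "__main__":
    print(demo())
```

In this model the deferred case still returns False for anything the server itself would refuse, so defer_permissions moves the decision to the remote host rather than widening it.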

Owner

bfleischer commented Jan 23, 2012

BTW: You are still using OSXFUSE 2.3.4. Version 2.3.8 has been released about a month ago and fixes some race conditions that might lead to deadlocks. You might want to upgrade :-)

Yeah, that did the trick, thanks ! :D

I've to define that -o flag for each mount point... Even if it's a minor issue, I would expect it to be a global setting instead (or as well).

On top of that, would it make sense to have it as default setting for macfusion ? I think it's reasonable to have it as per the principle of least surprise (http://en.wikipedia.org/wiki/Principle_of_least_astonishment).

Thanks for the hints... I'll upgrade as well, thanks for telling !

I encountered the same issue with FTP mount points .. but obviously there is no "ssh option" to set to do the trick .. any idea?

Thank you
