bindfs and namespaces
Hi - I'm wondering how the following can be achieved using bindfs.
An important note for what follows: I have unshare setuid:
$ ls -la /usr/bin/unshare
-rwsr-xr-x 1 root root 10432 Jun 12 2013 /usr/bin/unshare
All of the commands that follow are run as an unprivileged user.
In terminal 1:
$ unshare -m /bin/bash
$ sudo mount -n --bind /home/myitcv/a /home/myitcv/xyz
$ ls /home/myitcv/xyz
aaaa.txt
In another terminal, terminal 2:
$ unshare -m /bin/bash
$ sudo mount -n --bind /home/myitcv/b /home/myitcv/xyz
$ ls /home/myitcv/xyz
bbbb.txt
If I try something similar with bindfs I get the following.
Terminal 1's commands succeed:
$ unshare -m /bin/bash
$ bindfs -ono-allow-other /home/myitcv/a /home/myitcv/xyz
$ ls /home/myitcv/xyz
aaaa.txt
But then in terminal 2:
$ unshare -m /bin/bash
$ bindfs -ono-allow-other /home/myitcv/b /home/myitcv/xyz
fusermount: failed to access mountpoint /home/myitcv/gostuff: Permission denied
I think this may be related to the fact that the mount that succeeded in terminal 1 is visible to both, despite the call to unshare:
$ cat /proc/$$/mounts | grep bindfs
bindfs /home/myitcv/xyz fuse.bindfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,default_permissions 0 0
Am I doing something wrong here?
Is there an option equivalent to the -n in mount -n, whereby the mount is created without writing to /etc/mtab?
Thanks
Strange, when I try it on Ubuntu 13.10, I get a "Transport endpoint is not connected" instead of "Permission denied". I don't know much about namespaces but I wouldn't be terribly surprised if FUSE didn't support them properly yet. Sorry I can't be of more help :(
Based on a quick grep for mtab in FUSE's source, there seems to be no mount -n equivalent since FUSE seems to be doing mtab manipulation in a custom fashion. One way to disable it seems to be to recompile FUSE with ./configure --disable-mtab.
Appreciate the quick response. I'll check back if I find anything of note.
mount -n should not be necessary on newer systems, e.g. Debian 8 (possibly encouraged by a systemd warning).
$ ls -l /etc/mtab
lrwxrwxrwx 1 root root 12 Oct 4 2014 /etc/mtab -> /proc/mounts
FUSE uses /dev/fuse as the channel between kernel and user for the mounts.
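The checks that the question and the last reply turn on, as an added example that is not code from the thread or from the bindfs project: compare the mount-namespace identity of two shells, look up what a given namespace sees at the mountpoint, read the propagation mode of the root mount, and inspect /etc/mtab. It assumes Linux procfs (/proc/<pid>/ns/mnt, /proc/<pid>/mounts, /proc/<pid>/mountinfo); the sample mounts and mountinfo contents are constructed (the mounts line is the one quoted in the question), and the function and file names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the bindfs project or from the thread above.
# Helpers for the two things the question turns on: whether two shells really
# are in different mount namespaces, and whether (and why) a mount made in one
# of them is visible in the other. Only standard procfs files are used; the
# sample data written by write_sample_views is constructed for this example.

# Identity of a process's mount namespace, e.g. "mnt:[4026531840]".
# Two PIDs in the same mount namespace print the same string.
mount_ns_id() {
    readlink "/proc/$1/ns/mnt"
}

# "yes" if PIDs $1 and $2 share a mount namespace, "no" otherwise.
same_mount_ns() {
    a=$(mount_ns_id "$1") || return 1
    b=$(mount_ns_id "$2") || return 1
    if [ "$a" = "$b" ]; then echo yes; else echo no; fi
}

# Filesystem type mounted at mountpoint $2 according to a mounts file $1
# (normally /proc/<pid>/mounts; /etc/mtab is a symlink to /proc/mounts on
# current systems). Prints nothing when the mountpoint is not in that view.
# Field order: device mountpoint fstype options dump pass.
fstype_at() {
    awk -v mp="$2" '$2 == mp { print $3; exit }' "$1"
}

# Propagation mode of mountpoint $2 according to a mountinfo file $1
# (normally /proc/<pid>/mountinfo). A "shared:N" optional field means mounts
# made under this point propagate to its peer group, which is what lets a
# mount created after "unshare -m" show up in the original namespace as well.
# Optional fields start at field 7 and end at the "-" separator.
mount_propagation() {
    awk -v mp="$2" '
        $5 == mp {
            mode = "private"
            for (i = 7; i <= NF && $i != "-"; i++) {
                if ($i ~ /^shared:/) { mode = "shared"; break }
                if ($i ~ /^master:/) { mode = "slave" }
            }
            print mode; exit
        }' "$1"
}

# Is /etc/mtab a real file (so mount -n matters) or the /proc/mounts symlink
# that makes -n unnecessary?
mtab_kind() {
    if [ -L /etc/mtab ]; then
        echo "symlink -> $(readlink /etc/mtab)"
    elif [ -e /etc/mtab ]; then
        echo "regular file"
    else
        echo "absent"
    fi
}

# Constructed sample views in the /proc formats, so the parsers can be run
# without a real bindfs mount: $1 gets a mounts file, $2 a mountinfo file.
write_sample_views() {
    cat > "$1" <<'EOF'
bindfs /home/myitcv/xyz fuse.bindfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,default_permissions 0 0
EOF
    cat > "$2" <<'EOF'
24 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
75 24 0:35 / /home/myitcv/xyz rw,nosuid,nodev,relatime shared:40 - fuse.bindfs bindfs rw,user_id=1000,group_id=1000,default_permissions
EOF
}

# Report what the current shell sees at mountpoint $1; run it in each
# "unshare -m" terminal and compare the output line by line.
report() {
    echo "mount ns:         $(mount_ns_id $$)"
    echo "fstype at $1: $(fstype_at "/proc/$$/mounts" "$1")"
    echo "root propagation: $(mount_propagation "/proc/$$/mountinfo" /)"
    echo "mtab:             $(mtab_kind)"
}
```

Run `report /home/myitcv/xyz` in each terminal after `unshare -m`. If both print the same `mnt:[...]` value, the shells never got separate mount namespaces. If the values differ but the bindfs mount still appears in both, look at the propagation line: a namespace created by unshare inherits the parent's propagation flags, and when / is shared (the default under systemd) a mount made in the child propagates back to its peers. Running `mount --make-rprivate /` inside the new namespace before mounting, or using the `--propagation private` option of newer unshare, stops that.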