I am new to fuse. I have mounted fuse by the following command.
/mnt/fuse -o default_permissions -o allow_other -o nonempty -o hard_remove –d
Now If I login as "test" user and tried to create a file called "testfile".
test#11540302:/registration> touch testfile
touch: setting times of `testfile': Permission denied
Strace output:
uname({sys="Linux", node="11540302", ...}) = 0
brk(0) = 0x8055000
brk(0x8076000) = 0x8076000
open("testfile", O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK|O_LARGEFILE, 0666) = 3
dup2(3, 0) = 0
close(3) = 0
utimensat(0, NULL, NULL, 0) = -1 EACCES (Permission denied)
close(0) = 0
But "testfile" creation is successful with owner as root user,
-rw-r--r-- 1 root trusted 0 Jan 19 13:51 testfile
I can understand that fuse application is running in root level, file creation happened with the owner as root. Because of that test user cannot perform any operation on "testfile".
My question:
Since I have given "allow_other" while mounting, why test user cannot having privileges to access the "testfile"?
Please correct me if my understanding is wrong.
I got the solution for this problem.
Detailed explanation for this issue.
Solution:
As #dirkt said we need to handle permissions on our own.
Code to get the caller uid and gid:
fuse_get_context()->uid;
fuse_get_context()->gid;
Get the caller user id and group id and set the ownership of the file/directory while creating via fuse API's.
Always there is room for improvement. Kindly correct me if I am not correct.
Thank you dirkt for your explanation.
Try adding the test user to the fuse group:
usermod -a -G fuse test
Also, make sure that #user_allow_other is uncommented on the fuse configuration file (generally on /etc/fuse.conf):
sed -i -e "s/#user_allow_other/user_allow_other/gi" /etc/fuse.conf
After running either of those, reboot the computer and try again.
Related
I have a script written by someone else, which mounts a file system, and I would like to reproduce it.
The script has been compiled with shc, and is used to mount a filesystem for a particular user, but is able to be run with root priveleges. The guess is it does something like this mount_script.sh:
#!/bin/bash
mount -t cifs -o username=$USER,domain=my_domain //hostname.com/Files /mnt/${USER}-drive
I have compiled the script with shc and then applied
chmod u+s mount_script.sh.x
so that
-rwsr-xr-x. 1 root root 11088 Feb 15 14:11 mount_script.sh.x
matches the original compiled bash script's permissions, the original is wrapped with the following mount_drive.sh
#!/bin/bash
if [ "$(mountpoint -q /mnt/${USER}-drive/ && echo "mounted" || echo "not mounted")" = "not mounted" ]; then
echo
echo "Not mounted, running mount script..."
echo
mount_script.sh.x
else
echo
echo "The drive is already mounted at /mnt/${USER}-drive..."
echo
fi
WIth permissions:
-rwxr-xr-x 1 root root 335 Sep 20 10:58 /usr/local/bin/mount_drive.sh
When I try and run it as my normal user i get:
Not mounted, running mount script...
mount: only root can use "--options" option
What should the script contain to avoid this probelm and allow the $USER to run it successfully?
Is there any reason this would be a stupid idea from a security perspective?
Thanks!
If this is NOT intended for multiple users, then the simplest (and most secure) method is for the partition to be mounted via fstab with a specified user as owner of the partition and restricted privileges. Namely,
UUID={something} / ext4 defaults,nosuid,uid=1000,gid=1000,fmask=0077,dmask=0077 0 1
That would have the partition mounted every time the system boots, but only the specified user could access that (or anyone with sudo privileges able to assume that identity). If that leaves it too open, you could consider whether to encrypt that partition as well. Implementing that is beyond my experience, but would allow only that user to mount/use/access on basis of the password required to mount. You also have to control the who and how the partition encryption password is changed.
If you pursue the encryption option, you can avoid the fstab approach, and allow the user to mount/unmount at will, since he would be the only one with the password.
The danger with encryption is that when the password is set, it needs to be stored securely, so that administrators can use to recover data when (not if) the organization loses the person that had the "master key".
I'm using QEMU to test Raspberry Pi before putting the image onto an SD card. I'm setting up an automated script to put some files onto the Pi, among other things, so that when I put the SD card into the Pi, it is immediately usable. I think I've run into a quirk in how permissions work, but I'm not sure.
When you run test -x, the file is supposed to be executable. Basically, the x bit is supposed to be on for your user. However, this doesn't seem to apply to files inside mounted filesystems.
The host is Ubuntu, and the guest backing image is Raspberry Pi Buster. I created the mountpoint with guestmount, because I was mounting a snapshot, not the original, and this seems to be the only/best way to do that. The basic flow was:
qemu-img convert -Oqcow2 raspberry-pi.img raspberry-pi.qcow
qemu-img create -f qcow2 snapshot.qcow -b raspberry-pi.qcow
sudo guestmount -a 'snapshot.qcow' -i 'mountpoint/'
For example, I have a file outside the repository. The file I'm testing inside the mountpoint was created by root, so I chmoded this file to root for comparison:
$ sudo ls -l --author ~/test/file
-rw-r--r-- 1 root root root 1133 Oct 8 21:43 /home/me/test/file
$ sudo test -x ~/test/file && echo 'exists' || echo 'doesn\'t exist'
doesn't exist
However, for a file inside the mountpoint, with the same permissions, the test is successful:
$ sudo ls -l --author mountpoint/home/pi/test/file
-rw-r--r-- 1 root root root 0 Oct 8 22:41 mountpoint/home/pi/test/file
$ sudo test -x ~/test/file && echo 'exists' || echo 'doesn\'t exist'
exists
Why is the file inside the mountpoint executable, whereas the one outside is not executable? Is this because the mounted filesystem is a different architecture (x86 vs. ARM)? Is it because I'm using guestmount, and the filesystem isn't the real filesysem, but an amalgamation of the snapshot & the original file? Or is this just the way mounting works? Where can I find more resources on this peculiar behavior, like other permission quirks I might encounter?
If you need any more information about the host or guest, please ask.
This is a bug in libguestfs used by guestmount. You can see it here:
/* Root user should be able to access everything, so only bother
* with these fine-grained tests for non-root. (RHBZ#1106548).
*/
if (fuse->uid != 0) {
[...]
if (mask & X_OK)
ok = ok &&
( fuse->uid == statbuf.st_uid ? statbuf.st_mode & S_IXUSR
: fuse->gid == statbuf.st_gid ? statbuf.st_mode & S_IXGRP
: statbuf.st_mode & S_IXOTH);
}
The FS takes a shortcut saying that since you're root you have full access, so there's no point checking the permissions.
As you've demonstrated, this is not true. Root should only have execute permissions for directories, and for files where at least one of the execute bits is set.
I was unable to build the project to submit a patch, but you can file a bug.
I'm wondering why my version of mount appears to ignore the effective user ID...
I have this C program owned by root with permission u+s:
int main() {
execl("/bin/mount", "/bin/mount", "/mnt/abc", (char *)0);
}
When a regular user runs it, it complains about not being root. I can work around it like this:
int main() {
setuid(0);
execl("/bin/mount", "/bin/mount", "/mnt/abc", (char *)0);
}
I read that bash changes the effective uid to the real uid as a safety feature. (see Calling a script from a setuid root C program - script does not run as root) However, I don't see why mount should do that. Does anyone know?
My mount version is:
mount from util-linux 2.29.2 (libmount 2.29.2: selinux, btrfs, assert, debug)
This happens because mount is designed to run as suid root.
$ ls -l /bin/mount
-rwsr-xr-x 1 root root 44200 Mar 6 13:31 /bin/mount
^
CDs or floppy drives would typically have the user option set in fstab to allow non-root users to access removable media. mount was made SUID root to support this, and it therefore checks the real UID to determine what you're allowed to do.
Similar to this question, I am unable to unset execute permissions on files after recently upgrading Cygwin.
I have a file with the following permissions:
ls -l filename
-rw-rwxr--+ 1 gstrycker Users 1334935 Jan 26 09:23 filename
I'm trying to get rid of execute privileges, but running chmod -x or even chmod 0 does not seem to work now (note that it always did work for me before -- but I don't believe there were this many columns in the POSIX security permissions)
chmod 0 filename
ls -l filename
----rwx---+ 1 gstrycker Users 1334935 Jan 26 09:23 filename
Why can I not seem to be able to modify this central group of privileges now? I've always been able to before. I even tried to change the group owner, but that didn't seem to help.
I'm stuck -- any ideas? Is this a new Cygwin bug? Did Cygwin recently add columns to the POSIX permissions, and if so, how do I access these?
I want to create a file in a directory owned by the staff group which I am a member of. Why can I not do this?
bmccann#bmccann-htpc:~$ ls -l /usr/local/lib/R/
total 4
drwxrwsr-x 2 root staff 4096 2010-07-31 16:21 site-library
bmccann#bmccann-htpc:~$ id -nG bmccann
bmccann adm dialout cdrom plugdev staff lpadmin admin sambashare
bmccann#bmccann-htpc:~$ touch /usr/local/lib/R/site-library/tmp
touch: cannot touch `/usr/local/lib/R/site-library/tmp': Permission denied
Did you logout and log back in after making the group changes? See:
Super User answer involving touch permissions failure
I had the same issue, check if the folder has any more ACL rules or not!
If you can see + (plus sign) when you list folder, that means it has special access rules. For example:
[user_in_apache_group#web02 html]$ ls -l
total 16
drwxrwxr-x 16 apache apache 4096 Sep 4 13:46 ilias
drwxrwxr-x+ 15 apache apache 4096 Sep 4 13:46 ilias5
View the permission:
[user_in_apache_group#web02 html] getfacl ilias5
# file: ilias5
# owner: apache
# group: apache
user::rwx
user:user_in_apache_group:r-x
group::rwx
mask::rwx
other::r-x
So that means my user (user_in_apache_group) has no write permission for that folder.
The solution is what #techtonik said, add write permission for user:
[user_in_apache_group#web02 html]$ sudo setfacl -m u:user_in_apache_group:rwx ./ilias5
Check permission again:
[user_in_apache_group#web02 html] getfacl ilias5
...
user:user_in_apache_group:rwx
...
Hope it helps. ;)
Why can't Linux user edit files in group he is a part of?
I am using Ubuntu 12.04 and had the same problem where a user cannot write to a file to whom he is allowed group access to. For example:
whoami //I am user el
el
touch /foobar/test_file //make a new file
sudo chown root:www-data /foobar/test_file //User=root group=www-data
sudo chmod 474 /foobar/test_file //owner and others get only read,
//group gets rwx
sudo groupadd www-data //create group called www-data
groups //take a look at the groups and see
www-data //www-data exists.
groups el //see that el is part of www-data
el : www-data
Restart the terminal now to ensure the users
and groups have taken effect. Login as el.
vi /foobar/test_file //try to edit the file.
Produces the Warning:
Warning: W10: Warning: Changing a readonly file"
What? I've done everything right why doesn't it work?
Answer:
Do a full reboot of the computer. Stopping the terminal isn't enough to fix these problems.
I think what happens is apache2 also uses the www-data group, so the task was somehow preventing the users and groups from being enforced correctly. Not only do you have to logout, but you have to stop and restart any services that use your group. If a reboot doesn't get it, you've got bigger problems.
Use Linux ACL (access control lists) - it is more fine-grained version of permission system,
setfacl -R -m 'group:staff:rwx' -m 'd:group:staff:rwx' /usr/local/lib/R/
This sets both active rights for directory and default rights for anything created within.
This fails to work without relogin if you've just added yourself to the staff group, but you may set the permission only for yourself for the current session.
I had an issue when a user could not access the /foo/bar/baz directory even when he had permissions because he did not have an access to the bar directory.
Maybe your hard disk is full. use this command to check out the "/dev/..." rows.
df -h
Check if your parent directory have permission before you add content to that file
sudo chmod -R 777 /yourDir/file.log