Date:      Sat, 11 Mar 2017 08:51:09 -0000
From:      DaLynX <d@l.ynx.fr>
To:        "Alnis Morics" <alnis.moritz@gmail.com>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: Jail limited user cannot access host mountpoint although jail root can
Message-ID:  <PL7L9KAPUNgp59GEhp9CxekJV8LtMhuvWzrmXvdz21aa@mailpile>
In-Reply-To: <e98ded48-119c-7d01-19e7-fd56f5ee0d33@gmail.com>
References:  <e98ded48-119c-7d01-19e7-fd56f5ee0d33@gmail.com>

Alnis Morics <alnis.moritz@gmail.com> wrote:
> On 03/11/2017 04:59, DaLynX via freebsd-questions wrote:
> > Hello,
> >
> > I am trying to make my setup work with jails and got stuck in the
> > following situation:
> >
> > - Host is mounting a fuse filesystem (because I couldn't make it work directly inside the jail - although the /dev/fuse device was accessible) in the jail's chroot.
> > - From root@host, everything looks fine.
> > - root@jail, too, can access the mounted filesystem, read files, no problem.
> > - limited@jail can see the mountpoints but cannot access them in any way (no cd, no ls...) although the file permissions look okay (it's all 755, and for some reason limited is the owner of all mountpoints).
> >
> > What could have gone wrong? I tried playing around with
> > vfs.usermount on the host or enforce_statfs on the jail but it
> > makes no difference.
> >
> > Any pointers would be greatly appreciated.
> >
> > Kind regards,
> > DaLynX
> 
> Why not use mount_nullfs(8)? Like:
> 
> mount_nullfs <directory_on_host> /usr/jails/<jailname>/<dir_on_jail>
> 
> -Alnis
> 

Dear Alnis,

Thank you for your answer but I fail to see how nullfs could
help. Do you mean I should first mount my fusefs'es somewhere on
my host - say /mnt/ - and then use nullfs to map them to the jail
dirs? (/iocage/jails/<jail_id>/root/mnt/, in my case)

Would there be a difference in fusefs / nullfs functionality or
implementation that would explain different behaviour in the
jails in the end, and the problem I am facing?

If you meant using nullfs instead of fuse I am afraid you are
missing the point. I want to use tools such as sshfs or
archivemount, that are based on fuse.

DaLynX

Date:      Sat, 11 Mar 2017 13:34:27 -0500
From:      Ernie Luzar <luzar722@gmail.com>
To:        DaLynX <d@l.ynx.fr>
Cc:        Alnis Morics <alnis.moritz@gmail.com>, freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: Jail limited user cannot access host mountpoint although jail root can
Message-ID:  <58C44333.4080003@gmail.com>
In-Reply-To: <PL7L9KAPUNgp59GEhp9CxekJV8LtMhuvWzrmXvdz21aa@mailpile>
References:  <e98ded48-119c-7d01-19e7-fd56f5ee0d33@gmail.com> <PL7L9KAPUNgp59GEhp9CxekJV8LtMhuvWzrmXvdz21aa@mailpile>

DaLynX via freebsd-questions wrote:
> Alnis Morics <alnis.moritz@gmail.com> wrote:
>> On 03/11/2017 04:59, DaLynX via freebsd-questions wrote:
>>> Hello,
>>>
>>> I am trying to make my setup work with jails and got stuck in the
>>> following situation:
>>>
>>> - Host is mounting a fuse filesystem (because I couldn't make it work directly inside the jail - although the /dev/fuse device was accessible) in the jail's chroot.
>>> - From root@host, everything looks fine.
>>> - root@jail, too, can access the mounted filesystem, read files, no problem.
>>> - limited@jail can see the mountpoints but cannot access them in any way (no cd, no ls...) although the file permissions look okay (it's all 755, and for some reason limited is the owner of all mountpoints).
>>>
>>> What could have gone wrong? I tried playing around with
>>> vfs.usermount on the host or enforce_statfs on the jail but it
>>> makes no difference.
>>>
>>> Any pointers would be greatly appreciated.
>>>
>>> Kind regards,
>>> DaLynX
>> Why not use mount_nullfs(8)? Like:
>>
>> mount_nullfs <directory_on_host> /usr/jails/<jailname>/<dir_on_jail>
>>
>> -Alnis
> 
> Dear Alnis,
> 
> Thank you for your answer but I fail to see how nullfs could
> help. Do you mean I should first mount my fusefs'es somewhere on
> my host - say /mnt/ - and then use nullfs to map them to the jail
> dirs? (/iocage/jails/<jail_id>/root/mnt/, in my case)
> 
> Would there be a difference in fusefs / nullfs functionality or
> implementation that would explain different behaviour in the
> jails in the end, and the problem I am facing?
> 
> If you meant using nullfs instead of fuse I am afraid you are
> missing the point. I want to use tools such as sshfs or
> archivemount, that are based on fuse.
> 


It's my understanding that fuse just does not play well with jails. This 
has been known for a long time but just not general public knowledge. 
There have been many reports from people trying to use fuse to mount the 
shared binary running system at jail start time without any success. The 
resulting solution is to use nullfs mounts.

I think what the previous post is saying is to use nullfs to mount the 
shared binary running system. Then try to activate fuse for the other 
tasks using the poststart.exec variable. That way the jail is up and 
running before any fuse things are started.

If that doesn't work then you have to accept that those fuse based tools 
are NOT going to be able to run in a jail. They were never designed with 
jails in mind.
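
The ordering described in the message above (nullfs mounts first, FUSE mounts only once the jail is running), sketched as a jail.conf(5) fragment. This is an added example, not part of the original thread; jail.conf(5) spells the hook `exec.poststart`, and the jail name, paths and sshfs remote are placeholders.

```conf
# /etc/jail.conf fragment (constructed example; the jail name, all paths
# and the sshfs remote are placeholders, not values from the thread)
demo {
    path = "/usr/jails/demo";
    host.hostname = "demo.example.org";
    mount.devfs;

    # Step 1: nullfs mount of a host directory. jail(8) performs it before
    # the jail is created and undoes it after the jail is removed.
    # The mount point must already exist under the jail's root.
    mount += "/usr/local/share/data /usr/jails/demo/mnt/data nullfs ro 0 0";

    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";

    # Step 2: FUSE mount started from the host environment only after the
    # exec.start commands have completed. Assumes the fuse kernel module
    # is loaded on the host and that root on the host has non-interactive
    # (key-based) SSH access to the remote.
    exec.poststart = "sshfs backup@files.example.org:/export /usr/jails/demo/mnt/remote";

    # Unmount the FUSE filesystem from the host before the jail is stopped,
    # so no mount is left behind inside the jail's directory tree.
    exec.prestop = "umount /usr/jails/demo/mnt/remote";
}
```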




