From: DaLynX
To: "Alnis Morics"
Cc: freebsd-questions
Subject: Re: Jail limited user cannot access host mountpoint although jail root can
Date: Sat, 11 Mar 2017 08:51:09 -0000

Alnis Morics wrote:
> On 03/11/2017 04:59, DaLynX via freebsd-questions wrote:
> > Hello,
> >
> > I am trying to make my setup work with jails and got stuck in the
> > following situation:
> >
> > - Host is mounting a fuse filesystem (because I couldn't make it work directly inside the jail - although the /dev/fuse device was accessible) in the jail's chroot.
> > - From root@host, everything looks fine.
> > - root@jail, too, can access the mounted filesystem, read files, no problem.
> > - limited@jail can see the mountpoints but cannot access them in any way (no cd, no ls...) although the file permissions look okay (it's all 755, and for some reason limited is the owner of all mountpoints).
> >
> > What could have gone wrong? I tried playing around with
> > vfs.usermount on the host or enforce_statfs on the jail but it
> > makes no difference.
> >
> > Any pointers would be greatly appreciated.
> >
> > Kind regards,
> > DaLynX
>
> Why not use mount_nullfs(8)? Like:
>
> mount_nullfs
> /usr/jails//
>
> -Alnis

Dear Alnis,

Thank you for your answer but I fail to see how nullfs could help. Do you mean I should first mount my fusefs'es somewhere on my host - say /mnt/ - and then use nullfs to map them to the jail dirs? (/iocage/jails//root/mnt/, in my case)

Would there be a difference in fusefs / nullfs functionality or implementation that would explain different behaviour in the jails in the end, and the problem I am facing?

If you meant using nullfs instead of fuse I am afraid you are missing the point. I want to use tools such as sshfs or archivemount, that are based on fuse.

DaLynX

From: Ernie Luzar
To: DaLynX
CC: Alnis Morics, freebsd-questions
Subject: Re: Jail limited user cannot access host mountpoint although jail root can
Date: Sat, 11 Mar 2017 13:34:27 -0500

DaLynX via freebsd-questions wrote:
> Alnis Morics wrote:
>> On 03/11/2017 04:59, DaLynX via freebsd-questions wrote:
>>> Hello,
>>>
>>> I am trying to make my setup work with jails and got stuck in the
>>> following situation:
>>>
>>> - Host is mounting a fuse filesystem (because I couldn't make it work directly inside the jail - although the /dev/fuse device was accessible) in the jail's chroot.
>>> - From root@host, everything looks fine.
>>> - root@jail, too, can access the mounted filesystem, read files, no problem.
>>> - limited@jail can see the mountpoints but cannot access them in any way (no cd, no ls...) although the file permissions look okay (it's all 755, and for some reason limited is the owner of all mountpoints).
>>>
>>> What could have gone wrong? I tried playing around with
>>> vfs.usermount on the host or enforce_statfs on the jail but it
>>> makes no difference.
>>>
>>> Any pointers would be greatly appreciated.
>>>
>>> Kind regards,
>>> DaLynX
>> Why not use mount_nullfs(8)? Like:
>>
>> mount_nullfs
>> /usr/jails//
>>
>> -Alnis
>
> Dear Alnis,
>
> Thank you for your answer but I fail to see how nullfs could
> help. Do you mean I should first mount my fusefs'es somewhere on
> my host - say /mnt/ - and then use nullfs to map them to the jail
> dirs? (/iocage/jails//root/mnt/, in my case)
>
> Would there be a difference in fusefs / nullfs functionality or
> implementation that would explain different behaviour in the
> jails in the end, and the problem I am facing?
>
> If you meant using nullfs instead of fuse I am afraid you are
> missing the point. I want to use tools such as sshfs or
> archivemount, that are based on fuse.
>

It's my understanding that fuse just does not play well with jails. This has been known for a long time but is just not general public knowledge. There have been many reports from people trying to use fuse to mount the shared binary running system at jail start time without any success. The resulting solution is to use nullfs mounts.

I think what the previous post is saying is to use nullfs to mount the shared binary running system. Then try to activate fuse for the other tasks using the poststart.exec variable. That way the jail is up and running before any fuse things are started. If that doesn't work then you have to accept that those fuse based tools are NOT going to be able to run in a jail. They were never designed with jails in mind.
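
The arrangement suggested in the reply above, written out as a jail.conf(5) fragment. This is an added example, not configuration from anyone in the thread. jail(8) spells the post-start hook `exec.poststart`; the jail name, all paths, the fstab file and the sshfs target are constructed placeholders, and `allow_other` is an assumption the thread does not test.

```conf
# /etc/jail.conf fragment (added example; every name and path is a placeholder)
fusejail {
    path = "/usr/jails/fusejail";
    host.hostname = "fusejail.example.org";
    mount.devfs;

    # Shared base system, null-mounted by jail(8) before the jail is created.
    # /etc/fstab.fusejail would hold a line such as:
    #   /usr/jails/basejail  /usr/jails/fusejail/basejail  nullfs  ro  0  0
    mount.fstab = "/etc/fstab.fusejail";

    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown";

    # exec.poststart runs in the host environment after exec.start has
    # completed, so the jail is already up when the FUSE mount appears
    # under its root. The mount is made by the host: the jail itself gets
    # no mount privilege and does not need /dev/fuse in its devfs ruleset.
    #
    # allow_other is a standard FUSE mount option that admits users other
    # than the one who ran sshfs. Including it here is an assumption; the
    # thread does not establish that it fixes the limited-user problem.
    exec.poststart = "sshfs -o allow_other backup@files.example.org:/export /usr/jails/fusejail/mnt/remote";

    # Detach the FUSE mount on the host before the jail is removed.
    exec.prestop = "umount /usr/jails/fusejail/mnt/remote";
}
```

Because `exec.poststart` runs non-interactively, the sshfs login has to work without a password prompt, for example with key-based authentication for the host's root user.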