Sshfs needs doas, how to use sshfs as an unprivileged user?

E

Ethish

Using a fresh install of FreeBSD 13.0. I'm trying to mount a remote directory on a linux server via sshfs with the following command:

sshfs user@x.x.x.x:/home/user/Dir/dir/ /usr/home/anotheruser/DestinationDir/ -p1234 -v -o idmap=user,uid=X,guid=Y,allow_other,follow_symlinks,reconnect

The command fails with the following statement:

mount_fusefs: /dev/fuse on /usr/home/anotheruser/DestinationDir: Operation not permitted

user_allow_other is in fuse.conf

When using:

doas sshfs user@x.x.x.x:/home/user/Dir/dir/ /usr/home/anotheruser/DestinationDir/ -p1234 -v -o idmap=user,uid=X,guid=Y,allow_other,follow_symlinks,reconnect

the remote directory will mount.

I know I must be missing something, but I don't know what.

Does anybody know what is needed to be able to use sshfs without doas?
 
rootbert said:
the sysctl vfs.usermount=1 is needed
Click to expand...
Hi rootbert,
Thank you.
I set the above value in /etc/sysctl.conf, (rebooted) and verified it with sysctl -a | grep vfs.usermount, which gives vfs.usermount= 1.
Sshfs still needs doas.

Any other ideas?
 
Ethish said:
Sshfs still needs doas.
Click to expand...
I'm using sshfs, but I don't need doas/super/sudo etc. to use it; In your first post there's a hint to /dev/fuse… Maybe: Does your user has the permission to use this device? Check the group of that device, and check if your user belongs to that group. Mine does.
 
Ethish said:
I'm trying to mount a remote directory on a linux server via sshfs with the following command:

sshfs user@x.x.x.x:/home/user/Dir/dir/ /usr/home/anotheruser/DestinationDir/ -p1234 -v -o idmap=user,uid=X,guid=Y,allow_other,follow_symlinks,reconnect
Click to expand...

Set vfs.usermount=1 and remove allow_other option.

mount_fusefs(8):
Code: 
allow_other
                     Do not apply STRICT ACCESS POLICY.  Only root can use
                     this option.

Ethish said:
user_allow_other is in fuse.conf
Click to expand...

Is not supported on FreeBSD, it seems.
 
jmos said:
I'm using sshfs, but I don't need doas/super/sudo etc. to use it; In your first post there's a hint to /dev/fuse… Maybe: Does your user has the permission to use this device? Check the group of that device, and check if your user belongs to that group. Mine does.
Click to expand...
Hi jmos,

Thank you.

ls -lah /dev/fuse gives:

crw-rw-rw- 1 root operator 0x3f Jan14 16:56 /dev/fuse

My user is a member of group operator, this does not seem to be the problem.
 
A little bit of a workaround but can you make the sshfs program setuid?

Code: 
# cp /usr/local/bin/sshfs /usr/local/bin/mount_ssh
# chown root:<username> /usr/local/bin/mount_ssh
# chmod u=rwxs,go=rx /usr/local/bin/mount_ssh

Now, when any user in the <username> group executes the binary, it will run as root.
You might want to copy and try it out on the /usr/bin/whoami program first.

Warning: It is very easy with setuid to introduce unintended backdoors. I *believe* sshfs and whoami will not pose a problem but be careful :)
 
kpedersen said:
A little bit of a workaround but can you make the sshfs program setuid?

Code: 
# cp /usr/local/bin/sshfs /usr/local/bin/mount_ssh
# chown root:<username> /usr/local/bin/mount_ssh
# chmod u=rwxs,go=rx /usr/local/bin/mount_ssh

Now, when any user in the <username> group executes the binary, it will run as root.
You might want to copy and try it out on the /usr/bin/whoami program first.
Click to expand...
Hi kpedersen,
Interesting idea, but I prefer to use sshfs with an unprivileged user.
Thanks for the suggestion.
 
tingo said:
and potentially a security issue. You really should mention that when suggesting changing random programs to setuid.
Click to expand...
A fair point, but I am not sure it reduces security in this case any more than allowing a user to run it via sudo / doas. Though I will edit my post.

Weirdly I didn't see the OP had solved the issue with allow_other prior to my post!
 
You must log in or register to reply here.
Back
Top