Is it possible to enable spotlight on a volume that is not mounted as admin?


Barry Leslie

Jan 9, 2020, 2:15:48 PM
to OSXFUSE

When testing with the loopback file system the only way I can get it to allow spotlight indexing is to start it as admin:

 sudo ./loopback /Volumes/loop3  -omodules=threadid:subdir,subdir=/Users/me/tmp  -oallow_other,native_xattr,volname=LoopbackFS3 -olocal
mdutil /Volumes/loop3 -i on
/System/Volumes/Data/Volumes/loop3:
    Indexing enabled.

If I start it without 'sudo' I cannot enable indexing:
./loopback /Volumes/loop3  -omodules=threadid:subdir,subdir=/Users/me/tmp  -oallow_other,native_xattr,volname=LoopbackFS3 -olocal
mdutil /Volumes/loop3 -i on
/System/Volumes/Data/Volumes/loop3:
    Indexing disabled.


The documentation mentions that to be able to use allow_other you need to be running as admin or a member of the "osxfuse Admin" group.

With allow_other, the volume will be accessible normally to all users, but usual permission checks will of course apply. Note that allow_other is a privileged option in that it can only be used by either the superuser or by a user belonging to the "osxfuse Admin" group. When osxfuse loads in the kernel, it sets this group's ID to be that of the admin group on Mac OS X. The superuser can view or change this ID through the sysctl interface (note that osxfuse allows you to set any group ID you specify, even those that do not exist):


$ sudo sysctl vfs.generic.osxfuse.tunables.admin_group # get
vfs.generic.osxfuse.tunables.admin_group: 80
$ sudo sysctl -w vfs.generic.osxfuse.tunables.admin_group=81 # set
vfs.generic.osxfuse.tunables.admin_group: 80 -> 81

What is the "osxfuse Admin" group?

Setting vfs.generic.osxfuse.tunables.admin_group to the group ID 20 (staff) doesn't have any effect.



Barry Leslie

Jan 9, 2020, 5:52:37 PM
to OSXFUSE
This was a self-inflicted problem. I had run this first with sudo and as a result the .Spotlight-V100 was created as root, so that when I ran it without sudo it was not able to access it.

My general question still remains: is it possible to set the "osxfuse Admin" group so that a non-admin user can run the file system and still allow spotlight to index it?

Benjamin Fleischer

Jan 10, 2020, 7:07:45 AM
to osxfus...@googlegroups.com
Have a closer look at the admin_group sysctl. Set the admin group to 20 (staff) to allow non-admin users to use the allow_other option. You would need to check the setting before every mount.

However, please keep in mind that this has stability implications. Users would be able to mount all kinds of file systems and allow system processes to access them. This could lead to the system becoming unresponsive or unstable.

An alternative approach would be to write a helper with root permissions to mount just the one file system with the allow_other option.

Best regards,
Benjamin

On 09.01.2020 at 23:52, Barry Leslie <Barry....@primebase.org> wrote:



Barry Leslie

Jan 14, 2020, 5:09:24 PM
to OSXFUSE
Thanks for your reply,

Is there no way to set the default group ID value so that it is persistent between restarts of the machine?

Using a helper app to mount the system is not an option since the file system is not a standalone app but is part of a larger app that has its own user interface.

Barry
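The two conditions raised in this thread (membership in the group named by the admin_group sysctl, and a .Spotlight-V100 store left behind by an earlier root mount) can be checked before each unprivileged mount. The script below is an added example, not code from the thread or from the OSXFUSE project; the function names are hypothetical, and it assumes the Spotlight store sits in the backing directory, as with the loopback subdir setup above.

```shell
#!/bin/sh
# Pre-mount checks for a non-root FUSE mount that uses -oallow_other.
# Added example; function names are hypothetical.

# True if numeric gid $1 appears in the space-separated gid list $2.
gid_in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# Print the numeric owner uid of path $1 (ls -n works on macOS and Linux).
owner_uid() {
    ls -nd -- "$1" | awk '{print $3}'
}

# True if $1/.Spotlight-V100 is absent or owned by uid $2.
# Assumption: the store lives in the backing directory of the mount.
spotlight_store_ok() {
    store="$1/.Spotlight-V100"
    [ -e "$store" ] || return 0
    [ "$(owner_uid "$store")" = "$2" ]
}

# premount_check BACKING_DIR ADMIN_GID
# Returns 0 when neither problem from the thread is present.
premount_check() {
    backing=$1 admin_gid=$2 rc=0
    # The superuser may always use allow_other; others need the group.
    if [ "$(id -u)" != 0 ] && ! gid_in_list "$admin_gid" "$(id -G)"; then
        echo "not in osxfuse admin group (gid $admin_gid): allow_other unavailable" >&2
        rc=1
    fi
    if ! spotlight_store_ok "$backing" "$(id -u)"; then
        echo "$backing/.Spotlight-V100 belongs to another uid (earlier sudo mount?)" >&2
        rc=1
    fi
    return $rc
}

# Usage on macOS, reading the live tunable before every mount:
#   gid=$(sysctl -n vfs.generic.osxfuse.tunables.admin_group)
#   premount_check /Users/me/tmp "$gid" && ./loopback /Volumes/loop3 ...
```

Because the sysctl value does not persist by itself, reading it at mount time reports a reset group ID before mdutil silently reports "Indexing disabled".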
