
Mounting as non-root (FUSE) ?


Kenny McCormack

Dec 1, 2022, 4:12:22 AM
I know that with sshfs, I can mount things as an ordinary user. This uses
the "FUSE" system, which involves some setuid programs to achieve the
magic. Note, incidentally, that /usr/bin/sshfs is *not* setuid, but
/bin/fusermount is.

The question is: Can this be generalized? Can I use the FUSE idea to do a
non-sshfs type mount? What I have in mind is something like:

$ mke2fs file 10m
$ mkdir /tmp/goofy
$ mount file /tmp/goofy

Obviously, the "mount" fails, but there's no real reason why it should have
to - if I could use the FUSE idea to mount it. Note that the mount would
only be visible to me, not to other users (this is also the case with sshfs).
(Yes, I know there is an option with FUSE/sshfs to *make* it globally
visible; enabling this option requires root access)

Is this possible?

--
The randomly chosen signature file that would have appeared here is more than 4
lines long. As such, it violates one or more Usenet RFCs. In order to remain
in compliance with said RFCs, the actual sig can be found at the following URL:
http://user.xmission.com/~gazelle/Sigs/Noam

Marco Moock

Dec 1, 2022, 4:41:25 AM
On 01.12.2022, gaz...@shell.xmission.com (Kenny McCormack) wrote:

> The question is: Can this be generalized? Can I use the FUSE idea to
> do a non-sshfs type mount? What I have in mind is something like:

From the manpage:

fusermount3 is a program to mount and unmount FUSE
filesystems. It should be called directly only for unmounting
FUSE file systems. To allow mounting and unmounting by
unprivileged users, fusermount3 needs to be installed set-uid
root.

Use fusermount instead of mount and set the setuid.

Kenny McCormack

Dec 1, 2022, 5:11:57 AM
In article <tm9ss0$2oo3t$2...@dont-email.me>, Marco Moock <mo...@posteo.de> wrote:
>On 01.12.2022, gaz...@shell.xmission.com (Kenny McCormack) wrote:
>
>> The question is: Can this be generalized? Can I use the FUSE idea to
>> do a non-sshfs type mount? What I have in mind is something like:
>
>From the manpage:
>
> fusermount3 is a program to mount and unmount FUSE
> filesystems. It should be called directly only for unmounting
> FUSE file systems. To allow mounting and unmounting by
> unprivileged users, fusermount3 needs to be installed set-uid
> root.
>
>Use fusermount instead of mount and set the setuid.
>

With all due respect, I think you missed the point.

fusermount is only documented for end-user use to unmount, not to mount.

So, although it may be possible to use it that way, it is:
A) Not intended to be used that way.
B) I'd just be guessing if I tried to figure it out.

--
If there is anything more pathetic than Dr. Donald Trump, MD, giving out medical
advice, it is the pathetic followers of Dr. Trump trying to implement said advice.

Scott Lurndal

Dec 1, 2022, 10:25:31 AM
gaz...@shell.xmission.com (Kenny McCormack) writes:
>I know that with sshfs, I can mount things as an ordinary user. This uses
>the "FUSE" system, which involves some setuid programs to achieve the
>magic. Note, incidentally, that /usr/bin/sshfs is *not* setuid, but
>/bin/fusermount is.
>
>The question is: Can this be generalized? Can I use the FUSE idea to do a
>non-sshfs type mount? What I have in mind is something like:
>
>$ mke2fs file 10m
>$ mkdir /tmp/goofy
>$ mount file /tmp/goofy


$ mount -o loop,rw file /tmp/goofy

Kenny McCormack

Dec 1, 2022, 10:53:07 AM
In article <HH3iL.2758$lzK9...@fx35.iad>,
mount: only root can use "--options" option
$ mount file /tmp/goofy
mount: only root can do that
$

Do you think that maybe, just maybe, I had tried all that before starting
this thread?

And, by the way, when you Google this, most of the hits talk about
modifying /etc/fstab (which, of course, requires root access). And that's
not really such a bad idea (if you *do* have root access), except of course
that the whole point of the exercise is to be able to do it w/o having root
access on the system.

--
So to cure the problem of arrogant incompetent rich people we should turn
the government over to an arrogant incompetent trust fund billionaire
who knows nothing about government and who has never held a job in his
entire spoiled life?

Scott Lurndal

Dec 1, 2022, 11:14:53 AM
gaz...@shell.xmission.com (Kenny McCormack) writes:
>In article <HH3iL.2758$lzK9...@fx35.iad>,
>Scott Lurndal <sl...@pacbell.net> wrote:
>>gaz...@shell.xmission.com (Kenny McCormack) writes:
>>>I know that with sshfs, I can mount things as an ordinary user. This uses
>>>the "FUSE" system, which involves some setuid programs to achieve the
>>>magic. Note, incidentally, that /usr/bin/sshfs is *not* setuid, but
>>>/bin/fusermount is.
>>>
>>>The question is: Can this be generalized? Can I use the FUSE idea to do a
>>>non-sshfs type mount? What I have in mind is something like:
>>>
>>>$ mke2fs file 10m
>>>$ mkdir /tmp/goofy
>>>$ mount file /tmp/goofy
>>
>>
>>$ mount -o loop,rw file /tmp/goofy
>>
>
> $ mount -o loop,rw file /tmp/goofy
> mount: only root can use "--options" option
> $ mount file /tmp/goofy
> mount: only root can do that
> $
>
>Do you think that maybe, just maybe, I had tried all that before starting
>this thread?

The idea is to make a small suid-root utility that does the
above loopback mount. Much like fusermount.

Kenny McCormack

Dec 1, 2022, 12:37:31 PM
In article <Yp4iL.2766$lzK9...@fx35.iad>,
Sounds good. Can you give me the root password for the machine on which I
need to do this? Thanks.

'Cause I'll need that in order to create that suid-root utility...

Anyway, let's get back on topic. Can it be done using fusermount?
Like sshfs (which is not setuid, as was mentioned in the OP) does it.

--
The book "1984" used to be a cautionary tale;
Now it is a "how-to" manual.

James K. Lowden

Dec 1, 2022, 3:28:13 PM
On Thu, 1 Dec 2022 17:37:26 -0000 (UTC)
gaz...@shell.xmission.com (Kenny McCormack) wrote:

> >The idea is to make a small suid-root utility that does the
> >above loopback mount. Much like fusermount.
> >
>
> Sounds good. Can you give me the root password for the machine on
> which I need to do this? Thanks.
>
> 'Cause I'll need that in order to create that suid-root utility...

I think you're asking a reasonable question, and then inhibiting the
discussion with rather too much snark.

I think your question is: Can I mount anything without root
privileges? The answer seems to be No, but might be Yes. I'm just a
Linux security tourist. I don't live there or work there.

On NetBSD, under some security models, the answer is Yes. If the user
has privileges on the device and mount directory, the mount succeeds.
This was especially helpful back in the day of spinning round plastic,
then known as a "CD-ROM".

A quick scan of the Linux mount(8) man page reveals

context=context

and brethren. That looks like the way there.

I don't think the fact that FUSE supplies the device from a
user-owned gadget matters to the security model, because the operations
pass through the kernel.

> Can you give me the root password for the machine

If you expect to do any root thing without root privileges, you're
going to be disappointed. The security begins with deny, and can be
relaxed only by a user with sufficient privileges.

The guy who wrote fusermount didn't know the root password on your
machine, and his executable didn't come with set-uid magically turned
on. The binary gained that privilege when you, as a privileged user,
granted it.

HTH.

--jkl

Ben Bacarisse

Dec 1, 2022, 6:00:00 PM
gaz...@shell.xmission.com (Kenny McCormack) writes:

> I know that with sshfs, I can mount things as an ordinary user. This uses
> the "FUSE" system, which involves some setuid programs to achieve the
> magic. Note, incidentally, that /usr/bin/sshfs is *not* setuid, but
> /bin/fusermount is.
>
> ... Can I use the FUSE idea to do a
> non-sshfs type mount? What I have in mind is something like:
>
> $ mke2fs file 10m
> $ mkdir /tmp/goofy
> $ mount file /tmp/goofy

I think the answer to the specific question -- can you use fuse to do
this -- is no.

Now I know you get shirty if people suggest work-arounds, but do you
have, and can you use, udisksctl?

--
Ben.

Mikko Rauhala

Dec 2, 2022, 6:41:14 PM
On Thu, 1 Dec 2022 09:12:17 -0000 (UTC), Kenny McCormack
<gaz...@shell.xmission.com> wrote:
> The question is: Can this be generalized? Can I use the FUSE idea to do a
> non-sshfs type mount? What I have in mind is something like:
>
> $ mke2fs file 10m
> $ mkdir /tmp/goofy
> $ mount file /tmp/goofy

You'll want fuse2fs for this in particular, as the format will have to
be supported by the fuse client. There are fuse clients for some other
formats as well (eg. fuseiso).

There used to be a mountlo project which ran an entire User Mode Linux
instance to mount the image and then expose it to the host kernel
through FUSE, giving you the ability to FUSE mount any Linux-supported
image, but seems at a glance that the project's not very alive these
days. Was an amusing kludge though.

--
Mikko Rauhala - m...@iki.fi - http://rauhala.org/
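
Added example, not part of any post in this thread: the fuse2fs route suggested above as a shell script that first checks the prerequisites the thread discusses (a fusermount helper installed setuid root, per the quoted manpage) and then creates, mounts and unmounts the image as an ordinary user. The function names, the /dev/fuse access check and the use of mke2fs `-E root_owner` are assumptions of this example; it expects Linux with GNU stat and e2fsprogs.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux with GNU stat, e2fsprogs
# (mke2fs, fuse2fs) and a FUSE helper already installed by the administrator.

# True if FILE has the set-user-ID bit and is owned by numeric uid OWNER.
is_setuid_owned_by() {
    [ -u "$1" ] && [ "$(stat -L -c %u "$1" 2>/dev/null)" = "$2" ]
}

# Print the path of the first FUSE mount helper found in PATH.
find_fuse_helper() {
    for name in fusermount3 fusermount; do
        command -v "$name" 2>/dev/null && return 0
    done
    return 1
}

# Report each missing prerequisite; return 0 only if all are present.
fuse_preflight() {
    rc=0
    helper=$(find_fuse_helper) || { echo "no fusermount helper in PATH"; rc=1; }
    if [ -n "$helper" ] && ! is_setuid_owned_by "$helper" 0; then
        echo "$helper is not setuid root"; rc=1
    fi
    [ -r /dev/fuse ] && [ -w /dev/fuse ] || { echo "/dev/fuse not accessible"; rc=1; }
    command -v fuse2fs >/dev/null 2>&1 || { echo "fuse2fs not installed"; rc=1; }
    return "$rc"
}

# Create a 10 MiB ext2 image, mount it via fuse2fs, write a file, unmount.
mount_image_as_user() {
    img=$1 mnt=$2
    fuse_preflight || return 1
    truncate -s 10M "$img" &&
    mke2fs -q -F -t ext2 -E root_owner "$img" &&   # root dir owned by caller
    mkdir -p "$mnt" &&
    fuse2fs "$img" "$mnt" &&
    echo hello > "$mnt/test.txt" &&
    "$(find_fuse_helper)" -u "$mnt"
}

# Run only when given arguments, e.g.: sh demo.sh file /tmp/goofy
if [ "$#" -eq 2 ]; then mount_image_as_user "$1" "$2"; fi
```

If the preflight reports a missing item, each one is something only an administrator can install or grant; the script itself never needs root.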

Kenny McCormack

Dec 2, 2022, 7:33:08 PM
In article <slrntol38...@shadow.rauhala.org>,
Very interesting. Thanks.

I'll look into it.

But it sounds like the basic answer is that, yes, it can be done, but you
do need to have a driver for each thing (type) that you want to mount.

Note, BTW, that a recent version (I don't know offhand if it is the
latest/current version of NTFS drivers or not) of the NTFS driver used
FUSE, so I know that it is possible to have FUSE drivers for things other
than sshfs.

--
"Every time Mitt opens his mouth, a swing state gets its wings."

(Should be on a bumper sticker)