Sshfs needs doas, how to use sshfs as an unprivileged user?

Using a fresh install of FreeBSD 13.0. I'm trying to mount a remote directory on a Linux server via sshfs with the following command:

sshfs user@x.x.x.x:/home/user/Dir/dir/ /usr/home/anotheruser/DestinationDir/ -p1234 -v -o idmap=user,uid=X,guid=Y,allow_other,follow_symlinks,reconnect

The command fails with the following statement:

mount_fusefs: /dev/fuse on /usr/home/anotheruser/DestinationDir: Operation not permitted

user_allow_other is in fuse.conf

When using:

doas sshfs user@x.x.x.x:/home/user/Dir/dir/ /usr/home/anotheruser/DestinationDir/ -p1234 -v -o idmap=user,uid=X,guid=Y,allow_other,follow_symlinks,reconnect

the remote directory will mount.

I know I must be missing something, but I don't know what.

Does anybody know what is needed to be able to use sshfs without doas?
 
The sysctl vfs.usermount=1 is needed.
Hi rootbert,
Thank you.
I set the above value in /etc/sysctl.conf, (rebooted) and verified it with sysctl -a | grep vfs.usermount, which gives vfs.usermount= 1.
Sshfs still needs doas.

Any other ideas?
 
Sshfs still needs doas.
I'm using sshfs, but I don't need doas/super/sudo etc. to use it. In your first post there's a hint about /dev/fuse… Maybe: does your user have permission to use this device? Check the group of that device, and check if your user belongs to that group. Mine does.
 
I'm trying to mount a remote directory on a linux server via sshfs with the following command:

sshfs user@x.x.x.x:/home/user/Dir/dir/ /usr/home/anotheruser/DestinationDir/ -p1234 -v -o idmap=user,uid=X,guid=Y,allow_other,follow_symlinks,reconnect

Set vfs.usermount=1 and remove allow_other option.

mount_fusefs(8):
Code:
allow_other
                     Do not apply STRICT ACCESS POLICY.  Only root can use
                     this option.

user_allow_other is in fuse.conf

Is not supported on FreeBSD, it seems.
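
Added example, not part of any post in this thread: a preflight that checks the three conditions discussed above (vfs.usermount, access to /dev/fuse, and the root-only allow_other option) before running sshfs without doas. The function names diagnose and strip_allow_other are hypothetical helpers, not part of sshfs or FreeBSD.

```sh
#!/bin/sh
# Added example. diagnose and strip_allow_other are hypothetical helper
# names, not part of sshfs or FreeBSD.

# Print a comma-separated -o string with allow_other removed.
# mount_fusefs(8) documents allow_other as usable by root only.
strip_allow_other() (
    set -f          # no globbing while splitting the option string
    IFS=,
    out=
    for opt in $1; do
        case "$opt" in
            allow_other) ;;
            *) out="${out:+$out,}$opt" ;;
        esac
    done
    printf '%s\n' "$out"
)

# diagnose UID USERMOUNT FUSE_RW OPTS
# Prints one line per reason an unprivileged mount would be refused.
# Returns 0 when nothing blocks the mount, 1 otherwise.
diagnose() {
    uid=$1 usermount=$2 fuse_rw=$3 opts=$4 rc=0
    if [ "$uid" -eq 0 ]; then
        return 0    # root is not subject to these restrictions
    fi
    if [ "$usermount" != 1 ]; then
        echo "vfs.usermount is $usermount, needs to be 1"; rc=1
    fi
    if [ "$fuse_rw" != yes ]; then
        echo "no read/write access to /dev/fuse"; rc=1
    fi
    case ",$opts," in
        *,allow_other,*)
            echo "allow_other is root-only, use: -o $(strip_allow_other "$opts")"; rc=1 ;;
    esac
    return "$rc"
}

# Live run on the FreeBSD host, e.g.:
#   sh preflight.sh 'idmap=user,allow_other,follow_symlinks,reconnect'
if [ $# -gt 0 ]; then
    fuse_rw=no
    if [ -r /dev/fuse ] && [ -w /dev/fuse ]; then fuse_rw=yes; fi
    diagnose "$(id -u)" "$(sysctl -n vfs.usermount)" "$fuse_rw" "$1"
fi
```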
 
I'm using sshfs, but I don't need doas/super/sudo etc. to use it. In your first post there's a hint about /dev/fuse… Maybe: does your user have permission to use this device? Check the group of that device, and check if your user belongs to that group. Mine does.
Hi jmos,

Thank you.

ls -lah /dev/fuse gives:

crw-rw-rw- 1 root operator 0x3f Jan14 16:56 /dev/fuse

My user is a member of group operator; this does not seem to be the problem.
 
A little bit of a workaround but can you make the sshfs program setuid?

Code:
# cp /usr/local/bin/sshfs /usr/local/bin/mount_ssh
# chown root:<username> /usr/local/bin/mount_ssh
# chmod u=rwxs,go=rx /usr/local/bin/mount_ssh

Now, when any user in the <username> group executes the binary, it will run as root.
You might want to copy and try it out on the /usr/bin/whoami program first.

Warning: It is very easy with setuid to introduce unintended backdoors. I *believe* sshfs and whoami will not pose a problem but be careful :)
 
A little bit of a workaround but can you make the sshfs program setuid?

Code:
# cp /usr/local/bin/sshfs /usr/local/bin/mount_ssh
# chown root:<username> /usr/local/bin/mount_ssh
# chmod u=rwxs,go=rx /usr/local/bin/mount_ssh

Now, when any user in the <username> group executes the binary, it will run as root.
You might want to copy and try it out on the /usr/bin/whoami program first.
Hi kpedersen,
Interesting idea, but I prefer to use sshfs with an unprivileged user.
Thanks for the suggestion.
 
and potentially a security issue. You really should mention that when suggesting changing random programs to setuid.
A fair point, but I am not sure it reduces security in this case any more than allowing a user to run it via sudo / doas. Though I will edit my post.

Weirdly I didn't see the OP had solved the issue with allow_other prior to my post!
 