Sshfs needs doas, how to use sshfs as an unprivileged user?

Ethish

New Member

Reaction score: 1
Messages: 5

Using a fresh install of FreeBSD 13.0. I'm trying to mount a remote directory on a linux server via sshfs with the following command:

sshfs user@x.x.x.x:/home/user/Dir/dir/ /usr/home/anotheruser/DestinationDir/ -p1234 -v -o idmap=user,uid=X,guid=Y,allow_other,follow_symlinks,reconnect

The command fails with the following statement:

mount_fusefs: /dev/fuse on /usr/home/anotheruser/DestinationDir: Operation not permitted

user_allow_other is in fuse.conf

When using:

doas sshfs user@x.x.x.x:/home/user/Dir/dir/ /usr/home/anotheruser/DestinationDir/ -p1234 -v -o idmap=user,uid=X,guid=Y,allow_other,follow_symlinks,reconnect

the remote directory will mount.

I know I must be missing something, but I don't know what.

Does anybody know what is needed to be able to use sshfs without doas?

Ethish

New Member

Reaction score: 1
Messages: 5

the sysctl vfs.usermount=1 is needed
Hi rootbert,
Thank you.
I set the above value in /etc/sysctl.conf, (rebooted) and verified it with sysctl -a | grep vfs.usermount, which gives vfs.usermount= 1.
Sshfs still needs doas.

Any other ideas?

jmos

Well-Known Member

Reaction score: 232
Messages: 298

Sshfs still needs doas.
I'm using sshfs, but I don't need doas/super/sudo etc. to use it; in your first post there's a hint to /dev/fuse… Maybe: does your user have the permission to use this device? Check the group of that device, and check if your user belongs to that group. Mine does.

T-Daemon

Daemon

Reaction score: 993
Messages: 1,892

I'm trying to mount a remote directory on a linux server via sshfs with the following command:

sshfs user@x.x.x.x:/home/user/Dir/dir/ /usr/home/anotheruser/DestinationDir/ -p1234 -v -o idmap=user,uid=X,guid=Y,allow_other,follow_symlinks,reconnect

Set vfs.usermount=1 and remove allow_other option.

mount_fusefs(8):
Code:
allow_other
                     Do not apply STRICT ACCESS POLICY.  Only root can use
                     this option.

user_allow_other is in fuse.conf

This is not supported on FreeBSD, it seems.
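An added pre-flight check (not code from any poster in this thread) that turns the advice above into a script: it strips the root-only allow_other option from the -o list and verifies vfs.usermount=1, access to /dev/fuse, and that the mountpoint is owned by the user doing the mount (which vfs.usermount requires). It assumes FreeBSD's sysctl(8) and mount_fusefs(8); the option string and paths are constructed.

```shell
#!/bin/sh
# Pre-flight checks for running sshfs without doas on FreeBSD.
# Assumes FreeBSD sysctl(8) and fusefs; sample values are constructed.

# Drop the root-only allow_other option from a comma-separated -o list;
# every other option passes through unchanged and in order.
strip_allow_other() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -v -x 'allow_other' | paste -s -d ',' -
}

# Return 0 when an unprivileged fusefs mount on "$1" can work; otherwise
# print the first failing precondition and return 1.
check_usermount_ready() {
    target="$1"
    if [ "$(sysctl -n vfs.usermount 2>/dev/null)" != "1" ]; then
        echo "vfs.usermount is not 1 (set vfs.usermount=1 in /etc/sysctl.conf)"
        return 1
    fi
    if [ ! -r /dev/fuse ] || [ ! -w /dev/fuse ]; then
        echo "/dev/fuse is not readable and writable by $(id -un); check its group"
        return 1
    fi
    # With vfs.usermount, a non-root user may only mount on a directory they own.
    if [ ! -d "$target" ] || [ ! -O "$target" ]; then
        echo "$target is not a directory owned by $(id -un)"
        return 1
    fi
    return 0
}

# Usage (constructed host, port and paths):
# opts=$(strip_allow_other "idmap=user,uid=1001,gid=1001,allow_other,follow_symlinks,reconnect")
# check_usermount_ready "$HOME/DestinationDir" &&
#     sshfs user@x.x.x.x:/home/user/Dir/dir/ "$HOME/DestinationDir" -p 1234 -o "$opts"
```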

Ethish

New Member

Reaction score: 1
Messages: 5

I'm using sshfs, but I don't need doas/super/sudo etc. to use it; in your first post there's a hint to /dev/fuse… Maybe: does your user have the permission to use this device? Check the group of that device, and check if your user belongs to that group. Mine does.
Hi jmos,

Thank you.

ls -lah /dev/fuse gives:

crw-rw-rw- 1 root operator 0x3f Jan 14 16:56 /dev/fuse

My user is a member of group operator, this does not seem to be the problem.

kpedersen

Son of Beastie

Reaction score: 2,248
Messages: 3,076

A little bit of a workaround but can you make the sshfs program setuid?

Code:
# cp /usr/local/bin/sshfs /usr/local/bin/mount_ssh
# chown root:<username> /usr/local/bin/mount_ssh
# chmod u=rwxs,go=rx /usr/local/bin/mount_ssh

Now, when any user in the <username> group executes the binary, it will run as root.
You might want to copy and try it out on the /usr/bin/whoami program first.

Warning: It is very easy with setuid to introduce unintended backdoors. I *believe* sshfs and whoami will not pose a problem but be careful :)

Ethish

New Member

Reaction score: 1
Messages: 5

A little bit of a workaround but can you make the sshfs program setuid?

Code:
# cp /usr/local/bin/sshfs /usr/local/bin/mount_ssh
# chown root:<username> /usr/local/bin/mount_ssh
# chmod u=rwxs,go=rx /usr/local/bin/mount_ssh

Now, when any user in the <username> group executes the binary, it will run as root.
You might want to copy and try it out on the /usr/bin/whoami program first.
Hi kpedersen,
Interesting idea, but I prefer to use sshfs with an unprivileged user.
Thanks for the suggestion.

kpedersen

Son of Beastie

Reaction score: 2,248
Messages: 3,076

and potentially a security issue. You really should mention that when suggesting changing random programs to setuid.
A fair point, but I am not sure it reduces security in this case any more than allowing a user to run it via sudo / doas. Though I will edit my post.

Weirdly I didn't see the OP had solved the issue with allow_other prior to my post!