this post was submitted on 04 Apr 2024

15 points (94.1% liked)

Linux

48038 readers

751 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago

MODERATORS

[email protected]

sshfs pemission denied on root path folder (lemmy.ml)

submitted 7 months ago* (last edited 7 months ago) by [email protected] to c/[email protected]

14 comments fedilink hide all child comments

Hello !

Getting a bit annoyed with permission issues with samba and sshfs. If someone could give me some input on how to find an other more elegant and secure way to share a folder path owned by root, I would really appreciate it !

Context

The following folder path is owned by root (docker volume):

/var/lib/docker/volumes/syncthing_data/_data/folder

The child folders are owned by the user server

/var/lib/docker/volumes/syncthing_data/_data/folder

The user server is in the sudoers file
Server is in the docker groupe
fuse.confhas the user_allow_other uncommented

Mount point with sshfs

sudo sshfs [email protected]:/var/lib/docker/volumes/syncthing_data/_data/folder /home/user/folder -o allow_other

Permission denied

Things I tried

Adding other options like gid 0,27,1000 uid 0,27,1000 default_permissions...
Finding my way through stackoverflow, unix.stackexchange...

Solution I found

Making a bind mount from the root owned path to a new path owned by server

sudo mount --bind /var/lib/docker/volumes/syncthing_data/_data/folder /home/server/folder

Mount point with sshfs

sshfs [email protected]:/home/server/folder /home/user/folder

Question

While the above solution works, It overcomplicates my setup and adds an unecessary mount point to my laptop and fstab.

Isn't there a more elegant solution to work directly with the user server (which has root access) to mount the folder with sshfs directly even if the folder path is owned by root?

I mean the user has root access so something like:

sshfs [email protected]:/home/server/folder /home/user/folder -o allow_other should work even if the first part of the path is owned by root.

Changing owner/permission of the path recursively is out of question !

Thank you for your insights !

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 2 points 7 months ago* (last edited 7 months ago) (1 children)

Heyha !

Thanks for your input, you pointed the right direction ! After some more reading, this is what I found.

Adding the following line in sudoers file after @includedir /etc/sudoers.d:

server ALL = NOPASSWD: /usr/lib/openssh/sftp-server

Works without the need of a sudo session for the sftp-server. I have no idea if this is good security practice but If i had to guess I would say no. Having the NOPASSWD argument for something critical as an ftp server seems... Not a good idea ! But I'm not an expert, so I'm just guessing :/.

If I may, how would you tackle such an use case ? My first solution seems way more secure with the right permissions on the bind mount, what do you think ?

Thanks for your nice tip to right direction :D !

[–] [email protected] 1 points 7 months ago* (last edited 7 months ago) (1 children)

As far as I understand, the user server is not the user running your web server e.g. www-data, right? Otherwise I would advise against giving him elevated privileges such as sudo rights.

If the authentication of the user server has sufficiently high level, e.g. a strong password, SSH key authentication, I don't see a high risk in using the NOPASSWD method. But, as I am no expert, please take this with a grain of salt.

[–] [email protected] 1 points 7 months ago (1 children)

Sorry for the late response !

As far as I understand, the user server is not the user running your web server e.g. www-data, right?

Are you sure about that? I mean, in the sudoers file I added the user server with NOPASSWD and not www-data for the specific service. And it works that way.

Maybe I misunderstand something here, if so please correct me. Is there anyway I could check this out? Do I need to check the owner on my host or my client trying to mount the path?

Thank you !!

[–] [email protected] 1 points 7 months ago

By the 'user running the web server' I mean the user running the Apache, Ngix or whatever web server on your system. Usually, afaIk, you should not be able to login as e.g. www-data on the system. You can identify the username by running ps -ef and searching for the web server process. You'll find the corresponding user name in the first column.