
#67 fuse mount with supplementary groups

pam_mount
closed-fixed
pam_mount (94)
6
2010-05-10
2009-12-01
Anonymous
No

I can mount the share manually with either encfs or mount.fuse as user test (who is a member of the 'fuse' group), but not using pam_mount. It seems that using a fuse filesystem causes trouble in the context of supplementary groups:

line from /etc/security/pam_mount.conf.xml:
<volume user="test" fstype="fuse" path="encfs#/home/test/.encfs/private" mountpoint="/home/test/private_test" options="nonempty" noroot="1" />

user test id:
uid=1000(test) gid=1000(test) groups=100(users),115(fuse),1000(test)

auth.log:
command: [mount.fuse] [encfs#/home/test/.encfs/private] [/home/test/private_test] [-o] [nonempty]
pam_mount(spawn.c:107): setting uid to user test
login[5620]: pam_mount(misc.c:38): set_myuid<post>: (uid=1000, euid=1000, gid=1000, egid=1000)
pam_mount(mount.c:64): Errors from underlying mount program:
pam_mount(mount.c:68): EncFS Password:
pam_mount(mount.c:68): fuse: failed to exec fusermount: Permission denied

fusermount permission:
-rwsr-xr-- 1 root fuse 23448 2009-07-04 05:39 /usr/bin/fusermount

workaround:
sudo chmod o+x /usr/bin/fusermount

versions:
Debian GNU/Linux squeeze
libpam-mount 1.32-2
encfs 1.5.2-1+b1
fuse-utils 2.7.4-2
libfuse2 2.7.4-2
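
The permission check behind the "failed to exec fusermount: Permission denied" line above, as an added example (not part of the original report and not pam_mount code). It uses the mode, uid/gid and group values from the report; the function names, the inherited group list and the simplified check (no ACLs, capabilities or root override) are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Values from the report: fusermount is -rwsr-xr-- root:fuse, fuse is gid 115. */
enum { FUSE_GID = 115, MODE_REPORTED = 04754, MODE_WORKAROUND = 04755 };

/* Groups of user test, from the "id" output in the report. */
static const gid_t user_groups[] = {100, 115, 1000};
/* Constructed: a list left over from the parent process, without fuse. */
static const gid_t inherited_groups[] = {0};

/*
 * Simplified execute-permission check (no ACLs, capabilities or root
 * override). Exactly one class applies: owner, else group, else other.
 */
bool may_exec(mode_t mode, uid_t f_uid, gid_t f_gid, uid_t euid, gid_t egid,
              const gid_t *groups, size_t ngroups)
{
	bool in_group = (egid == f_gid);

	if (euid == f_uid)
		return (mode & S_IXUSR) != 0;
	for (size_t i = 0; i < ngroups && !in_group; ++i)
		in_group = (groups[i] == f_gid);
	/* A group match uses the group bits only; "other" is never consulted. */
	return in_group ? (mode & S_IXGRP) != 0 : (mode & S_IXOTH) != 0;
}

/* uid=1000, gid=1000 as logged by set_myuid<post> in the report. */
bool test_user_may_exec(mode_t mode, const gid_t *groups, size_t ngroups)
{
	return may_exec(mode, 0, FUSE_GID, 1000, 1000, groups, ngroups);
}

int main(void)
{
	printf("uid switched, groups not set: %d\n",
	       test_user_may_exec(MODE_REPORTED, inherited_groups, 1));
	printf("uid switched, user's groups:  %d\n",
	       test_user_may_exec(MODE_REPORTED, user_groups, 3));
	printf("workaround chmod o+x:         %d\n",
	       test_user_may_exec(MODE_WORKAROUND, inherited_groups, 1));
	return 0;
}
```

The third case shows why the chmod o+x workaround succeeds: it opens fusermount to every local account, not just members of fuse.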

Discussion

  • Jan Engelhardt

    Jan Engelhardt - 2010-01-09

    pam_mount does not change the groups, that may explain what you observe.

     
  • Jan Engelhardt

    Jan Engelhardt - 2010-01-09
    • status: open --> pending
     
  • SourceForge Robot

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).

     
  • SourceForge Robot

    • status: pending --> closed
     
  • Jan Engelhardt

    Jan Engelhardt - 2010-04-10
    • assigned_to: nobody --> jengelh
    • milestone: --> pam_mount
    • labels: --> pam_mount
    • status: closed --> open-remind
     
  • Jan Engelhardt

    Jan Engelhardt - 2010-04-13
    • priority: 5 --> 6
    • status: open-remind --> open-accepted
     
  • Jan Engelhardt

    Jan Engelhardt - 2010-05-10

    Patch added v2.1-8-g93bc8be; will show up in v2.2.

     
  • Jan Engelhardt

    Jan Engelhardt - 2010-05-10
    • status: open-accepted --> closed-fixed
     
  • Jan Engelhardt

    Jan Engelhardt - 2010-05-10

    v2.1-8-gf347756

     
  • Italo Valcy

    Italo Valcy - 2010-12-17

    Hi jengelh,

    It seems that commit f3477563e02d58015db5e9834b3a2a9dd5008f25 (which fixes this issue) breaks the use of pam_group to set the user's group.

    I don't know for sure yet, but since you made the changes below, pam_group does not seem to load the groups of the user and we get the "Permission denied for /dev/fuse" error back...

    --------------
    diff pam_mount-2.1/src/spawn.c pam_mount-2.2/src/spawn.c
    17a18
    > #include <grp.h>
    111a113,115
    > #ifdef HAVE_INITGROUPS
    > initgroups(real_user->pw_name, real_user->pw_gid);
    > #endif
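
    Review bot: the return value of initgroups() in the 111a113,115 hunk is discarded, so if the call fails the child carries on to the mount helper with whatever supplementary groups it inherited. Check the result and abort the spawn on failure, for example `if (initgroups(real_user->pw_name, real_user->pw_gid) != 0)` followed by an error log and exit. Also note next to the call that initgroups() rebuilds the list from the group database for pw_name, which replaces any groups that were added to the process by other means earlier.
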
    --------------

    How to reproduce this error?

    Using the same scenario as originally reported, instead of adding the 'test' user to the 'fuse' group (adduser test fuse), you configure the PAM module pam_group.so to load the 'fuse' group. Then try to log in again and you should get the "Permission denied" error.

    I'll try to understand the error better, but any help is very welcome! :)

    Kind Regards, Italo.

     
  • Jan Engelhardt

    Jan Engelhardt - 2010-12-17

    I created a new item for that, SF #3139147 http://sf.net/support/tracker.php?aid=3139147

     
