Sshfs, Linux - How to Mount with Read-Only Access

Just add one more option:

sshfs user@123.123.123.123:/home/user /media/mountpoint/ -o allow_other -o ro

This should help: http://ubuntuforums.org/showthread.php?t=975107

Mount with sshfs and write file permissions

The question was answered on a Linux mailing list; I post a translated answer here for completeness.

Solution

The solution is to not use both of the options default_permissions and allow_other when mounting (which I didn't try in my original experiments).

Explanation

The problem seems to be quite simple. When you use the option default_permissions in fusermount, then fuse's permission control of the fuse mount is handled by the kernel and not by fuse.

This means that the REMOTE_USER's uid/gid aren't mapped to the LOCAL_USER (sshfs.c IDMAP_NONE). It works the same way as a simple nfs fs without mapping.

So, it makes sense to prohibit the access, if the uid/gid numbers don't match.

If you have the option allow_other then this dir is writable only by the local user with uid 699, if it exists.

From fuse's man:

'default_permissions'

By default FUSE doesn't check file access permissions, the
filesystem is free to implement its access policy or leave it to
the underlying file access mechanism (e.g. in case of network
filesystems). This option enables permission checking, restricting
access based on file mode. It is usually useful together with the
'allow_other' mount option.

'allow_other'

This option overrides the security measure restricting file access
to the user mounting the filesystem. This option is by default only
allowed to root, but this restriction can be removed with a
(userspace) configuration option.

Sshfs as regular user through fstab

Using option allow_other in /etc/fstab allows users other than the one doing the actual mounting to access the mounted filesystem. When you boot your system and mount your sshfs, it's done by user root instead of your regular user. When you add allow_other, users other than root can access the mount point. File permissions under the mount point still stay the same as they used to be, so if you have a directory with 0700 mask there, it's not accessible by anyone else but root and the owner.

So, instead of

sshfs#user@remote.machine.net:/remote/dir /work     fuse      user,_netdev,reconnect,uid=1000,gid=1000,idmap=user  0   0

use

sshfs#user@remote.machine.net:/remote/dir /work     fuse      user,_netdev,reconnect,uid=1000,gid=1000,idmap=user,allow_other  0   0

This did the trick for me at least. I did not test this by booting the system, but instead just issued the mount command as root, then tried to access the mounted sshfs as a regular user.

Mounting a remote file system (sshfs) through an intermediate machine

You may use ssh to forward port 22 from machine3 to machine1 via machine2, like

user1@machine1:$ ssh -L 2222:machine3:22 user2@machine2

After that configure sshfs on machine1 to use localhost:2222 port (in the second terminal tab):

user1@machine1:$ sshfs user3@localhost:/some/machine3/dir /some/local/dir -p 2222

Raspberry ISO mount via sshfs fails

For me, this worked:

sudo bash
# Now in root
mkdir /tmp/iso
mount /home/pi/isomount/2005-2010.iso /tmp/iso

More details

~# cd /home/ubuntu/dev
/home/ubuntu/dev# df -k .
Filesystem 1K-blocks Used Available Use% Mounted on
User@remotehost:dev 487213052 380126780 107086272 79% /home/ubuntu/dev <-- sshfs mounted
/home/ubuntu/dev# ls -l ubuntu-20.04.3-desktop-amd64.iso
-rwx------ 1 197609 197121 3071934464 Dec 28 10:44 ubuntu-20.04.3-desktop-amd64.iso
/home/ubuntu/dev# mount ubuntu-20.04.3-desktop-amd64.iso /tmp/iso
mount: /tmp/iso: WARNING: device write-protected, mounted read-only.
/home/ubuntu/dev# ls -ltr /tmp/iso
total 101
lr-xr-xr-x 1 root root 1 Aug 19 11:59 ubuntu -> .
dr-xr-xr-x 1 root root 2048 Aug 19 11:59 preseed
dr-xr-xr-x 1 root root 2048 Aug 19 11:59 pool
dr-xr-xr-x 1 root root 2048 Aug 19 11:59 dists
dr-xr-xr-x 1 root root 2048 Aug 19 12:01 install
dr-xr-xr-x 1 root root 2048 Aug 19 12:01 casper
dr-xr-xr-x 1 root root 2048 Aug 19 12:01 boot
dr-xr-xr-x 1 root root 2048 Aug 19 12:01 EFI
dr-xr-xr-x 1 root root 34816 Aug 19 12:01 isolinux
-r--r--r-- 1 root root 53487 Aug 19 12:03 md5sum.txt

My sshfs mount options in /etc/mtab:

User@remotehost:dev /home/ubuntu/dev fuse.sshfs rw,nosuid,nodev,relatime,user_id=1001,group_id=1001,allow_other 0 0
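
Added example, not part of any of the answers above: a shell function that reads mount-table lines (/etc/mtab or /proc/mounts format) and reports, for each fuse.sshfs mount, whether it is read-only and how ro, allow_other and default_permissions combine. The function names, the scope labels and all sample lines except the first are constructed for illustration.

```shell
#!/bin/sh
# Added example. audit_sshfs_mounts and sample_mtab are hypothetical names.

# Reads mount-table lines (/etc/mtab or /proc/mounts format) on stdin and
# prints one line per sshfs mount: <mountpoint> <ro|rw> <scope> [REVIEW]
audit_sshfs_mounts() {
    awk '
    $3 == "fuse.sshfs" {
        ro = 0; other = 0; defperm = 0
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            if (opt[i] == "ro") ro = 1
            else if (opt[i] == "allow_other") other = 1
            else if (opt[i] == "default_permissions") defperm = 1
        }
        # Without allow_other only the mounting user can reach the mount.
        # With allow_other but no default_permissions the kernel checks no
        # file modes, so every local user acts as the remote SSH account.
        if (!other)       scope = "owner-only"
        else if (defperm) scope = "all-users-mode-checked"
        else              scope = "all-users-unchecked"
        flag = (!ro && scope == "all-users-unchecked") ? " REVIEW" : ""
        print $2, (ro ? "ro" : "rw"), scope flag
    }'
}

# Constructed sample: the first line is the mtab entry quoted above, the rest
# are made-up variants plus one non-sshfs line that must be ignored.
sample_mtab() {
    cat <<'EOF'
User@remotehost:dev /home/ubuntu/dev fuse.sshfs rw,nosuid,nodev,relatime,user_id=1001,group_id=1001,allow_other 0 0
user@host:/home/user /media/mountpoint fuse.sshfs ro,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
user@host:/srv /work fuse.sshfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,default_permissions,allow_other 0 0
user@host:/srv /home/u/priv fuse.sshfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
/dev/sda1 / ext4 rw,relatime 0 0
EOF
}

# Run against the sample; on a live system: audit_sshfs_mounts < /proc/mounts
sample_mtab | audit_sshfs_mounts
```

A REVIEW flag marks a writable mount that any local user can reach with no kernel mode checks; adding ro, dropping allow_other, or adding default_permissions each clears it.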

Emacs SSH - Enforce read-only

Third suggestion: Use sshfs to provide the remote filesystem locally, and mount it read-only, and then point Emacs at that.

That way you're not subject to all of the pitfalls of being able to run commands directly on the remote server as a user who has write-permissions.
