Hello Andreas,

On 02.02.2022 at 15:22, Andreas Hasenack wrote:
For this to work, two conditions need to be met:
a) the gluster provided /usr/bin/fusermount-glusterfs binary must be
built and used (the fuse provided one is ignored)
b) it must be installed SUID root, just like fuse's /usr/bin/fusermount

If a privileged user is doing the mount, then gluster uses a direct
mount and fusermount-glusterfs is not used.

Can we then perhaps disable gluster's fusermount, and use the one
provided by fuse (/usr/bin/fusermount), which is installed suid root
already? No. gluster will not even attempt to use the fuse fusermount
command. This then goes down to technical differences between fuse's
and gluster's fusermount, some of which are explained in
https://github.com/gluster/glusterfs/discussions/2212

The Debian and Ubuntu packaging, as is, do not allow unprivileged
mounts, because they ship /usr/bin/fusermount-glusterfs without the
SUID root bit set. It might have been a conscious decision, letting
the sysadmin decide if they want to enable that bit or not, and keep
it during upgrades. Or it's a bug. In any case, the way it is
shipped, we could be using --disable-fusermount and would see no
difference in behavior.

I can't say how it was in the long long gone past, but it is not a wanted or documented behaviour, nor did I know of that.

Furthermore, I'll file one or two debian bugs to at least have the
discussion started on these respective issues:
a) remove fuse build-depends and Depends, since they are not needed
b) either disable fusermount-glusterfs, or install it suid root, or
leave it as is, but document that for it to work the admin needs to
chmod u+s that binary and use dpkg-statoverride to not lose that
during upgrades.
What would be your favorite for b)?

This is the upstream bug I filed to have glusterfs use the system
installed fuse: https://github.com/gluster/glusterfs/issues/3145

It would be helpful if you could double check my findings, and then
maybe we could drop the fuse build-depends and depends? Unless I
overlooked something.
Looks fine and I think you are more in this topic than myself now :D

Cheers!
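
An added example, not part of the original thread or of the Debian or gluster packaging: a small audit script an admin could run to see which of the states discussed above a host is in (SUID root bit on /usr/bin/fusermount-glusterfs, and whether a dpkg-statoverride entry records it so it is kept during upgrades). The function names are hypothetical, and GNU `stat` is assumed, as on Debian and Ubuntu.

```shell
#!/bin/sh
# Added example: report whether the gluster mount helper can serve
# unprivileged mounts. Default path is the one named in the thread.
HELPER_DEFAULT=/usr/bin/fusermount-glusterfs

# Print one of: missing | no-suid | suid-nonroot | suid-root
suid_state() {
    f=$1
    [ -e "$f" ] || { echo missing; return; }
    [ -u "$f" ] || { echo no-suid; return; }
    # stat -c is GNU coreutils (assumption, true on Debian/Ubuntu)
    if [ "$(stat -c %u "$f")" = 0 ]; then echo suid-root; else echo suid-nonroot; fi
}

# Print: registered | unregistered | unknown (dpkg-statoverride not installed)
override_state() {
    command -v dpkg-statoverride >/dev/null 2>&1 || { echo unknown; return; }
    # --list exits non-zero when no override matches the path
    if dpkg-statoverride --list "$1" >/dev/null 2>&1; then
        echo registered
    else
        echo unregistered
    fi
}

# Combine both checks into a one-line status plus a short verdict.
report() {
    f=${1:-$HELPER_DEFAULT}
    s=$(suid_state "$f")
    o=$(override_state "$f")
    echo "$f: mode=$s statoverride=$o"
    case "$s/$o" in
        suid-root/registered) echo "unprivileged mounts enabled; bit is kept during upgrades" ;;
        suid-root/*)          echo "SUID root set but not recorded; an upgrade may drop it" ;;
        missing/*)            echo "helper not installed" ;;
        *)                    echo "helper is not SUID root; only privileged (direct) mounts work" ;;
    esac
}

report "$@"
```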
