You will need to see /dev/fuse and be able to write to it. You may copy the
file from the host, but have to make it so that it is owned by owner root and
group fuse inside the client (this is the standard set up SFAIK).
I order to get a fuse program working in a recent LTSP set up I also needed to
add to the ccapabilities that guest. I needed to add both SECURE_MOUNT and
BINARY_MOUNT.
Hello,
I tried the following:
/etc/vservers/devel/ccapabilities
SECURE_MOUNT
SECURE_REMOUNT
BINARY_MOUNT
Then I can use mount but not fuse, strace shows:
mount -t proc null ~/mnt:
mount("null", "/root/mnt", "proc", MS_MGC_VAL, NULL) = 0
mount --bind /home ~/mnt:
mount("/home", "/root/mnt", 0x40fde2, MS_MGC_VAL|MS_BIND, 0) = 0
but sshfs:
mount("[EMAIL PROTECTED]:/", "/root/mnt", "fuse",
MS_NOSUID|MS_NODEV,
"max_read=65536,fd=4,rootmode=4,user_id=0,group_id=0") = -1 EPERM
(Operation not permitted)
or with CompFused (compression fuse fs)
mount("fuse", "/root/mnt", "fuse", MS_NOSUID|MS_NODEV,
"fd=4,rootmode=4,user_id=0,group_id=0") = -1 EPERM (Operation not
permitted)
But if I give extra
/etc/vservers/devel/bcapabilities
SYS_ADMIN
then it works:
mount("fuse", "/root/mnt", "fuse", MS_NOSUID|MS_NODEV,
"fd=3,rootmode=4,user_id=0,group_id=0") = 0
So there is apparently some extra capability required by fuse but I
don't want to give plain CAP_SYS_ADMIN
Any idea?
Note that to strace mount() call into a libfuse fork, you can try sth like
_FUSE_COMMFD=1 strace -s256 /usr/bin/fusermount -o fsname=fuse -- /root/mnt
It's a broken fuse call as there is no unix socket associated but it's
enough to hit the mount() call.
Kernel: 2.6.17.14-grsec2.1.9-vs2.0.2.1
VS-API: 0x00020002
util-vserver: 0.30.212; Dec 9 2006, 20:37:54
Please don't tell me to try a very new kernel/patch "just to see" unless
you know something was indeed fixed, it's on a production vserver...
Phil
___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
