[GH-ISSUE #107] chroot catch-22 #65

Closed
opened 2026-03-04 01:41:43 +03:00 by kerem · 3 comments

Originally created by @ProbablyRusty on GitHub (Jan 21, 2015).
Original GitHub issue: https://github.com/s3fs-fuse/s3fs-fuse/issues/107

I am trying to implement a chroot jail backed by s3fs.

But, chroot requires that the parent directory be owned by root:root and not world writable.

If I use `-o allow_other`, then the permissions on the s3fs mnt directory are root:root 777.

If I don't use `-o allow_other`, then the permissions on the s3fs mnt directory are root:root 700.

What I actually need in order to make chroot not reject the path is root:root 775.

Manually trying to chmod on the s3fs mnt directory doesn't work either:

```
# chmod 775 /s3fsmnt
chmod: changing permissions of ‘.’: Input/output error
```

Any way to do this?

kerem closed this issue 2026-03-04 01:41:43 +03:00

@ProbablyRusty commented on GitHub (Jan 21, 2015):

I patched line 3386 of s3fs.cpp from:

```
mp_mode = S_IFDIR | (allow_other ? (S_IRWXU | S_IRWXG | S_IRWXO) : S_IRWXU);
```

to:

```
mp_mode = S_IFDIR | (allow_other ? (S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) : S_IRWXU);
```

...and I believe it is working fine. Perhaps this could be added as an option?


@ggtakec commented on GitHub (Feb 7, 2015):

Hi, consultantRR

Thanks for the pull request.
I have looked at your code (idea), but I think that we should make a new option, like umask, for only the mount point.
That way, s3fs can set any mode for the mount point directory.

Then I'm going to update the code as soon as possible, using your source code as a reference.

Thanks in advance for your help.


@ggtakec commented on GitHub (Feb 7, 2015):

I merged #119.
It adds an mp_umask option, like umask, for the mount point permission.
Thanks very much.
Regards,
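
An added example, not code from s3fs-fuse or from the commenters above: it models the `mp_mode` expression quoted in the thread with a umask-style mask applied, and checks the result against the chroot requirement stated in the issue (root:root, not world-writable). The function names, the assumption that `mp_umask` simply clears bits from the `allow_other` default, and the `strict` flag (also reject group write) are hypothetical.

```cpp
#include <sys/stat.h>
#include <sys/types.h>
#include <cstdio>

// Mount-point mode, following the expression quoted in the thread.
// Assumption: a umask-style value clears bits from the allow_other default.
mode_t mount_point_mode(bool allow_other, mode_t mp_umask) {
    const mode_t all = S_IRWXU | S_IRWXG | S_IRWXO;
    return S_IFDIR | (allow_other ? (all & ~mp_umask) : (mode_t)S_IRWXU);
}

// Requirement as stated in the issue: directory owned by root:root and not
// world-writable. strict (hypothetical flag) also rejects group write.
bool acceptable_chroot_dir(uid_t uid, gid_t gid, mode_t mode, bool strict) {
    if (!S_ISDIR(mode)) return false;          // must be a real directory
    if (uid != 0 || gid != 0) return false;    // must be root:root
    mode_t forbidden = S_IWOTH | (strict ? (mode_t)S_IWGRP : (mode_t)0);
    return (mode & forbidden) == 0;
}

// Same check against a live path; lstat so a symlink is rejected, not followed.
bool path_acceptable(const char* path, bool strict) {
    struct stat st;
    if (lstat(path, &st) != 0) return false;
    return acceptable_chroot_dir(st.st_uid, st.st_gid, st.st_mode, strict);
}

int main() {
    // Constructed sample masks: none, clear other-write, clear group+other write.
    const mode_t masks[] = {0000, 0002, 0022};
    for (mode_t m : masks) {
        mode_t mode = mount_point_mode(true, m);
        std::printf("mp_umask=%03o -> mode %04o  stated-rule=%s  strict=%s\n",
                    (unsigned)m, (unsigned)(mode & 07777),
                    acceptable_chroot_dir(0, 0, mode, false) ? "ok" : "reject",
                    acceptable_chroot_dir(0, 0, mode, true) ? "ok" : "reject");
    }
    return 0;
}
```

Running `path_acceptable` on the mounted directory before pointing a jail at it catches a mount that came up with the 777 default.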
