[GH-ISSUE #1376] s3fs trying to enable sftp access only for single user using user/pass getting but Permission denied #734

Open
opened 2026-03-04 01:48:18 +03:00 by kerem · 0 comments
Owner

Originally created by @meiry on GitHub (Aug 21, 2020).
Original GitHub issue: https://github.com/s3fs-fuse/s3fs-fuse/issues/1376

Additional Information

The following information is very important in order to help us to help you. Omission of the following details may delay your support request or receive no attention at all.
Keep in mind that the commands we provide to retrieve information are oriented to GNU/Linux Distributions, so you could need to use others if you use s3fs on macOS or BSD

Version of s3fs being used (s3fs --version)

Amazon Simple Storage Service File System V1.87 (commit:c6e2321) with OpenSSL

Version of fuse being used (pkg-config --modversion fuse, rpm -qi fuse, dpkg -s fuse)

2.9.2

Kernel information (uname -r)

amzn2.x86_64

GNU/Linux Distribution, if applicable (cat /etc/os-release)

NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"

Details about issue

I am trying to map S3 to SFTP for a single user only, meaning that only 1 user with the password could sftp to the mounted dir.

This is what I configured:
I created a new cool_user group with a cool_user user that is in the cool_user group.

    groups cool_user
    cool_user : cool_user

    cat /etc/passwd
    cool_user:x:1002:1003::/mnt/home/cool_user:/bin/bash

    cat /etc/group
    cool_user:x:1003:
/etc/ssh/sshd_config

    Subsystem sftp internal-sftp -l VERBOSE
    
    Match user cool_user
    #Match Group cool_user,!ec2-user
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    PasswordAuthentication yes

The s3fs command I used:

    sudo s3fs my_aws3_bucket /mnt/home/cool_user -o uid=1002,gid=1003,mp_umask=002

I can see the S3 files in the directory:

    cd  /mnt/home 
    sudo ls -l
    total 1
    drwx------ 1 cool_user cool_user 0 Jan  1  1970 cool_user
    
    sudo ls -l cool_user/
    total 2
    drwxr-x--- 1 cool_user cool_user 0 Jan  1  1970 temp
    drwxr-x--- 1 cool_user cool_user 0 Jan  1  1970 project1
    drwxr-x--- 1 cool_user cool_user 0 Jan  1  1970 my_file_s3

I checked whether it is mounted, and it is there at mnt/home/cool_user:

    sudo df
    Filesystem        1K-blocks    Used    Available Use% Mounted on
    devtmpfs            8099640       0      8099640   0% /dev
    tmpfs               8117580       0      8117580   0% /dev/shm
    tmpfs               8117580     480      8117100   1% /run
    s3fs           274877906944       0 274877906944   0% /mnt/home/cool_user

But when I try to log in from an sftp client, I can see this error in the output of sudo tail -F /var/log/secure:

    fatal: safely_chroot: stat("/mnt/home/cool_user"): Permission denied [postauth]

    Aug 20 13:38:45 ip-xx-xx-xx-xx sshd[18371]: Received signal 15; terminating.
    Aug 20 13:38:45 ip-xx-xx-xx-xx sshd[18400]: Server listening on 0.0.0.0 port 22.
    Aug 20 13:38:45 ip-xx-xx-xx-xx sshd[18400]: Server listening on :: port 22.
    Aug 20 13:38:45 ip-xx-xx-xx-xx sudo: pam_unix(sudo:session): session closed for user root
    Aug 20 13:38:51 ip-xx-xx-xx-xx sshd[18402]: Accepted password for cool_user from xx-xx-yy-yy port 40466 ssh2
    Aug 20 13:38:51 ip-xx-xx-xx-xx sshd[18402]: pam_unix(sshd:session): session opened for user cool_user by (uid=0)
    Aug 20 13:38:51 ip-xx-xx-xx-xx sshd[18402]: fatal: safely_chroot: stat("/mnt/home/cool_user"): Permission denied [postauth]
    Aug 20 13:38:51 ip-xx-xx-xx-xx sshd[18402]: pam_unix(sshd:session): session closed for user cool_user
    Aug 20 13:38:57 ip-xx-xx-xx-xx sshd[18408]: Accepted password for cool_user from xx-xx-yy-yy port 11542 ssh2
    Aug 20 13:38:57 ip-xx-xx-xx-xx sshd[18408]: pam_unix(sshd:session): session opened for user cool_user by (uid=0)
    Aug 20 13:38:57 ip-xx-xx-xx-xx sshd[18408]: fatal: safely_chroot: stat("/mnt/home/cool_user"): Permission denied [postauth]
    Aug 20 13:38:57 ip-xx-xx-xx-xx sshd[18408]: pam_unix(sshd:session): session closed for user cool_user
    Aug 20 13:41:28 ip-xx-xx-xx-xx sudo: ec2-user : TTY=pts/2 ; PWD=/mnt ; USER=root ; COMMAND=/bin/vi /etc/ssh/sshd_config
    Aug 20 13:41:28 ip-xx-xx-xx-xx sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
    Aug 20 13:42:41 ip-xx-xx-xx-xx sudo: pam_unix(sudo:session): session closed for user root
    Aug 20 13:42:51 ip-xx-xx-xx-xx sudo: ec2-user : TTY=pts/2 ; PWD=/mnt ; USER=root ; COMMAND=/bin/df
    Aug 20 13:42:51 ip-xx-xx-xx-xx sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
    Aug 20 13:42:51 ip-xx-xx-xx-xx sudo: pam_unix(sudo:session): session closed for user root
    Aug 20 13:43:28 ip-xx-xx-xx-xx sudo: ec2-user : TTY=pts/2 ; PWD=/mnt/home ; USER=root ; COMMAND=/bin/ls -l
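
An added diagnostic example, not part of the original issue or of s3fs: sshd_config(5) requires every component of a ChrootDirectory path to be a root-owned directory that is not writable by group or others, and the check below walks a path and reports each component, including any that cannot be stat'ed as in the log above. The function names `verdict` and `audit_chroot` are hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Audit a ChrootDirectory path the way sshd_config(5) describes the rule:
# every component must be owned by root and not group/world writable.
# Run it as root so the result reflects what a privileged process can see.

# verdict OWNER_UID OCTAL_MODE -> prints "ok" or the reason for rejection.
verdict() {
    uid=$1
    mode=$2
    [ "$uid" = 0 ] || { echo "not owned by root (uid $uid)"; return 1; }
    # Write bits for group (020) and others (002) must both be clear.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "group/world writable (mode $mode)"
        return 1
    fi
    echo ok
}

# audit_chroot PATH -> checks PATH and each parent up to "/".
# Returns non-zero if any component fails or cannot be stat'ed.
audit_chroot() {
    path=$1
    rc=0
    while :; do
        if info=$(stat -c '%u %a' "$path" 2>&1); then
            set -- $info                      # $1 = owner uid, $2 = octal mode
            msg=$(verdict "$1" "$2") || rc=1
        else
            # e.g. "Permission denied" on a mount the caller may not enter
            msg="stat failed: ${info##*: }"
            rc=1
        fi
        printf '%-28s %s\n' "$path" "$msg"
        [ "$path" = / ] && break
        path=$(dirname "$path")
    done
    return $rc
}

# Owner and mode of the chroot target as listed in the issue's `ls -l`
# output (uid 1002, drwx------), fed in as constructed input:
verdict 1002 700 || true

# On the affected host: audit_chroot /mnt/home/cool_user
```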