fuse - bindfs

Last updated: 2022-08-18

Introduction

bindfs is a FUSE filesystem, i.e. it runs in user space, and it behaves similarly to "mount --bind".

The permissions and owner of the files inside the mountpoint can be altered using various rules.

Homepage: http://bindfs.org


Doc

man bindfs

 


Install

 

apt-get install bindfs     # U14 (Ubuntu 14.04)

yum install bindfs         # C6 / C7 / R8 (CentOS 6, CentOS 7, R8; all from EPEL)

 


Compile from source

 

yum -y install fuse-devel fuse

cd /usr/src/

wget http://bindfs.org/downloads/bindfs-1.13.3.tar.gz

tar -zxf bindfs-1.13.3.tar.gz

cd bindfs-1.13.3

./configure --prefix=/opt

make && make install       # installs to /opt/bin/bindfs because of --prefix=/opt

 


Usage

 

bindfs -V                              # Debian 10

bindfs 1.13.3

Syntax

bindfs [options] dir mountpoint

e.g.

bindfs /root/tmp /home/root-tmp

Checking:

ps x | grep bindfs

  PID TTY      STAT   TIME COMMAND
  468 ?        Ss     0:00 bindfs /root/tmp /home/root-tmp

mount | grep fuse

fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
/root/tmp on /home/root-tmp type fuse
  (rw,nosuid,nodev,relatime,user_id=0,group_id=0,default_permissions,allow_other)

default_permissions (default)

This option enables permission checking in the kernel, restricting access based on file mode.

* By default FUSE doesn't check file access permissions at all (the filesystem would have to do it itself); bindfs passes default_permissions so the mode bits it presents are actually enforced.

allow_other (default)

bindfs also passes allow_other by default, always together with "default_permissions" (see the mount output above): every user on the system, not only the one who ran bindfs, may access the mountpoint.

# If only the user who ran bindfs should be able to access it (does not add -o allow_other to the FUSE options):

--no-allow-other

Example: the mount bypasses a parent directory that has no "x" bit for other users

# 相當於 "mount --bind /root/tmp /home/root-tmp"

bindfs /root/tmp /home/root-tmp

ls -ld /root /root/tmp /home/root-tmp

drwxr-xr-x 2 root root 4096 Aug 31 12:59 /home/root-tmp
drwxr-x--- 7 root root 4096 Aug 31 12:57 /root
drwxr-xr-x 2 root root 4096 Aug 31 12:59 /root/tmp

[root@vps ~]# echo test > /root/tmp/test.txt

Test as another user (su tim -s /bin/bash)

[tim@vps ~]$ cat /root/tmp/test.txt                             # denied as expected: /root is 750, so tim cannot traverse it

cat: /root/tmp/test.txt: Permission denied

[tim@vps ~]$ cat /home/root-tmp/test.txt                    # prints "test": the same file is reachable through /home, which tim can traverse
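The test above shows the security-relevant effect: once a directory is exported with bindfs (allow_other is the default) or "mount --bind", the 750 mode of /root no longer protects /root/tmp, because clients reach it by the mountpoint's own path. The following script is an added example written for this page, not bindfs code: it walks up from a prospective source directory and lists every ancestor whose "other" execute bit is missing, i.e. every directory whose protection the export would bypass. The constructed tree in demo (a 750 "root" holding a 755 "tmp" under a temporary directory) is an assumption used so the script runs without root; the stop directory argument exists only to keep the walk inside that temporary tree.

```shell
#!/bin/sh
# Added example for this page (not bindfs code): list the ancestors of a
# directory that lack the "other" execute (search) bit. In a normal path
# lookup each such ancestor stops other users from reaching anything below
# it, e.g. /root (750) protects /root/tmp (755). A bindfs export with
# allow_other (the bindfs default), like "mount --bind", is reached through
# the mountpoint's own path, so that protection no longer applies.
# Run it on the SOURCE directory before exporting; every line printed is a
# directory whose protection the export would bypass.
# POSIX sh + ls only; walks upward from DIR until STOP (exclusive, default "/").

nontraversable_ancestors() {
    dir=$(cd "$1" && pwd) || return 2   # absolute path of the source dir
    stop=${2:-/}
    hits=0
    while [ "$dir" != "$stop" ] && [ "$dir" != "/" ]; do
        # column 10 of "ls -ld" is the other-execute bit: x, t (sticky) or -
        case $(ls -ld "$dir" | cut -c10) in
            x|t) ;;
            *)   echo "$dir"; hits=$((hits + 1)) ;;
        esac
        dir=$(dirname "$dir")
    done
    [ "$hits" -eq 0 ]                   # 0 = everyone can already reach DIR by path
}

# Demo on a constructed tree mimicking the page's /root (750) and /root/tmp
# (755), built under a temporary directory so it needs no root privileges.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/root/tmp"
    chmod 750 "$t/root"
    chmod 755 "$t/root/tmp"
    echo "Source: $t/root/tmp"
    echo "Ancestors protecting it by path (bypassed by bindfs / mount --bind):"
    nontraversable_ancestors "$t/root/tmp" "$t"
    rc=$?
    rm -rf "$t"
    return $rc
}

case "${1:-}" in demo) demo ;; esac   # run as: sh check-ancestors.sh demo
```

A non-zero return from nontraversable_ancestors means the export would make the source reachable to users whom the parent directories currently keep out; in that case either accept that, or mount with --no-allow-other, or tighten the mountpoint's own mode.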

Options

  • chown/chgrp/chmod policy
  • Owner
  • Permission
  • File creation policy
  • Rate limits

 


chown/chgrp/chmod policy

 

Deny - fail with 'permission denied'

--chown-deny

--chgrp-deny

--chmod-deny

Ignore - the command appears to succeed, but nothing is changed

--chown-ignore

--chgrp-ignore

--chmod-ignore

 


Owner policy

 

force-X

-u | --force-user username            # Makes all files appear owned by the specified user; "chown" can no longer be used

-g | --force-group groupname        # Makes all files appear owned by the specified group; "chgrp" can no longer be used

mirror

-m, --mirror=user1,user2

List of users who will see themselves as the owners of all files.

e.g.

user1 sees every file in the mount point as owned by user1, so the kernel applies the owner ("u") permission bits to user1's accesses; a file user1 creates shows user1 as its owner

su user1                               # the "fake" owner is only visible after su to user1, i.e. in that user's view of the mount

-M, --mirror-only=users

Like "--mirror" but disallows access for all other users (except root).

Example:

mirror=user1:user2:user3               # ':' also works as the separator (the form used in fstab)

 


Permission

 

-p ..., --perms=...                    # e.g. perms=a-w    (applies to existing files; for new files see --create-with-perms)

                                              # e.g. og-x,og+rD,u=rwX,g+rw  or  0644,a+X

                                              # "D" (right-hand side) works like X but applies only to directories

                                              # 'd' and 'f' (left-hand side) restrict a rule to directories (d) or files (f) only

-r, -o ro                                  # read-only.  This even prevents root from writing to it

 

Example

# Map a folder read-only (fstab form; several perms rules are joined with ':' because ',' separates mount options in fstab)

/var/www/clients/web /home/sftp/web_ro fuse.bindfs perms=ugo-w:ugo+rD,chown-deny,chgrp-deny,ro 0 0

Checking (run on the mountpoint; lists files that are not world-readable and directories that are not world-readable+traversable)

find . -type f ! -perm -o=r

find . -type d ! -perm -o=rx
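The two find commands above check only the "+rD" half of the mapping. The script below is an added example written for this page, not bindfs code: it audits a tree against the whole read-only policy (perms=ugo-w:ugo+rD plus ro), so it also reports any file or directory that still carries a write bit, prints one path per violation, and returns non-zero when the tree is not compliant. The constructed tree in demo (two compliant entries and three violations under a temporary directory) is an assumption used so it runs without a real bindfs mount; in practice run it against the bindfs mountpoint, which is what clients see, not the source.

```shell
#!/bin/sh
# Added example for this page (not bindfs code): audit an exported tree
# against the read-only mapping above (perms=ugo-w:ugo+rD plus ro).
# Expected state: every file world-readable with no write bit for anyone,
# every directory world-readable and traversable with no write bit.
# Prints one path per violation; returns 0 when compliant, 1 otherwise.
# Point it at the bindfs MOUNTPOINT (what clients see), not at the source.
# Uses find's symbolic -perm tests, accepted by both GNU and BSD find.

audit_ro_export() {
    root=$1
    viol=$(find "$root" \( \
        \( -type f \( ! -perm -o=r -o -perm -u=w -o -perm -g=w -o -perm -o=w \) \) -o \
        \( -type d \( ! -perm -o=r -o ! -perm -o=x \
                      -o -perm -u=w -o -perm -g=w -o -perm -o=w \) \) \
        \) -print)
    [ -z "$viol" ] && return 0
    printf '%s\n' "$viol"
    return 1
}

# Demo on a constructed tree: ok.txt and pub/ comply, the other three do not.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/export/pub" "$t/export/priv"
    echo ok     > "$t/export/ok.txt";     chmod 444 "$t/export/ok.txt"
    echo secret > "$t/export/secret.txt"; chmod 640 "$t/export/secret.txt"   # not o+r
    echo edit   > "$t/export/edit.sh";    chmod 755 "$t/export/edit.sh"      # still u+w
    chmod 555 "$t/export" "$t/export/pub"
    chmod 750 "$t/export/priv"                                              # no o+rx
    audit_ro_export "$t/export"; rc=$?
    chmod -R u+w "$t"; rm -rf "$t"
    return $rc
}

case "${1:-}" in demo) demo ;; esac   # run as: sh audit-ro.sh demo
```

Because "ro" already blocks writes at the FUSE layer even for root, a leftover write bit is not itself a hole, but it misreports the policy to clients and to anyone auditing with ls; the perms=ugo-w rule is what keeps the displayed mode honest, and this check confirms it was applied.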

 


File creation policy (these apply when bindfs itself is run as root)

 

--create-as-user              # New files owned by the user who created them (default when bindfs runs as root)

--create-as-mounter        # New files owned by the user who ran bindfs (the mounter)

 

--create-for-user=...        # New files owned by specified user

--create-for-group=...      # New files owned by specified group

--create-with-perms=...   # Alter permissions of new files

 


Rate limits

 

--read-rate=...           # Limit to bytes/sec that can be read.

--write-rate=...           # Limit to bytes/sec that can be written.

 


/etc/fstab

 

# bindfs
/home/bob/shared  /var/www/shared/bob     fuse.bindfs  perms=0000:u+rD                   0 0

# bindfs
/backup           /home/getbackup/backup  fuse.bindfs  ro,group=getbackup,perms=g+rD     0 0

':' separates multiple arguments of perms (',' is already the mount-option separator in fstab)
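Because each fstab entry silently decides who can reach an export and whether ownership can be changed through it, it is worth reviewing them in one place. The script below is an added example written for this page, not bindfs code: it reads an fstab file with awk, keeps only fuse.bindfs entries, and prints one summary line per export (ro or not, chown/chgrp policy, whether allow_other is in effect), flagging a repeated perms= option (the page joins several rules with ':' instead) and exports that are not read-only. The sample fstab in demo is constructed from the two entries above plus one with a repeated perms=; the fstab spelling "no-allow-other" for --no-allow-other is an assumption.

```shell
#!/bin/sh
# Added example for this page (not bindfs code): summarise every fuse.bindfs
# entry in an fstab file so the exposure of each export can be reviewed at a
# glance. One output line per entry:
#   SOURCE MOUNTPOINT ro=y|n chown=deny|allowed chgrp=deny|allowed other=all-users|mounter-only [flags]
# Flags: WARN:perms_repeated (several perms= options; the page joins multiple
# rules with ':' instead), NOTE:writable (no "ro", so the export can be
# written through). Assumption: the fstab spelling of --no-allow-other is
# "no-allow-other". Pass a file as $1 to audit something other than /etc/fstab.

audit_bindfs_fstab() {
    awk '
        /^[ \t]*#/ || NF < 4   { next }          # comments and blank lines
        $3 != "fuse.bindfs"    { next }          # only bindfs mounts
        {
            ro = "n"; chown = "allowed"; chgrp = "allowed"; other = "all-users"
            perms_n = 0; flags = ""
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if      (opt[i] == "ro")             ro = "y"
                else if (opt[i] == "chown-deny")     chown = "deny"
                else if (opt[i] == "chgrp-deny")     chgrp = "deny"
                else if (opt[i] == "no-allow-other") other = "mounter-only"
                else if (opt[i] ~ /^perms=/)         perms_n++
            }
            if (perms_n > 1) flags = flags " WARN:perms_repeated"
            if (ro == "n")   flags = flags " NOTE:writable"
            printf "%s %s ro=%s chown=%s chgrp=%s other=%s%s\n", $1, $2, ro, chown, chgrp, other, flags
        }' "${1:-/etc/fstab}"
}

# Demo on a constructed fstab: the two entries from the page plus one that
# repeats perms= (which should be written perms=ugo-w:ugo+rD instead).
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real /etc/fstab
proc                 /proc                   proc         defaults                                           0 0
/home/bob/shared     /var/www/shared/bob     fuse.bindfs  perms=0000:u+rD                                    0 0
/backup              /home/getbackup/backup  fuse.bindfs  ro,group=getbackup,perms=g+rD                      0 0
/var/www/clients/web /home/sftp/web_ro       fuse.bindfs  perms=ugo-w,perms=ugo+rD,chown-deny,chgrp-deny,ro 0 0
EOF
    audit_bindfs_fstab "$f"
    rm -f "$f"
}

case "${1:-}" in demo) demo ;; esac   # run as: sh audit-fstab.sh demo
```

The summary deliberately reports other=all-users for every entry that does not opt out, since allow_other is the bindfs default rather than something that shows up in the options column; an export that is writable, allows chown and is visible to all users is the combination to look at first.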

 


Usage Example

 

e.g. let user tim manage a shared folder inside a website

bindfs --chown-deny --chgrp-deny \
      --force-user tim --create-for-user=datahunter \
     /home/vhosts/datahunter.org/public_html/share \
     /home/vhosts/datahunter.org/ftp/tim/share

 * tim will see every file/directory under tim/share as owned by him (on disk they are owned by datahunter)

 * Anything tim creates is really owned by datahunter, but still appears to be his; --chown-deny/--chgrp-deny stop him from changing the real ownership through the mount

 

 
