1

I am trying to use unionfs to create multiple (100+) instances of a few development tools for our development server. Here is the script I am using:

PROJECT=$1
DEPLOYMENT=$2
TOOL=$3

DIR_TOOL="/var/www/tools/${TOOL}"
DIR_CONFIG="/var/www/tools-instances/${PROJECT}/${DEPLOYMENT}/${TOOL}/config"
DIR_TMP="/var/www/tools-instances/${PROJECT}/${DEPLOYMENT}/${TOOL}/tmp"
DIR_MERGED="/var/www/tools-instances/${PROJECT}/${DEPLOYMENT}/${TOOL}/merged"


mkdir -p "${DIR_CONFIG}"
mkdir -p "${DIR_TMP}"
mkdir -p "${DIR_MERGED}"


unionfs -o cow "${DIR_TMP}"=RW:"${DIR_CONFIG}"=RO:"${DIR_TOOL}"=RO "${DIR_MERGED}"

And then use it like this:

create-tool-overlay.sh "project-1" "staging" "phpmyadmin"

Everything works fine but only for our manager user. If I try to access the folder as any other user including www-data (who needs this access) and root (who should have access to everything) I get permission denied. And if I try to run ls on this folder I get this weird output:

root@app-1:/var/www/tools-instances/project-1/staging/phpmyadmin# ls -al
ls: cannot access 'merged': Permission denied
total 32
drwxrwxr-x+ 5 manager manager 4096 Dec 16 15:51 .
drwxrwxr-x+ 3 manager manager 4096 Dec 14 15:29 ..
drwxrwxr-x+ 2 manager manager 4096 Dec 14 15:29 config
d?????????? ? ?       ?          ?            ? merged
drwxrwxr-x+ 2 manager manager 4096 Dec 16 15:51 tmp
Kamil Maciorowski
  • 81,893
HubertNNN
  • 443

1 Answers1

3

The unionfs executable you used created a filesystem in userspace (FUSE). The process managing the filesystem runs under a specific user (in your case: manager) and other users have no access. Giving access to other users is less secure. Read about security concerns.

You can lower the security. See man 8 fuse. The option allow_root will allow root to use the filesystem. The option allow_other will allow anyone to use the filesystem. These options are mutually exclusive, it seems you want the latter. Note you need to place user_allow_other in /etc/fuse.conf in order to use allow_other as a regular user. This is the relevant comment from the default fuse.conf in my Kubuntu [formatting mine]:

user_allow_other - Using the allow_other mount option works fine as root, in order to have it work as user you need user_allow_other in /etc/fuse.conf as well. (This option allows users to use the allow_other option.) You need allow_other if you want users other than the owner to access a mounted fuse. This option must appear on a line by itself. There is no value, just the presence of the option.

You pass allow_other as (a part of) an option-argument to -o while invoking unionfs. In your case it will be like:

unionfs -o cow,allow_other …

Note if the filesystem runs under a specific regular user then it will only be able to do (to the underlying storage) what this user can do. E.g. if you run unionfs as manager and allow_other allows www-data to use the filesystem, then any file created by www-data will still belong to manager anyway. Other limitations will possibly manifest themselves.

Running the filesystem under root can help, but see the already linked answer. Running under root is not advised.

In general FUSE is designed as a generic way for users without root access to mount and use filesystems for themselves, without bothering actual admins. To use a filesystem with other users, the right way is to have support from the kernel and from an admin who can mount.

AFAIK it's possible to have UnionFS as a kernel module (not FUSE), but it's not in the mainline kernel, you need to build it by yourself. If I understand correctly, UnionFS implemented in the kernel should behave like you expected.

In my Kubuntu I can use OverlayFS (which is one of alternatives) already present as a kernel module (not FUSE).

Kamil Maciorowski
  • 81,893