Hello !
Getting a bit annoyed with permission issues with samba and sshfs. If someone could give me some input on how to find another more elegant and secure way to share a folder path owned by root, I would really appreciate it !
Context
- The following folder path is owned by root (docker volume): /var/lib/docker/volumes/syncthing_data/_data/folder
- The child folders are owned by the user server: /var/lib/docker/volumes/syncthing_data/_data/folder
- The user server is in the sudoers file
- Server is in the docker group
- fuse.conf has the user_allow_other uncommented
Mount point with sshfs
sudo sshfs server@10.0.0.100:/var/lib/docker/volumes/syncthing_data/_data/folder /home/user/folder -o allow_other
Permission denied
Things I tried
- Adding other options like
  gid 0,27,1000
  uid 0,27,1000
  default_permissions
  …
- Finding my way through stackoverflow, unix.stackexchange…
Solution I found
- Making a bind mount from the root owned path to a new path owned by server
sudo mount --bind /var/lib/docker/volumes/syncthing_data/_data/folder /home/server/folder
- Mount point with sshfs
sshfs server@10.0.0.100:/home/server/folder /home/user/folder
Question
While the above solution works, it overcomplicates my setup and adds an unnecessary mount point to my laptop and fstab.
Isn’t there a more elegant solution to work directly with the user server (which has root access) to mount the folder with sshfs directly even if the folder path is owned by root?
I mean the user has root access so something like:
sshfs server@10.0.0.100:/home/server/folder /home/user/folder -o allow_other
should work even if the first part of the path is owned by root.
Changing owner/permission of the path recursively is out of the question !
Thank you for your insights !

In that case, perhaps replacing
-o sftp_server="/usr/bin/sudo /usr/lib/openssh/sftp-server"
with
-o sftp_server="/usr/bin/sudo -u <syncthing_user> /usr/lib/openssh/sftp-server"
is a good compromise?

Hey thank you for the nice tip ! This looks actually promising and exactly what I needed !
Going with this route, which seems way more secure. Fiddling with sudoers permissions seems a bad idea in the first place !
Thank you very much 👋

Yes, the permissions of <syncthing_user> should be sufficient. I was not aware that OP might not really need root access.
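
Added example, not part of the thread: when sshfs starts sudo over ssh there is no terminal for a password prompt, so the sftp_server override discussed above needs a matching NOPASSWD rule on the server. The drop-in below scopes that rule to the SFTP server binary only; syncthing_user is a placeholder for the real account name and the file name is an assumption.

```sudoers
# /etc/sudoers.d/sshfs-syncthing   (file name is an assumption; check it with: visudo -cf <file>)
#
# Broad variant, matching -o sftp_server="/usr/bin/sudo /usr/lib/openssh/sftp-server":
# the SFTP session runs as root and can read and write the whole filesystem.
#server ALL=(root) NOPASSWD: /usr/lib/openssh/sftp-server ""

# Narrow variant, matching the "-u <syncthing_user>" form:
# "server" may run only the SFTP server, only as syncthing_user, with no arguments ("").
# syncthing_user is a placeholder for the account that owns the synced folders.
server ALL=(syncthing_user) NOPASSWD: /usr/lib/openssh/sftp-server ""

# Client side, run as the laptop user (one command):
#   sshfs -o sftp_server="/usr/bin/sudo -u syncthing_user /usr/lib/openssh/sftp-server" \
#       server@10.0.0.100:/var/lib/docker/volumes/syncthing_data/_data/folder /home/user/folder
# The session then has exactly syncthing_user's file permissions, including on
# every parent directory of the volume path.
```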