An important detail, about how to use ‘fusermount’, which I only learned recently.

It’s old wisdom under Linux, that system administrators do not allow just any user to mount file-systems. The reason is that, with any sophisticated file-system, each file can have ‘root’ ownership, as well as having the ‘setuid’ flag set, which means that if a malicious user were then to execute a program with those bits set, he would have given himself root privileges.

The fact that with most Linux desktop managers, auto-mounting is handled in the background, by a daemon, only serves to verify this concern.

But ways exist to mount a file-system, so that all the files and directories within it, just arbitrarily have one current user as their owner. The only problem is that a regular user with access to the ‘mount’ command cannot be trusted to use such options.

BUT, there exists a utility on modern Linux systems – if it’s installed – which is called ‘fusermount’. This is a command, for mounting file-systems in user-space. Its main purpose is, to give regular users the ability to mount a file-system, but only to have its files and directories belong to them – safely.

In the past, I had a hard time using this command, because every time I tried, I just got the error-message that I did not have permissions to do so, as a regular user. What I did at first, was to use ‘visudo’, in order to give myself the privilege to use ‘mount’ with ‘sudo’.

But as it turns out, there is a detail to using ‘fusermount’ properly, which I only learned about recently.

Under Debian / Jessie, we actually need to create a group called ‘fuse’, and include our users, who are supposed to be able to use ‘fusermount’, in this group, so that they’ll be able to do so, without requiring ‘sudo’.

This was actually a difficult detail for me to distinguish, because if the ‘fuse’ package gives special treatment to the group ‘fuse’, then what I’d expect is that to install this package, will also create this group. But NO. The system administrator actually needs to create the group himself, for everything to work properly.

Also, what people should note, is that every time they include an existing user into a new group, to give him or her new privileges, that user must also first log out and log back in, before those privileges go into effect.
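The group setup and the log-out requirement described above can be checked with a short script. This is an added example, not part of the original post; the function names `group_members` and `fuse_state` and the sample group file are constructed for illustration.

```shell
#!/bin/sh
# Added example: tell apart "group missing", "user not in group",
# "membership on disk but not yet in this login session", and "active".

# group_members GROUPFILE GROUP
# Print the member list (4th field) of GROUP from a file in /etc/group
# format (name:password:gid:member,member,...). Fails if GROUP has no entry.
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4; found = 1 } END { exit !found }' "$1"
}

# fuse_state USER GROUPFILE SESSION_GROUPS
# SESSION_GROUPS is the space-separated group list of the running session,
# i.e. what `id -Gn` prints. It only changes at the next login.
fuse_state() {
    user=$1 file=$2 session=$3
    members=$(group_members "$file" fuse) || { echo missing-group; return; }
    case ",$members," in
        *",$user,"*) ;;                      # listed on disk, keep checking
        *) echo not-member; return ;;
    esac
    case " $session " in
        *" fuse "*) echo active ;;           # session already carries the group
        *) echo relogin-needed ;;            # added after login: log out and in
    esac
}

# Constructed sample data (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:
audio:x:29:alice
fuse:x:1001:alice,bob
EOF

fuse_state alice "$sample" "alice audio"        # relogin-needed
fuse_state alice "$sample" "alice audio fuse"   # active
fuse_state carol "$sample" "carol"              # not-member
rm -f "$sample"

# On a real system, the same check for the current user would be:
#   fuse_state "$(id -un)" /etc/group "$(id -Gn)"
```

A result of `relogin-needed` is the case the post warns about: the user is already listed in the group, but the session was started before the change.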

But now that I know about this, I no longer need to have the ‘visudo’ options set, to allow my main user to ‘sudo’ the ‘mount’ command, and this actually makes my setup, on one of my computers, much safer, since to run ‘fusermount’ as user, is safer.

Dirk

 
