How to automount SSHFS shares for a user upon login?
Clash Royale CLAN TAG#URR8PPP
up vote
1
down vote
favorite
My question is how to mount SSHFS shares as the user (not root) upon demand or upon user login using only tools that are in my distro's core repos. I'm using Arch. I don't mind writing a small script, if required. I would also like the same shares unmounted after the user logs out.
Background: I have checked other similar questions and did not find a suitable answer. Examples:
This answer recommends afuse, which is apparently defunct now. (It's website is offline, and I don't find afuse in the Arch repos.)
This one also recommends afuse.
Furthermore, the automounting section of the SSHFS Arch Wiki has some issues. It is marked as out of date. And it uses a method that mounts the SSHFS shares as root, which then requires the use of the allow_other
mount option. But that combination exposes the following bug:
If you intend to use the allow_other mount options, be aware that FUSE
has an unresolved security
bug: if the
default_permissions mount option is not used, the results of the first
permission check performed by the file system for a directory entry
will be re-used for subsequent accesses as long as the inode of the
accessed entry is present in the kernel cache - even if the
permissions have since changed, and even if the subsequent access is
made by a different user. This is of little concern if the filesystem
is accessible only to the mounting user (which has full access to the
filesystem anyway), but becomes a security issue when other users are
allowed to access the filesystem (since they can exploit this to
perform operations on the filesystem that they do not actually have
permissions for).
A work-around for that bug is to use default_permissions with allow_other, but default_permissions doesn't support ACL's (and this combination may also lead to other permissions-related issues in my experience).
More details:
I wish to have the mounts performed by the regular user (when the user logs in or on demand) without using either default_permissions or allow_other. (Preliminary testing indicates that this method results in the permissions working as expected.) UPDATE: No, I was wrong. Permissions remain problematic when the directory is owned by another user and group permissions are used to grant access. In that case access is improperly denied. I think the correct answer may be: DO NOT USE SSHFS in situations like mine.
I also do not want to use any marginal packages or even packages from the AUR.
I have seen a suggestion that pam_exec.so
might be a solution, but I have not seen any detailed examples of how this would be configured for automounting shares for each user. Also, if I use this method, I would like to unmount the same shares when the user logs out.
Another option may be AutoFS. However, once again the Arch Wiki for this topic uses an example that requires root. It even has "As root" in bold. (The wiki page also has an open dispute on that issue. I would prefer a non-ambiguous or authoritative answer regarding how to do this.)
I don't want the solution limited to GUI login. Any automounting (at login or on demand) should be effective in the DE, a virtual console or (hopefully) even an SSH login.
pam automounting sshfs autofs
add a comment |Â
up vote
1
down vote
favorite
My question is how to mount SSHFS shares as the user (not root) upon demand or upon user login using only tools that are in my distro's core repos. I'm using Arch. I don't mind writing a small script, if required. I would also like the same shares unmounted after the user logs out.
Background: I have checked other similar questions and did not find a suitable answer. Examples:
This answer recommends afuse, which is apparently defunct now. (It's website is offline, and I don't find afuse in the Arch repos.)
This one also recommends afuse.
Furthermore, the automounting section of the SSHFS Arch Wiki has some issues. It is marked as out of date. And it uses a method that mounts the SSHFS shares as root, which then requires the use of the allow_other
mount option. But that combination exposes the following bug:
If you intend to use the allow_other mount options, be aware that FUSE
has an unresolved security
bug: if the
default_permissions mount option is not used, the results of the first
permission check performed by the file system for a directory entry
will be re-used for subsequent accesses as long as the inode of the
accessed entry is present in the kernel cache - even if the
permissions have since changed, and even if the subsequent access is
made by a different user. This is of little concern if the filesystem
is accessible only to the mounting user (which has full access to the
filesystem anyway), but becomes a security issue when other users are
allowed to access the filesystem (since they can exploit this to
perform operations on the filesystem that they do not actually have
permissions for).
A work-around for that bug is to use default_permissions with allow_other, but default_permissions doesn't support ACL's (and this combination may also lead to other permissions-related issues in my experience).
More details:
I wish to have the mounts performed by the regular user (when the user logs in or on demand) without using either default_permissions or allow_other. (Preliminary testing indicates that this method results in the permissions working as expected.) UPDATE: No, I was wrong. Permissions remain problematic when the directory is owned by another user and group permissions are used to grant access. In that case access is improperly denied. I think the correct answer may be: DO NOT USE SSHFS in situations like mine.
I also do not want to use any marginal packages or even packages from the AUR.
I have seen a suggestion that pam_exec.so
might be a solution, but I have not seen any detailed examples of how this would be configured for automounting shares for each user. Also, if I use this method, I would like to unmount the same shares when the user logs out.
Another option may be AutoFS. However, once again the Arch Wiki for this topic uses an example that requires root. It even has "As root" in bold. (The wiki page also has an open dispute on that issue. I would prefer a non-ambiguous or authoritative answer regarding how to do this.)
I don't want the solution limited to GUI login. Any automounting (at login or on demand) should be effective in the DE, a virtual console or (hopefully) even an SSH login.
pam automounting sshfs autofs
add a comment |Â
up vote
1
down vote
favorite
up vote
1
down vote
favorite
My question is how to mount SSHFS shares as the user (not root) upon demand or upon user login using only tools that are in my distro's core repos. I'm using Arch. I don't mind writing a small script, if required. I would also like the same shares unmounted after the user logs out.
Background: I have checked other similar questions and did not find a suitable answer. Examples:
This answer recommends afuse, which is apparently defunct now. (It's website is offline, and I don't find afuse in the Arch repos.)
This one also recommends afuse.
Furthermore, the automounting section of the SSHFS Arch Wiki has some issues. It is marked as out of date. And it uses a method that mounts the SSHFS shares as root, which then requires the use of the allow_other
mount option. But that combination exposes the following bug:
If you intend to use the allow_other mount options, be aware that FUSE
has an unresolved security
bug: if the
default_permissions mount option is not used, the results of the first
permission check performed by the file system for a directory entry
will be re-used for subsequent accesses as long as the inode of the
accessed entry is present in the kernel cache - even if the
permissions have since changed, and even if the subsequent access is
made by a different user. This is of little concern if the filesystem
is accessible only to the mounting user (which has full access to the
filesystem anyway), but becomes a security issue when other users are
allowed to access the filesystem (since they can exploit this to
perform operations on the filesystem that they do not actually have
permissions for).
A work-around for that bug is to use default_permissions with allow_other, but default_permissions doesn't support ACL's (and this combination may also lead to other permissions-related issues in my experience).
More details:
I wish to have the mounts performed by the regular user (when the user logs in or on demand) without using either default_permissions or allow_other. (Preliminary testing indicates that this method results in the permissions working as expected.) UPDATE: No, I was wrong. Permissions remain problematic when the directory is owned by another user and group permissions are used to grant access. In that case access is improperly denied. I think the correct answer may be: DO NOT USE SSHFS in situations like mine.
I also do not want to use any marginal packages or even packages from the AUR.
I have seen a suggestion that pam_exec.so
might be a solution, but I have not seen any detailed examples of how this would be configured for automounting shares for each user. Also, if I use this method, I would like to unmount the same shares when the user logs out.
Another option may be AutoFS. However, once again the Arch Wiki for this topic uses an example that requires root. It even has "As root" in bold. (The wiki page also has an open dispute on that issue. I would prefer a non-ambiguous or authoritative answer regarding how to do this.)
I don't want the solution limited to GUI login. Any automounting (at login or on demand) should be effective in the DE, a virtual console or (hopefully) even an SSH login.
pam automounting sshfs autofs
My question is how to mount SSHFS shares as the user (not root) upon demand or upon user login using only tools that are in my distro's core repos. I'm using Arch. I don't mind writing a small script, if required. I would also like the same shares unmounted after the user logs out.
Background: I have checked other similar questions and did not find a suitable answer. Examples:
This answer recommends afuse, which is apparently defunct now. (It's website is offline, and I don't find afuse in the Arch repos.)
This one also recommends afuse.
Furthermore, the automounting section of the SSHFS Arch Wiki has some issues. It is marked as out of date. And it uses a method that mounts the SSHFS shares as root, which then requires the use of the allow_other
mount option. But that combination exposes the following bug:
If you intend to use the allow_other mount options, be aware that FUSE
has an unresolved security
bug: if the
default_permissions mount option is not used, the results of the first
permission check performed by the file system for a directory entry
will be re-used for subsequent accesses as long as the inode of the
accessed entry is present in the kernel cache - even if the
permissions have since changed, and even if the subsequent access is
made by a different user. This is of little concern if the filesystem
is accessible only to the mounting user (which has full access to the
filesystem anyway), but becomes a security issue when other users are
allowed to access the filesystem (since they can exploit this to
perform operations on the filesystem that they do not actually have
permissions for).
A work-around for that bug is to use default_permissions with allow_other, but default_permissions doesn't support ACL's (and this combination may also lead to other permissions-related issues in my experience).
More details:
I wish to have the mounts performed by the regular user (when the user logs in or on demand) without using either default_permissions or allow_other. (Preliminary testing indicates that this method results in the permissions working as expected.) UPDATE: No, I was wrong. Permissions remain problematic when the directory is owned by another user and group permissions are used to grant access. In that case access is improperly denied. I think the correct answer may be: DO NOT USE SSHFS in situations like mine.
I also do not want to use any marginal packages or even packages from the AUR.
I have seen a suggestion that pam_exec.so
might be a solution, but I have not seen any detailed examples of how this would be configured for automounting shares for each user. Also, if I use this method, I would like to unmount the same shares when the user logs out.
Another option may be AutoFS. However, once again the Arch Wiki for this topic uses an example that requires root. It even has "As root" in bold. (The wiki page also has an open dispute on that issue. I would prefer a non-ambiguous or authoritative answer regarding how to do this.)
I don't want the solution limited to GUI login. Any automounting (at login or on demand) should be effective in the DE, a virtual console or (hopefully) even an SSH login.
pam automounting sshfs autofs
edited Feb 16 at 23:14
jasonwryan
46.7k14127175
46.7k14127175
asked Feb 16 at 6:55
MountainX
4,4342367116
4,4342367116
add a comment |Â
add a comment |Â
active
oldest
votes
active
oldest
votes
active
oldest
votes
active
oldest
votes
active
oldest
votes
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f424541%2fhow-to-automount-sshfs-shares-for-a-user-upon-login%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password