The Gluster Blog

Gluster blog stories provide high-level spotlights on our users all over the world

Mounting GlusterFS as an Unprivileged User

Gluster
2013-03-16

Somebody asked on Twitter whether it was possible, so I tried it. I was able to make it work, but only with some code changes and other very nasty hacks. For the record, here’s what I had to do.

  • Remove the explicit check in fuse_mount_fusermount that causes mounts to fail with “Mounting via helper utility (unprivileged mounting) is supported only if glusterfs is compiled with –enable-fusermount”. I could probably get the same effect by building my RPMs with that option, but I find the build-time requirement noxious. IMO this should be enabled (in the code) by default.
  • Make both fusermount and glusterfsd set-uid. This is a stunningly bad idea in general, but for experimentation it’s OK. Don’t do this unless you’re sure that only trusted users can run these programs, and have reconciled yourself to the idea that you now have set-uid programs that haven’t been through a security audit appropriate to that usage.
  • Mount using “glusterfs –volfile …” to use a local volfile instead of fetching one from glusterd. It looks like glusterd isn’t processing the rpc-auth-allow-insecure option properly; if not for that, mounting normally should work.
  • Have the untrusted user work only on files in a directory owned by that user. The brick directory is still owned by root and should probably remain that way, but you can create a per-user subdirectory.

In short, making this work for everyone would require both code/packaging changes and site changes that are questionable in terms of security. I’m not sure it would be wise to do this, but it is possible.

BLOG

  • 06 Dec 2020
    Looking back at 2020 – with g...

    2020 has not been a year we would have been able to predict. With a worldwide pandemic and lives thrown out of gear, as we head into 2021, we are thankful that our community and project continued to receive new developers, users and make small gains. For that and a...

    Read more
  • 27 Apr 2020
    Update from the team

    It has been a while since we provided an update to the Gluster community. Across the world various nations, states and localities have put together sets of guidelines around shelter-in-place and quarantine. We request our community members to stay safe, to care for their loved ones, to continue to be...

    Read more
  • 03 Feb 2020
    Building a longer term focus for Gl...

    The initial rounds of conversation around the planning of content for release 8 has helped the project identify one key thing – the need to stagger out features and enhancements over multiple releases. Thus, while release 8 is unlikely to be feature heavy as previous releases, it will be the...

    Read more