Hello !

Getting a bit annoyed with permission issues with samba and sshfs. If someone could give me some input on how to find an other more elegant and secure way to share a folder path owned by root, I would really appreciate it !

Context

  • The following folder path is owned by root (docker volume):

/var/lib/docker/volumes/syncthing_data/_data/folder

  • The child folders are owned by the user server

/var/lib/docker/volumes/syncthing_data/_data/folder

  • The user server is in the sudoers file
  • Server is in the docker groupe
  • fuse.confhas the user_allow_other uncommented

Mount point with sshfs

sudo sshfs server@10.0.0.100:/var/lib/docker/volumes/syncthing_data/_data/folder /home/user/folder -o allow_other

Permission denied

Things I tried

  • Adding other options like gid 0,27,1000 uid 0,27,1000 default_permissions
  • Finding my way through stackoverflow, unix.stackexchange…

Solution I found

  1. Making a bind mount from the root owned path to a new path owned by server

sudo mount --bind /var/lib/docker/volumes/syncthing_data/_data/folder /home/server/folder

  1. Mount point with sshfs

sshfs server@10.0.0.100:/home/server/folder /home/user/folder

Question

While the above solution works, It overcomplicates my setup and adds an unecessary mount point to my laptop and fstab.

Isn’t there a more elegant solution to work directly with the user server (which has root access) to mount the folder with sshfs directly even if the folder path is owned by root?

I mean the user has root access so something like:

sshfs server@10.0.0.100:/home/server/folder /home/user/folder -o allow_other should work even if the first part of the path is owned by root.

Changing owner/permission of the path recursively is out of question !

Thank you for your insights !

  • redcalcium@lemmy.institute
    3·
    7 months ago

    In that case, perhaps replacing -o sftp_server="/usr/bin/sudo /usr/lib/openssh/sftp-server" with -o sftp_server="/usr/bin/sudo -u <syncthing_user> /usr/lib/openssh/sftp-server" is a good compromise?

    • Successful_Try543@feddit.de
      2·
      7 months ago

      Yes, the permissions of <syncthing_user> should be sufficient. I was not aware, that OP might not really need root access.

    • N0x0n@lemmy.mlOP
      1·
      7 months ago

      Hey thank you for the nice tip ! This looks actually promising and exactly what I needed !

      Going with this route, which seems way more secure. Fiddling with sudoers permissions seems a bad idea in the first place !

      Thank you very much 👋