Prevent writing to unmounted sshfs mount point
Assuming I have a folder /mnt/mountpoint that I use as a mountpoint for some sshfs-mounted directory:
sshfs user@host /mnt/mountpoint
Now, I want to prevent applications from writing to /mnt/mountpoint while it is unmounted. Questions I found here and here have answers that imply using
sudo chattr +i /mnt/mountpoint
which works fine to prevent any write access. Unfortunately, it also prevents me from mounting with sshfs as a normal user.
What would be the best solution for this? I would prefer a single sshfs command or something that at least doesn't require root privileges. Should I forego the chattr approach and try something entirely different?
Solution 1:
Mount point default permissions
Create the mountpoint with
mkdir --mode=0500 -p /mnt/mountpoint
Only the creating user will be able to write to it. You could pre-populate this from rc.local. When you mount whatever filesystem lives on top of that mount point, it will pick up the permissions of that overlay that you had set when it was mounted.
On a side note, I would avoid chattr +i as that will confuse folks and cause troubleshooting fun down the road if not everyone is aware you did that.
Solution 2:
I got this to work with chattr +i by use of the IdentityFile option in sshfs.
For this to work you will need to generate and add your keys to the remote host.
ssh-keygen && ssh-copy-id username@host
After that's done you can use sudo with sshfs to mount the host.
# If not running the sshfs command from a script,
# you need to save the following values prior to running sshfs.
# If you don't, they will be interpreted as the root user's env variables.
# id -u / id -g are used because bash does not set $GID.
sshfs_uid="$(id -u)"
sshfs_gid="$(id -g)"
sshfs_key="$HOME/.ssh/id_rsa"
# Please note that all options passed to sshfs are required.
# Using these options will allow your user to read + write to the mounted dir.
# If they are not passed, your user won't be able to access the mounted dir.
sudo sshfs -o uid="$sshfs_uid" -o gid="$sshfs_gid" -o IdentityFile="$sshfs_key" -o allow_other username@host:/path /path/to/mountpoint
If you want to add this as part of a script or make it automatic on login, you probably don't want to enter the password each time.
To fix that:
sudo visudo
# Assuming your sudo group is "wheel".
# And assuming the permissions for your wheel group look something like this.
%wheel ALL=(ALL) ALL
# Add this line after the above line to allow sshfs mounting without a password
%wheel ALL=(ALL) NOPASSWD:/usr/bin/sshfs*
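
A guard for scripts that write under the mount point, complementing the answers above (added example, not code from the question or either answer): it checks the mount table for a fuse.sshfs entry at exactly that path before running a command. The function names, the MOUNTS_FILE variable and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and MOUNTS_FILE are illustrative assumptions.

# is_sshfs_mounted MOUNTPOINT [MOUNTS_FILE]
# Succeeds only if MOUNTPOINT itself is listed with filesystem type fuse.sshfs.
is_sshfs_mounted() {
    target=${1%/}                       # tolerate one trailing slash
    [ -n "$target" ] || target=/
    mounts=${2:-/proc/self/mounts}
    # Fields per line: device mountpoint fstype options dump pass
    while read -r _dev mnt fstype _rest; do
        # Whitespace in paths is stored as octal escapes such as \040.
        mnt=$(printf '%b' "$mnt")
        if [ "$fstype" = "fuse.sshfs" ] && [ "$mnt" = "$target" ]; then
            return 0
        fi
    done < "$mounts"
    return 1
}

# write_if_mounted MOUNTPOINT CMD [ARGS...]
# Runs CMD only while the sshfs mount is present; otherwise refuses.
write_if_mounted() {
    mp=$1
    shift
    if is_sshfs_mounted "$mp" "${MOUNTS_FILE:-/proc/self/mounts}"; then
        "$@"
    else
        echo "refusing to write: $mp is not an sshfs mount" >&2
        return 1
    fi
}

# Constructed sample in /proc/self/mounts format for trying the check offline.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
user@host: /mnt/mountpoint2 fuse.sshfs rw,nosuid,nodev,user_id=1000,group_id=1000 0 0
user@host:/srv /mnt/my\040data fuse.sshfs rw,nosuid,nodev,user_id=1000,group_id=1000 0 0
EOF
}

# Example: write_if_mounted /mnt/mountpoint cp report.txt /mnt/mountpoint/
```

The check and the write are not atomic, so this protects a script that starts while the share is unmounted, not one whose mount drops mid-run.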