How to set mount permissions right

Dual-O · February 4, 2023, 7:45pm

I'm a bit confused how to setup rclone mount permissions.

my setup:
rclone v1.61.1 on ubuntu 22.04

create a user and group called rclone (uid=997 gid=998)
create a user called test wich is member of the rclone group
create a user test2 wich is not member of the rclone group

my rclone mount commands in my systemd.service file

[Unit]
Description = rclone crypt mount
After = network-online.target

[Service]
Type=notify
ExecStart=/usr/bin/rclone mount GD_crypt:data /mnt/rclone_mount\
        --devname rclone \
        --use-mmap \
        --allow-other \
        --uid 997 \
        --gid 998 \
        --umask 0007 \
        --dir-cache-time 8760h \
        --poll-interval 1h \
        --buffer-size 64M
ExecStop=/bin/fusermount -u -z /mnt/rclone_mount
Restart=on-failure
RestartSec=20s
User=root

[Install]
WantedBy=multi-user.target

Problem:

When I start the mount I see the right permissions
drwxrwx--- 1 rclone rclone 0 Feb 4 19:23 rclone_mount
... but I can access the files with the test2 user wich isn't member of the rclone group.

test2@instance:~$ groups
test2
test2@instance:~$ ls -l /mnt/rclone_mount/test.txt
-rw-rw---- 1 rclone rclone 17 Feb  4 19:39 /mnt/rclone_mount/test.txt
test2@instance:~$ cat /mnt/rclone_mount/test.txt
I can read this!
test2@instance:~$

I was hoping it was because of the --allow-other option but when I remove --allow-other I can't access the mount with the test user wich is member of the rclone group.

test@instance:~$ groups
test rclone
test@instance:~$ ls -l /mnt/rclone_mount
d????????? ? ?        ?           ?            ? rclone_mount

setting dir-perms or file-perms doesn't change anything

        --dir-perms 0770 \
        --file-perms 0660 \

Thanks in advance

Dual-O · February 4, 2023, 10:16pm

I found the failure... --default-permissions is needed.

   default_permissions
          This option instructs the kernel to perform its own  permission  check  instead  of
          deferring  all  permission  checking  to the filesystem. The check by the kernel is
          done in addition to any permission checks by  the  filesystem,  and  both  have  to
          succeed  for  an  operation  to  be  allowed.  The  kernel performs a standard UNIX
          permission check (based on mode bits and ownership  of  the  directory  entry,  and
          uid/gid of the client).

          This  mount  option  is  activated implicitly if the filesystem enables ACL support
          during the initial feature negotiation when opening the device fd.  In  this  case,
          the kernel performs both ACL and standard unix permission checking.

          Filesystems that do not implement any permission checking should generally add this
          option internally.

   allow_other
          This  option  overrides  the  security  measure  restricting  file  access  to  the
          filesystem owner, so that all users (including root) can access the files.

source

system · February 11, 2023, 11:53pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.