# PEFS Inside Jail, "Operation not Permitted"



## BawdyAnarchist (Sep 25, 2020)

Made a post earlier about theoretical hidden directories attack vectors and PEFS.  This is a simple question about a problem I'm having.

Inside a jail, with `allow.mount;` and `enforce_statfs="0";` in /etc/jail.conf, I am getting the error message:

```
root@jail:/home/user # ls -I
test
root@jail:/home/user # pefs mount test test
pefs mount: test: Operation not permitted
```

Running `mount` inside the jail shows all mounts on host (obviously since I set allow.mount and enforce_statfs=0).  kldstat shows pefs loaded.  Not sure what I'm missing here.


----------



## Mjölnir (Sep 25, 2020)

PEFS is designed to be used by the user, not by _root_?  `vfs.usermount=1` in sysctl.conf(5).


----------



## BawdyAnarchist (Sep 28, 2020)

mjollnir said:


> PEFS is designed to be used by the user, not by _root_?  `vfs.usermount=1` in sysctl.conf(5).



`vfs.usermount=1` didn't work for me.  I've tried both root and normal user.   I added verbose and I get an output like this:

```
user@personal:~ # pefs mount -v test test
pefs mount: test: Operation not permitted
zroot/jails/personal on /jails/personal (zfs, local, noatime, nfsv4acls)
```

Really stumped here.  I'm sure it's something simple.  I tried other jails too, same results.


----------



## Mjölnir (Sep 28, 2020)

Did you set `allow.mount.devfs` & `devfs_ruleset` in jail.conf(5)?
Maybe pefs(8) is not "jail clean".  Can you mount as user from within the host?
I'm not familiar with the internals of pefs(8), but I would try `allow.mount.fusefs` and/or `allow.mount.nullfs` in jail.conf(5), because pefs(5) might use these mechanisms.
Consider asking the author via e-mail (manpage).


----------



## BawdyAnarchist (Nov 12, 2021)

I dropped this issue for about a year, but decided to play around with it again recently. Writing this for posterity ...

If you want to get PEFS working inside of a jail, you need to start the jail, and then from the host machine, pefs mount the directory into an already mounted jail directory: `pefs mount /jails/myjail/encrypted_directory /jails/myjail/encrypted_directory`, and then `pefs addkey -c /jails/myjail/encrypted_directory`. This will make the files viewable from inside the running jail.

I tried to enable all the permissions that I could for everything possible inside the jail, but none of it seemed to work. I'm still not sure how to enable a jail to mount filesystems, seeing as how the jail can't exactly see the host filesystem and directory structure. I guess that's for another post, but I know the answer is always to put your mounts in the jail's fstab.


----------

