# Sshfs needs doas, how to use sshfs as an unprivileged user?



## Ethish (Jan 13, 2022)

Using a fresh install of FreeBSD 13.0. I'm trying to mount a remote directory on a Linux server via sshfs with the following command:

`sshfs user@x.x.x.x:/home/user/Dir/dir/ /usr/home/anotheruser/DestinationDir/ -p1234 -v -o idmap=user,uid=X,guid=Y,allow_other,follow_symlinks,reconnect`

The command fails with the following statement:

`mount_fusefs: /dev/fuse on /usr/home/anotheruser/DestinationDir: Operation not permitted`

user_allow_other is in fuse.conf

When using:

`doas sshfs user@x.x.x.x:/home/user/Dir/dir/ /usr/home/anotheruser/DestinationDir/ -p1234 -v -o idmap=user,uid=X,guid=Y,allow_other,follow_symlinks,reconnect`

the remote directory will mount.

I know I must be missing something, but I don't know what.

Does anybody know what is needed to be able to use sshfs without doas?


----------



## rootbert (Jan 13, 2022)

the sysctl vfs.usermount=1 is needed


----------



## Ethish (Jan 13, 2022)

rootbert said:


> the sysctl vfs.usermount=1 is needed


Hi rootbert,
Thank you.
I set the above value in /etc/sysctl.conf, (rebooted) and verified it with `sysctl -a | grep vfs.usermount`, which gives vfs.usermount= 1.
Sshfs still needs doas.

Any other ideas?


----------



## jmos (Jan 14, 2022)

Ethish said:


> Sshfs still needs doas.


I'm using sshfs, but I don't need doas/super/sudo etc. to use it; in your first post there's a hint to /dev/fuse… Maybe: Does your user have the permission to use this device? Check the group of that device, and check if your user belongs to that group. Mine does.


----------



## T-Daemon (Jan 14, 2022)

Ethish said:


> I'm trying to mount a remote directory on a Linux server via sshfs with the following command:
> 
> `sshfs user@x.x.x.x:/home/user/Dir/dir/ /usr/home/anotheruser/DestinationDir/ -p1234 -v -o idmap=user,uid=X,guid=Y,allow_other,follow_symlinks,reconnect`



Set `vfs.usermount=1` and remove `allow_other` option.

mount_fusefs(8):

```
allow_other
                     Do not apply STRICT ACCESS POLICY.  Only root can use
                     this option.
```



Ethish said:


> user_allow_other is in fuse.conf



Is not supported on FreeBSD, it seems.


----------



## Ethish (Jan 14, 2022)

jmos said:


> I'm using sshfs, but I don't need doas/super/sudo etc. to use it; in your first post there's a hint to /dev/fuse… Maybe: Does your user have the permission to use this device? Check the group of that device, and check if your user belongs to that group. Mine does.


Hi jmos,

Thank you.

`ls -lah /dev/fuse` gives:

`crw-rw-rw- 1 root operator 0x3f Jan14 16:56 /dev/fuse`

My user is a member of group operator; this does not seem to be the problem.


----------



## Ethish (Jan 14, 2022)

T-Daemon said:


> Set `vfs.usermount=1` and remove `allow_other` option.
> 
> mount_fusefs(8):
> 
> ...


Thanks, T-Daemon, removing `allow_other` solved the issue.


----------
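
Added example, not part of any post in this thread: a pre-flight script that runs the three checks raised in the replies above (the `vfs.usermount` sysctl, access to `/dev/fuse`, and the root-only `allow_other` mount option) before calling sshfs as a normal user. The function names and the script name `sshfs_preflight.sh` are assumptions made for this example.

```shell
#!/bin/sh
# sshfs_preflight.sh (hypothetical name): checks for an unprivileged
# sshfs mount on FreeBSD, based on the points raised in this thread.

# Split a comma-separated -o option string into one option per line.
split_opts() { printf '%s\n' "$1" | tr ',' '\n'; }

# Print every option that mount_fusefs(8) reserves for root.
# Only allow_other is listed because it is the one quoted in the thread.
root_only_in() {
    split_opts "$1" | while IFS= read -r opt; do
        case "${opt%%=*}" in
            allow_other) printf '%s\n' "$opt" ;;
        esac
    done
}

# Print the option string with root-only (and empty) options removed.
safe_opts() {
    split_opts "$1" | while IFS= read -r opt; do
        case "${opt%%=*}" in
            allow_other|'') ;;
            *) printf '%s\n' "$opt" ;;
        esac
    done | paste -sd, -
}

# preflight <option-string>: returns 0 only if all checks pass.
preflight() {
    opts=$1; rc=0
    # 1. Non-root mounts need vfs.usermount=1.
    if [ "$(sysctl -n vfs.usermount 2>/dev/null)" != 1 ]; then
        echo "FAIL: vfs.usermount is not 1"; rc=1
    fi
    # 2. The calling user needs read/write access to the FUSE device.
    if [ ! -r /dev/fuse ] || [ ! -w /dev/fuse ]; then
        echo "FAIL: no read/write access to /dev/fuse"; rc=1
    fi
    # 3. Root-only options make mount_fusefs refuse the mount for a normal user.
    bad=$(root_only_in "$opts")
    if [ -n "$bad" ]; then
        echo "FAIL: root-only option: $bad"
        echo "      retry with: -o $(safe_opts "$opts")"; rc=1
    fi
    return $rc
}

# Run the checks when an option string is given on the command line.
if [ "$#" -ge 1 ]; then preflight "$1"; fi
```

Run it as the user who will do the mount, passing the same string that would follow `-o` on the sshfs command line.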



## kpedersen (Jan 14, 2022)

A little bit of a workaround but can you make the sshfs program setuid?


```
# cp /usr/local/bin/sshfs /usr/local/bin/mount_ssh
# chown root:<username> /usr/local/bin/mount_ssh
# chmod u=rwxs,go=rx /usr/local/bin/mount_ssh
```

Now, when any user in the <username> group executes the binary, it will run as root.
You might want to copy and try it out on the /usr/bin/whoami program first.

Warning: It is very easy with setuid to introduce unintended backdoors. I *believe* sshfs and whoami will not pose a problem but be careful.


----------



## tingo (Jan 15, 2022)

kpedersen said:


> A little bit of a workaround but can you make the sshfs program setuid?


and potentially a security issue. You really should mention that when suggesting changing random programs to setuid.


----------



## Ethish (Jan 15, 2022)

kpedersen said:


> A little bit of a workaround but can you make the sshfs program setuid?
> 
> 
> ```
> ...


Hi kpedersen,
Interesting idea, but I prefer to use sshfs with an unprivileged user.
Thanks for the suggestion.


----------



## kpedersen (Jan 15, 2022)

tingo said:


> and potentially a security issue. You really should mention that when suggesting changing random programs to setuid.


A fair point, but I am not sure it reduces security in this case any more than allowing a user to run it via sudo / doas. Though I will edit my post.

Weirdly I didn't see the OP had solved the issue with `allow_other` prior to my post!


----------

