I observed some unexpected behaviors when using unix authentication in EOS FUSE mount. I have a user named laf on my MGM-QDB-FST co-located virtual machine for testing:
> grep laf /etc/passwd
laf:x:1000:1000:laf:/home/laf:/bin/zsh
and the EOS vid config is:
> eos vid ls
publicaccesslevel: => 1024
sudoer => uids()
tokensudo => always
unix:"<pwd>":gid => root
unix:"<pwd>":uid => root
and commands like eos touch and eos chown work with privilege limitations as expected, but if I am in the FUSE mount directory, I actually become the root user:
laf> ls -alh /eos/dev/test
total 13M
drwxrwxr-x. 2 root root 4.0K Oct 5 16:17 .
drwxrwxr-x. 2 root root 4.0K Oct 5 15:33 ..
laf> echo "test" > /eos/dev/test/test.txt
laf> ls -alh /eos/dev/test
total 13M
drwxrwxr-x. 1 root root 4.0K Oct 5 16:32 .
drwxrwxr-x. 2 root root 4.0K Oct 5 15:33 ..
-rw-r--r--. 1 root root 5 Oct 5 16:33 test.txt
and I can chown or chmod on anything, which is definitely unexpected. Is this behavior due to my misconfiguration or misunderstanding? How can I configure unix auth for FUSE mount correctly?
Hi Anfeng,
this is an artefact of having the client sitting on the namespace node itself and connecting to localhost. Try the same, connecting from an external VM. But I will have a look at changing that, since it is indeed ‘not what you would expect’.
Ah ok,
so the problem is that you should NOT enable unix authentication!!!
Global Unix authentication is, first of all, unsafe. We don’t use that anywhere in production like that.
First do:
eos vid disable unix
Every machine which you allow to map from UID/GID to a user in EOS, you should add using:
eos vid add gateway clienthost.clientdomain unix
This uses a different mapping mechanism than enabling UNIX globally and maps to the user on the client machine (by default not allowing root). UNIX globally uses the ID of the process talking to EOS, which in your case probably runs as root, since it is the shared FUSE mount daemon. I probably can also change that behaviour; it would probably be more convenient to just enable UNIX for these cases and have this working also for FUSE.
If you cannot specify your client hosts (because they are dynamic or too many), it is better to use an ‘sss’ key between client and server. I need to add that to the documentation.
Maybe give it a try using the ‘gateway’ configuration and disabling global unix mapping. I will look into having this also as expected when one just enables UNIX globally.
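The check the reply above implies, as an added example that is not from the thread or from the EOS project: a POSIX shell function that reads `eos vid ls` output on stdin (the line format is assumed from the paste in the question), flags any global `unix:"<pwd>"` mapping entry, and prints the remediation commands from the reply. The sample input is constructed from the question's own output.

```shell
# Constructed sample input: the `eos vid ls` output pasted in the question.
SAMPLE_VID_LS='publicaccesslevel: => 1024
sudoer => uids()
tokensudo => always
unix:"<pwd>":gid => root
unix:"<pwd>":uid => root'

# audit_vid_ls: read `eos vid ls` output on stdin, print one line per
# global unix mapping entry, and return 1 if any was found (0 otherwise).
# Assumption: entries have the form 'key => value' as shown in the thread.
audit_vid_ls() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            'unix:"<pwd>":uid => '*|'unix:"<pwd>":gid => '*)
                key=${line%% => *}
                value=${line#* => }
                printf 'global unix mapping enabled: %s -> %s\n' "$key" "$value"
                found=1 ;;
        esac
    done
    if [ "$found" -eq 1 ]; then
        # Remediation from the reply: disable global unix mapping and
        # register each trusted client host as a gateway instead.
        printf 'remediation: eos vid disable unix\n'
        printf 'remediation: eos vid add gateway <clienthost.clientdomain> unix (once per trusted client)\n'
        return 1
    fi
    printf 'ok: no global unix mapping found\n'
    return 0
}

# Stand-alone run against the constructed sample; on a live MGM you would
# pipe the real command instead: eos vid ls | audit_vid_ls
printf '%s\n' "$SAMPLE_VID_LS" | audit_vid_ls || echo 'action required: see remediation lines above'
```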