LinuxQuestions.org
Old 06-16-2021, 09:51 AM   #1
g4njawizard
Member
 
Registered: Feb 2020
Posts: 41

Rep: Reputation: Disabled
Question How to correctly SSHFS mount a www-data directory?


Hello Friends,

I am currently trying to mount a data directory from my Nextcloud Server to my local machine.
With
Code:
sshfs user@ncloud:/mnt/data/user/files nc-share

I can mount the directory, but I get a permission denied when I try to copy files.
I thought that adding
Code:
usermod -aG www-data user

would do the job, but I was wrong. I can't copy files in there without sudo permissions.
Any idea what's wrong?

Current permission of the directory:
Code:
drwxr-xr-x 6 www-data www-data 4.0K Jun 16 15:29 files

And my user's groups:
Code:
uid=1001(user) gid=1001(user) groups=1001(user),27(sudo),33(www-data)

Last edited by g4njawizard; 06-16-2021 at 10:56 AM.
 
Old 06-16-2021, 10:58 AM   #2
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727

Rep: Reputation: 2211
The directory is not group writable, so being a member of the group doesn’t help.

In my experience, files in/under the DocumentRoot should be owned by the user with which you are connecting. I think it is not a good practice for them to be owned by www-data.
 
Old 06-16-2021, 12:39 PM   #3
g4njawizard
Member
 
Registered: Feb 2020
Posts: 41

Original Poster
Rep: Reputation: Disabled
So what would you recommend? Should I make the User and Users group the owner of that directory and add www-data to the users group? I don't know if this works, since this directory is usually for serving files via web interface.
 
Old 06-16-2021, 01:37 PM   #4
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,308
Blog Entries: 3

Rep: Reputation: 3721
The group www-data should not ever have any other member than www-data itself, except in some unusual edge cases. I'd second the recommendation of having the directory owned by the user that is doing the uploading.

If you are sharing write access to the directory among more than one account, then try my blog entry on Sharing Write Access to a Web Directory for Multiple Users.
 
Old 06-17-2021, 01:12 AM   #5
g4njawizard
Member
 
Registered: Feb 2020
Posts: 41

Original Poster
Rep: Reputation: Disabled
I tried it your way but that didn't work.

Code:
groupadd ssh-fs
gpasswd -a www-data ssh-fs
gpasswd -a user ssh-fs
chown -R root:ssh-fs /mnt/data/user/files
sudo find /mnt/data/user/files/ -type d -exec chmod u=rwx,g=rwxs,o=rx "{}" \;
sudo find /mnt/data/user/files/ -type f -exec chmod u=rw,g=rw,o=r "{}" \;
drwxrwsr-x 6 root     ssh-fs   4.0K Jun 16 15:29 files

user@ncloud:~# cp test.txt /mnt/data/user/files
cp: failed to access '/mnt/data/user/files': Permission denied

Of course I logged out and in again to make the changes take effect.
As for setfacl, this isn't installed on my pi, so this won't work.

umask is 22

Last edited by g4njawizard; 06-17-2021 at 01:14 AM.
 
Old 06-17-2021, 02:09 AM   #6
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,308
Blog Entries: 3

Rep: Reputation: 3721
Sorry, I forgot that adding SSHFS complicates things.

If the account mounting the remote directory via SSHFS is a member of the ssh-fs group, then it can assign the mount to that group. You'll need to know the numeric group id for the ssh-fs group and put that where it says 1105 below:

Code:
sshfs -o allow_other,reconnect,gid=1105 \
        user@ncloud:/mnt/data/user/files nc-share

That sets the mounted directory as group 1105 and thereafter the filesystem group settings should work if set as for a shared group.

You might have to add "user_allow_other" to the file /etc/fuse.conf for the allow_other option to work. Mounting by root does not need that change.

PS. Just a reminder, if you've changed group memberships for an account, you have to log out and back in again for the memberships to take effect.
 
Old 06-17-2021, 02:36 AM   #7
g4njawizard
Member
 
Registered: Feb 2020
Posts: 41

Original Poster
Rep: Reputation: Disabled
No problem, mate.

SSHFS shouldn't be the problem at this stage.
As you can see in my previous comment, I tried moving a file from the current system user on the server.
Code:
user@ncloud:~# cp test.txt /mnt/data/user/files
cp: failed to access '/mnt/data/user/files': Permission denied

I also mentioned that I logged out and in for the changes to take effect.

The above directories are owned by www-data. Could this cause the issue?
Code:
drwxr-xr-x   3 root root 4.0K Dec  7  2020 mnt
drwxrwx---  8 www-data www-data 4.0K Dec 10  2020 data
 
Old 06-17-2021, 04:13 AM   #8
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,308
Blog Entries: 3

Rep: Reputation: 3721
The allow_other is needed for others to even have the potential to be able to read the directory at all. Then the group on the client system has to be set up using gid= so that the number is the GID of the shared group. Then, on the server that sshfs is connecting to, do the group settings for a shared group.
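
Post #7 asks whether the ownership of the parent directories could cause the "Permission denied". Reaching a directory requires search (x) permission on every directory above it, so one way to check is to walk the path and test each ancestor against an account's UID and GIDs. This is an added example, not part of the thread: the function names, the sample tree and the 755 mode assumed for the user directory are constructed, and it requires GNU stat and realpath.

```sh
# Added example (not from the thread). Lists every directory on the way to
# TARGET that the given account cannot enter, judged from owner, group and
# mode bits only (ACLs and root's override are not modelled).
# Usage: blocked_dirs TARGET UID "GID GID ..."
blocked_dirs() (
    uid=$2; gids=" $3 "; out=""
    dir=$(realpath -- "$1") || exit 2
    [ -d "$dir" ] || dir=$(dirname -- "$dir")
    while :; do
        set -- $(stat -c '%a %u %g' -- "$dir")   # octal mode, owner uid, group gid
        mode=$((0$1)); owner=$2; group=$3
        # Exactly one permission class applies: owner, else group, else other.
        if [ "$uid" = "$owner" ]; then
            shift_by=6
        else
            case "$gids" in
                *" $group "*) shift_by=3 ;;
                *)            shift_by=0 ;;
            esac
        fi
        # The x bit on a directory is the right to traverse it.
        if [ $(( (mode >> shift_by) & 1 )) -eq 0 ]; then
            out="$dir
$out"
        fi
        [ "$dir" = / ] && break
        dir=$(dirname -- "$dir")
    done
    printf '%s' "$out"      # root-first order, one path per line
)

# Constructed sample tree mirroring the modes posted in the thread:
# data is drwxrwx---, files is drwxrwsr-x; 755 for "user" is an assumption.
# Prints the root of the sample tree.
make_sample_tree() {
    t=$(realpath -- "$(mktemp -d)")
    mkdir -p "$t/mnt/data/user/files"
    chmod 755 "$t" "$t/mnt" "$t/mnt/data/user"
    chmod 770 "$t/mnt/data"
    chmod 2775 "$t/mnt/data/user/files"
    printf '%s\n' "$t"
}
```

On the server, the check for the account in this thread would be: blocked_dirs /mnt/data/user/files "$(id -u user)" "$(id -G user)". An empty result means the mode bits on the path do not prevent traversal for that account.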
 
  

