Package: mergerfs Version: 2.31.0-1 Severity: important X-Debbugs-Cc: spa...@riseup.net
Mergerfs does not work properly when used as a non-root user: $ mkdir a b c $ mergerfs $(realpath a):$(realpath b) c fusermount: mount failed: Operation not permitted After some debugging with strace, it appears that: 1) mergerfs ships it's own private version of fusermount as /usr/bin/mergerfs-fusermount 2) The version of fusermount shipped with the fuse3 package is setuid-root. 3) ...And /usr/bin/mergerfs-fusermount is not. Making /usr/bin/mergerfs-fusermount setuid-root manually makes the problem vanish. So I'm going to bet that the intention is for /usr/bin/mergerfs-fusermount to be installed as setuid-root but that doesn't happen for whatever reason. Since one of the primary benefits of FUSE filesystems is to be able to mount them as a standard user, I think it may be worth fixing this by either: 1) Patching mergerfs to use the system-provided fusermount binary. (Although, there may issues surrounding this approach as mergerfs seems to be using an embedded copy of libfuse as well.) 2) Making /usr/bin/mergerfs-fusermount setuid-root by default. (Though I don't know if there's any extra security red tape surrounding shipping setuid-root binaries in Debian.) Just thought I report the above in the hope that this won't affect future releases. And I'd be interested to know more about the feasibility of both solutions. Thanks, --Grond -- System Information: Debian Release: 11.6 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: armhf, i386 Kernel: Linux 5.10.0-21-amd64 (SMP w/4 CPU threads) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages mergerfs depends on: ii fuse3 [fuse] 3.10.3-2 ii libc6 2.31-13+deb11u5 ii libfuse2 2.9.9-5 ii libgcc-s1 10.2.1-6 ii libstdc++6 10.2.1-6 mergerfs recommends no packages. mergerfs suggests no packages. -- no debconf information