Bind mounts from mergerfs filesystems require

[henryptung]

Describe the bug

When a bind mount is made from a directory, access control to the mount location is controlled by the permissions/ACLs set on the source directory/inode, and does not depend on access to parents of the source directory. However, mergerfs seems to require access to ancestors for unprivileged users to see/access the bind mount.

To Reproduce

Starting using root user, on Arch Linux system x86_64 with current upgrades.

Preparation

$ (dd if=/dev/zero of=testbed.img bs=16M count=1; mkfs.ext4 testbed.img) >/dev/null 2>&1
$ mkdir testbed && mount testbed.img testbed
$ cd testbed
$ (dd if=/dev/zero of=disk.ext4 bs=4M count=1; mkfs.ext4 disk.ext4) >/dev/null 2>&1
$ mkdir -p mnt/{ext4,mergerfs,target} && mount disk.ext4 mnt/ext4
$ mkdir -p mnt/ext4/root-only/src
$ chmod 700 mnt/ext4/root-only
$ chmod 777 mnt/ext4/root-only/src
$ mount -t mergerfs -o allow_other,use_ino,cache.files=partial,dropcacheonclose=true,category.create=mfs mnt/ext4 mnt/mergerfs

State check with root user after prep

$ ls -liR mnt
mnt:
total 3
                  2 drwxr-xr-x 4 root root 1024 Jun 18 17:07 ext4
5424983562661234939 drwxr-xr-x 4 root root 1024 Jun 18 17:07 mergerfs
               2052 drwxr-xr-x 2 root root 1024 Jun 18 17:07 target

mnt/ext4:
total 13
11 drwx------ 2 root root 12288 Jun 18 17:07 lost+found
12 drwx------ 3 root root  1024 Jun 18 17:07 root-only

mnt/ext4/lost+found:
total 0

mnt/ext4/root-only:
total 1
13 drwxrwxrwx 2 root root 1024 Jun 18 17:07 src

mnt/ext4/root-only/src:
total 0

mnt/mergerfs:
total 13
10308613573065218086 drwx------ 2 root root 12288 Jun 18 17:07 lost+found
 9502623902895214744 drwx------ 3 root root  1024 Jun 18 17:07 root-only

mnt/mergerfs/lost+found:
total 0

mnt/mergerfs/root-only:
total 1
9471441698076499429 drwxrwxrwx 2 root root 1024 Jun 18 17:07 src

mnt/mergerfs/root-only/src:
total 0

mnt/target:
total 0

State check with unprivileged user after prep

$ sudo -u nobody ls -liR mnt
mnt:
total 3
                  2 drwxr-xr-x 4 root root 1024 Jun 18 17:07 ext4
5424983562661234939 drwxr-xr-x 4 root root 1024 Jun 18 17:07 mergerfs
               2052 drwxr-xr-x 2 root root 1024 Jun 18 17:07 target

mnt/ext4:
total 13
11 drwx------ 2 root root 12288 Jun 18 17:07 lost+found
12 drwx------ 3 root root  1024 Jun 18 17:07 root-only
ls: cannot open directory 'mnt/ext4/lost+found': Permission denied
ls: cannot open directory 'mnt/ext4/root-only': Permission denied

mnt/mergerfs:
total 13
10308613573065218086 drwx------ 2 root root 12288 Jun 18 17:07 lost+found
 9502623902895214744 drwx------ 3 root root  1024 Jun 18 17:07 root-only
ls: cannot open directory 'mnt/mergerfs/lost+found': Permission denied
ls: cannot open directory 'mnt/mergerfs/root-only': Permission denied

mnt/target:
total 0

Bind mount from ext4

$ mount --bind mnt/ext4/root-only/src mnt/target

State check with root user

$ ls -li mnt mnt/target
mnt:
total 3
                  2 drwxr-xr-x 4 root root 1024 Jun 18 17:07 ext4
5424983562661234939 drwxr-xr-x 4 root root 1024 Jun 18 17:07 mergerfs
                 13 drwxrwxrwx 2 root root 1024 Jun 18 17:07 target

mnt/target:
total 0

State check with unprivileged user

$ sudo -u nobody ls -li mnt mnt/target
mnt:
total 3
                  2 drwxr-xr-x 4 root root 1024 Jun 18 17:07 ext4
5424983562661234939 drwxr-xr-x 4 root root 1024 Jun 18 17:07 mergerfs
                 13 drwxrwxrwx 2 root root 1024 Jun 18 17:07 target

mnt/target:
total 0

Bind mount from mergerfs

$ umount mnt/target
$ mount --bind mnt/mergerfs/root-only/src mnt/target

State check with root user

$ ls -li mnt mnt/target
mnt:
total 3
                  2 drwxr-xr-x 4 root root 1024 Jun 18 17:07 ext4
5424983562661234939 drwxr-xr-x 4 root root 1024 Jun 18 17:07 mergerfs
9471441698076499429 drwxrwxrwx 2 root root 1024 Jun 18 17:07 target

mnt/target:
total 0

State check with unprivileged user

$ sudo -u nobody ls -li mnt mnt/target
ls: mnt/target: No such file or directory
mnt:
ls: mnt/target: No such file or directory
total 3
                  2 drwxr-xr-x 4 root root 1024 Jun 18 17:07 ext4
5424983562661234939 drwxr-xr-x 4 root root 1024 Jun 18 17:07 mergerfs
9471441698076499429 drwxrwxrwx 2 root root 1024 Jun 18 17:07 target
ls: cannot open directory 'mnt/target': No such file or directory

Granting access to unprivileged user

$ chown nobody:nobody mnt/ext4/root-only

State check with root user

$ ls -li mnt mnt/target
mnt:
total 3
                  2 drwxr-xr-x 4 root root 1024 Jun 18 17:07 ext4
5424983562661234939 drwxr-xr-x 4 root root 1024 Jun 18 17:07 mergerfs
9471441698076499429 drwxrwxrwx 2 root root 1024 Jun 18 17:07 target

mnt/target:
total 0

State check with unprivileged user

$ sudo -u nobody ls -li mnt mnt/target
mnt:
total 3
                  2 drwxr-xr-x 4 root root 1024 Jun 18 17:07 ext4
5424983562661234939 drwxr-xr-x 4 root root 1024 Jun 18 17:07 mergerfs
9471441698076499429 drwxrwxrwx 2 root root 1024 Jun 18 17:07 target

mnt/target:
total 0

Expected behavior

Unprivileged users should have access to the bind mount, just like they do when the bind mount is done from a non-mergerfs filesystem, regardless of the ACLs on ancestors of the source directory.

System information:

$ uname -a
Linux HPT-Server 5.18.3-arch1-1 #1 SMP PREEMPT_DYNAMIC Thu, 09 Jun 2022 16:14:10 +0000 x86_64 GNU/Linux
$ mergerfs --version
mergerfs version: 2.33.5

See above for mergerfs settings. Test was done entirely using disk images; no physical disks.

ls.strace.txt - run using strace -u nobody ... ls -li mnt mnt/target.

mergerfs.strace.txt

Note that the straces are from a different run, paused at the Bind mount from mergerfs. Unclear why the directory shows as ????????? this time, but that tends to happen as well.

[trapexit]

Generally speaking mergerfs doesn't control anything regarding permissions. The kernel does. mergerfs returns back the permissions and user:group and the kernel does the rest.

I'll have to dig deeper into it to see. Could be some quirk with the kernel.