New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SSHFS always follows symbolic links (even for eg. lchown) #105
Comments
Most probably the SFTP server calls chown(2) to set the ownership, which attempts to set ownership of the target of the symlink (contratry to lchown(2)). The SFTP command SETSTAT (https://tools.ietf.org/html/draft-ietf-secsh-filexfer-13#section-8.6) does not provide a way to explicitely request a "lchown". |
I agree with g-raud. I'm not sure if there's a way to improve the behavior. At first I thought that maybe we should just not translate lchown to chown - but this translation actually happens in the kernel. sshfs just gets an inode, and can't tell if the original call was chown or lchown. |
See also issue #250 for the related problem when setting other inode attributes. |
Copying my comment from issue #250 There is an OpenSSH extension (and almost everybody uses OpenSSH so that is enough) to support this.
|
I was just about to file a new issue titled
when I discovered this existing issue. Posting what I wanted to post there here for googleability: I found that sshfs silently ignores Repro: # Create sshfs mount with a symlink pointing to a file
mkdir -p sshfs-dir
touch sshfs-dir/myfile
ln -s myfile sshfs-dir/link-to-myfile
mkdir -p sshfs-mount
sshfs localhost:sshfs-dir sshfs-mount
chown --no-dereference $(whoami):wheel sshfs-mount/link-to-myfile
ls -l sshfs-dir
# Now `myfile` is owned by group `wheel` -- it followed the symlink despite `--no-dereference`! Another repro that shows that mkdir -p sshfs-dir
mkdir -p sshfs-mount
sshfs localhost:sshfs-dir sshfs-mount
ln -s nowhere sshfs-mount/symlink-pointing-nowhere
chown --no-dereference $USER sshfs-dir/symlink-pointing-nowhere # works as expected
chown --no-dereference $USER sshfs-mount/symlink-pointing-nowhere
# The last command fails incorrectly with:
# chown: changing ownership of 'sshfs-mount/symlink-pointing-nowhere': No such file or directory
# `strace -fye newfstatat,fchownat` on the last command shows that it's not `chown`'s fault,
# it simply reports what the kernel and `sshfs` return:
#
# newfstatat(AT_FDCWD</home/niklas>, "sshfs-mount/symlink-pointing-nowhere", {st_mode=S_IFLNK|0777, st_size=7, ...}, AT_SYMLINK_) = 0
# fchownat(AT_FDCWD</home/niklas>, "sshfs-mount/symlink-pointing-nowhere", 1000, -1, AT_SYMLINK_) = -1 ENOENT (No such file or directory)
#
# The `newfstatat()` proves that the symlink exists, so returning `ENOENT` is wrong.
# That `fchownat` result should be the same as when run against `sshfs-dir`:
#
# fchownat(AT_FDCWD</home/niklas>, "sshfs-dir/symlink-pointing-nowhere", 1000, -1, AT_SYMLINK_) = 0 |
Wouldn't it be safer from a security perspective that sshfs should fail loudly when |
Absolutely, yes. I don't see how it could be implemented though. As far as I know, things like |
Maybe it would make sense to create an upstream kernel bug / feature request, so this can be tracked? |
https://pastebin.com/fH356wkk
when symlink is copied over SSHFS it results in error "Permission denied" (if file exists on host and sshfs user doesn't have permission to it) or "No such file or directory" (if it doesn't) while performing the same operation on local filesystem results with success. It breaks scripts basing on return codes.
Simple example with
/etc/shadow
:The text was updated successfully, but these errors were encountered: