** Description changed:

- My sshfs mounts from /etc/fstab stopped working after upgrading to
- Plucky. This is the line from my fstab:
+ [ Impact ]
+
+ sshfs mounts specified in /etc/fstab would fail to mount when a mount of
+ all filesystems specified in the fstab was attempted with mount -a. This
+ was due to a missing noexec mount flag specification in the mount rules.
+
+ [ Test Plan ]
+
+ * The setup instructions assume no access to an existing SSH client-server pair.
+ - Spin up two Ubuntu Plucky VMs, one of which will be referred to as sshfs-client and the other of which will be referred to as sshfs-server
+ - Install openssh-server on the server and sshfs on the client
+ - Ensure that the two machines are able to ping each other using a [machine hostname].local address
+ - Generate an SSH key on the client and copy it into the ~/.ssh/authorized_keys directory on the server
+ - Ensure that the client can SSH into the server without a password prompt (using the key)
+ - Uncomment the "user_allow_other" line in sshfs-client's /etc/fuse.conf
+ - Create a mountpoint directory somewhere inside sshfs-client's home directory
+ - Verify that a manual sshfs mount using `sshfs -o _netdev,user,idmap=user,transform_symlinks,allow_other,default_permissions,uid=1000,gid=1000 username@sshfs-server:/path/to/directory /home/username/mountpoint` works, and then unmount the newly created mount
+ - Add the entry `username@sshfs-server:/path/to/directory /home/username/mountpoint fuse.sshfs _netdev,user,idmap=user,transform_symlinks,allow_other,default_permissions,uid=1000,gid=1000 0 0` to sshfs-client's /etc/fstab
+ - Attempt to mount the new fstab mount entry with `mount -a`
+ - Without the fix: the mount will fail with a permission denied error and generate an AppArmor log with "failed flags match"
+ - With the fix: the mount should succeed
+
+
+ [ Where problems could occur ]
+
+ Adding the mount flag to the mount rules loosens confinement on a
+ profile. However, if a user manually modified the installed profiles,
+ then the package upgrade would cause conflicts, and rejection of the
+ incoming changes (either by hand during an interactive upgrade or
+ automatically during an batch unattended upgrade) would result in end
+ users not getting the packaged fix.
+
+ [ Other Info ]
+
+ --------Original bug report:
+ My sshfs mounts from /etc/fstab stopped working after upgrading to Plucky. This is the line from my fstab:

```
[email protected]:/datastore/media /media/Media fuse.sshfs _netdev,user,idmap=user,transform_symlinks,port=22,allow_other,default_permissions,uid=1000,gid=1000 0 0
```

And I uncommented `user_allow_other` in `/etc/fuse.conf`.

Usually I'm able to mount this with `mount -a`, or by simply clicking the mount in Gnome Files (Nautilus). But now I get:

```
mount -a
fusermount3: mount failed: Permission denied
```

If I add `sudo` to the mount command, I get:

```
sudo mount -a
read: Connection reset by peer
```

But strangely, the mount works just fine if I mount using `sshfs`:

```
sshfs -o _netdev,user,idmap=user,transform_symlinks,port=22,allow_other,default_permissions,uid=1000,gid=1000 [email protected]:/datastore/media /media/Media
```

I suspect it has something to do with apparmor, because the following log appears when I attempt a mount via Nautilus:

```
sudo journalctl -xe | grep DENIED
mei 27 13:58:51 saibot kernel: audit: type=1400 audit(1748347131.297:5484): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="fusermount3" name="/media/Media/" pid=69641 comm="fusermount3" fstype="fuse" srcname="[email protected]:/datastore/media" flags="rw, nosuid, nodev, noexec"
```
--
https://bugs.launchpad.net/bugs/2111807

Title:
  Plucky broke fstab sshfs mounts, which depend on fusermount
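A triage helper for the denial quoted in the report above, as an added example that is not part of the bug report or of the AppArmor package: it parses an AppArmor audit record, keeps only mount denials whose info field is "failed flags match", and lists the requested flags that an allow-list does not cover. The `ASSUMED_ALLOWED` set, the function names and the placeholder `srcname` are assumptions made for illustration; the set is not copied from the shipped fusermount3 profile.

```python
import re

# Sample record modelled on the denial quoted in the report; srcname is a placeholder.
SAMPLE = (
    'mei 27 13:58:51 saibot kernel: audit: type=1400 audit(1748347131.297:5484): '
    'apparmor="DENIED" operation="mount" class="mount" info="failed flags match" '
    'error=-13 profile="fusermount3" name="/media/Media/" pid=69641 '
    'comm="fusermount3" fstype="fuse" srcname="user@sshfs-server:/datastore/media" '
    'flags="rw, nosuid, nodev, noexec"'
)

# Assumption for illustration only: the flags a mount rule accepted before the fix.
ASSUMED_ALLOWED = {"rw", "nosuid", "nodev"}

# key=value pairs, where the value is either a quoted string or a bare token.
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_audit(line):
    """Return the key=value fields of an AppArmor audit record, or None."""
    _, sep, body = line.partition("apparmor=")
    if not sep:
        return None
    fields = {}
    for key, val in KV.findall("apparmor=" + body):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return fields

def mount_flag_denial(line, allowed=ASSUMED_ALLOWED):
    """Summarise a 'failed flags match' mount denial; None for any other line."""
    rec = parse_audit(line)
    if not rec or rec.get("apparmor") != "DENIED":
        return None
    if rec.get("operation") != "mount" or rec.get("info") != "failed flags match":
        return None
    flags = {f.strip() for f in rec.get("flags", "").split(",") if f.strip()}
    return {
        "profile": rec.get("profile"),
        "mountpoint": rec.get("name"),
        "fstype": rec.get("fstype"),
        "flags": sorted(flags),
        "uncovered": sorted(flags - set(allowed)),  # flags no assumed rule accepts
    }

if __name__ == "__main__":
    print(mount_flag_denial(SAMPLE))
```

Feeding it the output of `journalctl -k` line by line groups denials by profile and uncovered flag, which shows whether a profile change or a local fstab option is the cause.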
