libfuse/doc/mount.fuse3.8
gandalfs_cat 54b8cd6757 high-level: add fmask and dmask options
dmask: umask applied to directories
fmask: umask applied to non-directories

to get "typical" permission bits for regular files (0644) and directories (0755), a single
umask option is not sufficient (or well, it isn't the way fuse implements it)

there is precident for separate umask and dmask options in other
filesystems (see for example fat: https://github.com/torvalds/linux/tree/master/fs/fat)

this addition should not affect backward-compatibility; the original
umask option retains the same meaning, but non-zero fmask or
dmask will override it.
2024-07-03 12:50:06 +02:00

274 lines
13 KiB
Groff

.TH fuse "8"
.SH NAME
fuse \- configuration and mount options for FUSE file systems
.SH DESCRIPTION
FUSE (Filesystem in Userspace) is a simple interface for userspace programs to export a virtual filesystem to the Linux kernel. FUSE also aims to provide a secure method for non privileged users to create and mount their own filesystem implementations.
.SH DEFINITIONS
.TP
\fBFUSE\fP
The in-kernel filesystem that forwards requests to a user-space
process.
.TP
\fBfilesystem\fP
The user-space process that responds to requests received from the
kernel.
.TP
\fBlibfuse\fP
The shared library that most (user-space) filesystems use to
communicate with FUSE (the kernel filesystem). libfuse also provides
the \fBfusermount3\fP (or \fBfusermount\fP if you have older version of
libfuse) helper to allow non-privileged users to mount filesystems.
.TP
\fBfilesystem owner\fP
The user that starts the filesystem and instructs the kernel to
associate it with a particular mountpoint. The latter is typically done
by the filesystem itself on start-up. When using libfuse, this is done
by calling the \fBfusermount3\fP utility.
.TP
\fBclient\fP
Any process that interacts with the mountpoint.
.SH CONFIGURATION
Some options regarding mount policy can be set in the file \fI/etc/fuse.conf\fP. Currently these options are:
.TP
\fBmount_max = NNN\fP
Set the maximum number of FUSE mounts allowed to non-root users. The default is 1000.
.TP
\fBuser_allow_other\fP
Allow non-root users to specify the \fBallow_other\fP or
\fBallow_root\fP mount options (see below).
.TP
These limits are enforced by the \fBfusermount3\fP helper, so they can be avoided by filesystems that run as root.
.SH OPTIONS
Most of the generic mount options described in \fBmount\fP are
supported (\fBro\fP, \fBrw\fP, \fBsuid\fP, \fBnosuid\fP, \fBdev\fP,
\fBnodev\fP, \fBexec\fP, \fBnoexec\fP, \fBatime\fP, \fBnoatime\fP,
\fBsync\fP, \fBasync\fP, \fBdirsync\fP). Filesystems are mounted with
\fBnodev,nosuid\fP by default, which can only be overridden by a
privileged user.
.SS "General mount options:"
These are FUSE specific mount options that can be specified for all filesystems:
.TP
\fBdefault_permissions\fP
This option instructs the kernel to perform its own permission check
instead of deferring all permission checking to the
filesystem. The check by the kernel is done in addition to any
permission checks by the filesystem, and both have to succeed for an
operation to be allowed. The kernel performs a standard UNIX permission
check (based on mode bits and ownership of the directory entry, and
uid/gid of the client).
This mount option is activated implicitly if the filesystem enables
ACL support during the initial feature negotiation when opening the
device fd. In this case, the kernel performs both ACL and standard
unix permission checking.
Filesystems that do not implement any permission checking should
generally add this option internally.
.TP
\fBallow_other\fP
This option overrides the security measure
restricting file access to the filesystem owner, so that all users
(including root) can access the files.
.TP
\fBrootmode=M\fP
Specifies the file mode of the filesystem's root (in octal
representation).
.TP
\fBblkdev\fP
Mount a filesystem backed by a block device. This is a privileged
option. The device must be specified with the \fBfsname=NAME\fP
option.
.TP
\fBblksize=N\fP
Set the block size for the filesystem. This option is only valid
for 'fuseblk' type mounts. The default is 512.
In most cases, this option should not be specified by
the filesystem owner but set internally by the filesystem.
.TP
\fBmax_read=N\fP
With this option the maximum size of read operations can be set. The
default is infinite, but typically the kernel enforces its own limit
in addition to this one. A value of zero corresponds to no limit.
This option should not be specified by the filesystem owner. The
correct (or optimum) value depends on the filesystem implementation
and should thus be set by the filesystem internally.
This mount option is deprecated in favor of direct negotiation over
the device fd (as done for e.g. the maximum size of write
operations). For the time being, libfuse-using filesystems that want
to limit the read size must therefore use this mount option \fIand\fP
set the same value again in the init() handler.
.TP
\fBfd=N\fP
The file descriptor to use for communication between the userspace
filesystem and the kernel. The file descriptor must have been
obtained by opening the FUSE device (/dev/fuse).
This option should not be specified by the filesystem owner. It is set
by libfuse (or, if libfuse is not used, must be set by the filesystem
itself).
.TP
\fBuser_id=N\fP
\fBgroup_id=N\fP
Specifies the numeric uid/gid of the mount owner.
This option should not be specified by the filesystem owner. It is set
by libfuse (or, if libfuse is not used, must be set by the filesystem
itself).
.TP
\fBfsname=NAME\fP
Sets the filesystem source (first field in \fI/etc/mtab\fP). The
default is the name of the filesystem process.
.TP
\fBsubtype=TYPE\fP
Sets the filesystem type (third field in \fI/etc/mtab\fP). The default
is the name of the filesystem process. If the kernel supports it, \fI/etc/mtab\fP and \fI/proc/mounts\fP will show the filesystem type as \fBfuse.TYPE\fP
If the kernel doesn't support subtypes, the source field will be
\fBTYPE#NAME\fP, or if \fBfsname\fP option is not specified, just
\fBTYPE\fP.
.SS "libfuse-specific mount options:"
These following options are not actually passed to the kernel but
interpreted by libfuse. They can be specified for all filesystems
that use libfuse:
.TP
\fBallow_root\fP
This option is similar to \fBallow_other\fP but file access is limited
to the filesystem owner and root. This option and \fBallow_other\fP are mutually exclusive.
.TP
\fBauto_unmount\fP
This option enables automatic release of the mountpoint if filesystem
terminates for any reason. Normally the filesystem is
responsible for releasing the mountpoint, which means that the
mountpoint becomes inaccessible if the filesystem terminates
without first unmounting.
This option is dangerous and should only be used after careful consideration of the
risks.
Automatically unmounting the filesystem means that if the filesystem crashes the
mountpoint may suddenly appear empty, which may have unintended consequences. For example,
a running backup and mirroring program may conclude that all the data in the filesystem
has been deleted and proceed to propagate this deletion to the backup / remote system. If
the mountpoint instead becomes inaccessible (the default), most programs will behave
correctly (report an error).
This feature may also accidentally unmount the wrong filesystem due to race
conditions. For example, if another filesystem was mounted underneath the same mountpoint,
or if a new filesystem is mounted after the FUSE process has crashed, it may accidentally
get unmounted.
At the moment, this option implies that the filesystem will also be
mounted with \fBnodev\fP and \fBnosuid\fP (even when mounted by
root). This restriction may be lifted in the future.
.SS "High-level mount options:"
These following options are not actually passed to the kernel but
interpreted by libfuse. They can only be specified for filesystems
that use the high-level libfuse API:
.TP
\fBkernel_cache\fP
This option disables flushing the cache of the file contents on every \fBopen\fP(2). This should only be enabled on filesystems, where the file data is never changed externally (not through the mounted FUSE filesystem). Thus it is not suitable for network filesystems and other "intermediate" filesystems.
\fBNOTE\fP: if this option is not specified (and neither \fBdirect_io\fP) data is still cached after the \fBopen\fP(2), so a \fBread\fP(2) system call will not always initiate a read operation.
.TP
\fBauto_cache\fP
This option is an alternative to
\fBkernel_cache\fP. Instead of unconditionally keeping cached data, the
cached data is invalidated on \fBopen\fP(2) if the modification
time or the size of the file has changed since it was last opened.
.TP
\fBumask=M fmask=M dmask=M\fP
Override the permission bits set by the filesystem in \fIst_mode\fP. The resulting permission bits are the ones missing from the mask value, which is given in octal representation. \fBfmask\fP and \fBdmask\fP (respectively) may be used to control the permission bits of files and directories separately. umask is overridden by the individual fmask and dmask options.
.TP
\fBuid=N\fP
Override the \fIst_uid\fP field set by the filesystem (N is numeric).
.TP
\fBgid=N\fP
Override the \fIst_gid\fP field set by the filesystem (N is numeric).
.TP
\fBentry_timeout=T\fP
The timeout in seconds for which name lookups will be cached. The default is 1.0 second. For all the timeout options, it is possible to give fractions of a second as well (e.g. \fBentry_timeout=2.8\fP)
.TP
\fBnegative_timeout=T\fP
The timeout in seconds for which a negative lookup will be cached. This means, that if file did not exist (lookup returned \fBENOENT\fP), the lookup will only be redone after the timeout, and the file/directory will be assumed to not exist until then. The default is 0.0 second, meaning that caching negative lookups are disabled.
.TP
\fBattr_timeout=T\fP
The timeout in seconds for which file/directory attributes are cached. The default is 1.0 second.
.TP
\fBac_attr_timeout=T\fP
The timeout in seconds for which file attributes are cached for the purpose of checking if \fBauto_cache\fP should flush the file data on open. The default is the value of \fBattr_timeout\fP
.TP
\fBnoforget\fP
.TP
\fBremember=T\fP
Normally, libfuse assigns inodes to paths only for as long as the kernel
is aware of them. With this option inodes are instead assigned
for at least \fBT\fP seconds (or, in the case of \fBnoforget\fP,
the life-time of the filesystem). This will require more
memory, but may be necessary when using applications that make use of
inode numbers.
.TP
\fBmodules=M1[:M2...]\fP
Add modules to the filesystem stack. Modules are pushed in the order they are specified, with the original filesystem being on the bottom of the stack.
.SS "\fBmount.fuse3\fP options:"
These options are interpreted by \fBmount.fuse3\fP and are thus only available when mounting a file system via \fBmount.fuse3\fP (such as when mounting via the generic \fBmount\fP(1) command or \fI/etc/fstab\fP). Supported options are:
.TP
\fBsetuid=USER\fP
Switch to \fBUSER\fP and its primary group before launching the FUSE file system process. mount.fuse3 must be run as root or with \fBCAP_SETUID\fP and \fBCAP_SETGID\fP for this to work.
.TP
\fBdrop_privileges\fP
Perform setup of the FUSE file descriptor and mounting the file system before launching the FUSE file system process. \fBmount.fuse3\fP requires privilege to do so, i.e. must be run as root or at least with \fBCAP_SYS_ADMIN\fP and \fBCAP_SETPCAP\fP. It will launch the file system process fully unprivileged, i.e. without \fBcapabilities\fP(7) and \fBprctl\fP(2) flags set up such that privileges can't be reacquired (e.g. via setuid or fscaps binaries). This reduces risk in the event of the FUSE file system process getting compromised by malicious file system data.
.SH FUSE MODULES (STACKING)
Modules are filesystem stacking support to high level API. Filesystem modules can be built into libfuse or loaded from shared object
.SS "iconv"
Perform file name character set conversion. Options are:
.TP
\fBfrom_code=CHARSET\fP
Character set to convert from (see \fBiconv -l\fP for a list of possible values). Default is \fBUTF-8\fP.
.TP
\fBto_code=CHARSET\fP
Character set to convert to. Default is determined by the current locale.
.SS "subdir"
Prepend a given directory to each path. Options are:
.TP
\fBsubdir=DIR\fP
Directory to prepend to all paths. This option is \fImandatory\fP.
.TP
\fBrellinks\fP
Transform absolute symlinks into relative
.TP
\fBnorellinks\fP
Do not transform absolute symlinks into relative. This is the default.
.SH SECURITY
The fusermount3 program is installed set-user-gid to fuse. This is done to allow users from fuse group to mount
their own filesystem implementations.
There must however be some limitations, in order to prevent Bad User from
doing nasty things. Currently those limitations are:
.IP 1.
The user can only mount on a mountpoint, for which it has write permission
.IP 2.
The mountpoint is not a sticky directory which isn't owned by the user (like \fI/tmp\fP usually is)
.IP 3.
No other user (including root) can access the contents of the mounted filesystem.
.SH NOTE
FUSE filesystems are unmounted using the \fBfusermount3\fP(1) command (\fBfusermount3 -u mountpoint\fP).
.SH "AUTHORS"
.LP
FUSE is currently maintained by Nikolaus Rath <Nikolaus@rath.org>
.LP
The original author of FUSE is Miklos Szeredi <mszeredi@inf.bme.hu>.
.LP
This man page was originally written by Bastien Roucaries <roucaries.bastien+debian@gmail.com> for the
Debian GNU/Linux distribution.
.SH SEE ALSO
.BR fusermount3 (1)
.BR fusermount (1)
.BR mount (8)
.BR fuse (4)