Getting a bit annoyed with permission issues with samba and sshfs. If someone could give me some input on how to find an other more elegant and secure way to share a folder path owned by root, I would really appreciate it !
Context
The following folder path is owned by root (docker volume):
While the above solution works, It overcomplicates my setup and adds an unecessary mount point to my laptop and fstab.
Isn't there a more elegant solution to work directly with the user server (which has root access) to mount the folder with sshfs directly even if the folder path is owned by root?
I mean the user has root access so something like:
sshfs [email protected]:/home/server/folder /home/user/folder -o allow_other should work even if the first part of the path is owned by root.
Changing owner/permission of the path recursively is out of question !
The easiest setup I tried so far is to simply put your docker container's volume on an external path, e.g. /mnt/hdd1/some-directory, instead of putting it in the standard docker location (/var/lib/docker/volume). You'll have full control over ACL on those custom paths.
So the workaround is running the SFTP process as root?
Why not run the SFTP server as a docker container as well (e.g. with https://hub.docker.com/r/atmoz/sftp/ )? You can mount the same volume in the SFTP container, and have it listen on some random port. Just make sure to configure the SFTP container to use the same uid:gid as the one used in the syncthing container to avoid file permission issues.
Please check the correct path to sudo and sftp-server.
However, you need to login via ssh and start a sudo session once before running the command. If someone has a solution to work around this, please feel welcome.
Thanks for your input, you pointed the right direction ! After some more reading, this is what I found.
Adding the following line in sudoers file after @includedir /etc/sudoers.d:
server ALL = NOPASSWD: /usr/lib/openssh/sftp-server
Works without the need of a sudo session for the sftp-server. I have no idea if this is good security practice but If i had to guess I would say no. Having the NOPASSWD argument for something critical as an ftp server seems... Not a good idea ! But I'm not an expert, so I'm just guessing :/.
If I may, how would you tackle such an use case ? My first solution seems way more secure with the right permissions on the bind mount, what do you think ?
As far as I understand, the user server is not the user running your web server e.g. www-data, right? Otherwise I would advise against giving him elevated privileges such as sudo rights.
If the authentication of the user server has sufficiently high level, e.g. a strong password, SSH key authentication, I don't see a high risk in using the NOPASSWD method. But, as I am no expert, please take this with a grain of salt.