FUSE problem: encfs over sshfs

Strunzdesign · Posted: Wed Nov 16, 2005 7:07 pm Post subject: FUSE problem: encfs over sshfs

Hi!

My motivation:
I have access to a fileserver which has a nice raid5 storage array attached to it. The server runs Gentoo linux (of course! *g*) and offers me access via ssh. Additionally, this system is attached to a central backup system (which is generally nice) offered by our computer center with the result that my home directory is copied to a location that is not under my control. So I thought of storing my data using encryption.

Since Linux kernel 2.6.14 I'm able to use FUSE, which is a really great invention! :-)

My idea was to mount a directory residing on the fileserver using "sshfs" (sshfs-fuse) and then to attach "encfs" (another FUSE plugin, which does encryption) to it. The result would be a local directory on my workstation which would be mapped to the fileserver using ssh and encryption. Encfs is really great for this because it does not need "containers" with a given filesize but grows with its content.

What I tried to get it working, step by step:
server: The hostname of the "fileserver"
client: My machine

* On the fileserver, I went to my home directory and created a new directory for storage
florian@server ~ $ mkdir crypt

* I changed the directory to be inaccesible by "normal" users:
chmod og-rwx crypt
florian@server ~ $ ls -al
drwx------ 2 florian mygroup 72 Nov 16 19:19 crypt

* Additional info: florian@server has UID=4405 and GID=110
* On my local machine "client", I created two directories, one for the encrypted data imported by sshfs and one for the decypted data presented by "encfs":
florian@client ~ $ mkdir server-crypt
florian@client ~ $ mkdir server-clear

* Additional Info: florian@client has UID=1000 and GID=100
* Ok, lets mount the stuff (I'm using ssh with public key authentication)
florian@client ~ $ sshfs florian@server:/home/florian/crypt /home/florian/server-crypt/
florian@client ~ $ ls -al
drwxr-xr-x 2 florian users 48 Nov 16 19:18 server-clear
drwx------ 1 4405 110 72 Nov 16 19:19 server-crypt

You can see, FUSE changed the UID and the GID of the sshfs-mountpoint to the values used on the fileserver. I'm not UID=4405 or GID=110 on my local client, but are allowed to enter the directory (It's og-rwx!). I can read and write files, no problems. But they've all UID=4405 and GID=110 because sshfs uses SSH-FTP and what I'm seeing here is the output by something like a "dir" in a ssh-ftp session. Ok, no problems thus far :-)

* Then I tried to attach encfs to it:
florian@client ~ $ encfs /home/florian/server-crypt /home/florian/server-clear
-> Default paranoia mode, simple password, no errors

florian@client ~ $ ls -al
drwx------ 1 4405 110 72 Nov 16 19:48 server-clear
drwx------ 1 4405 110 72 Nov 16 19:48 server-crypt

Now, server-clear/ has UID=4405 and GID=110, which is a big problem: I'm not allowed to enter the directory because encfs took the permissions by its crypt-directory which were copied from the fileserver. The encryption itself is up and running, an ".encfs5" file was created in server-crypt both locally on the client and remotely on the fileserver. But I do not know what I have to do to access server-clear...

florian@client ~ $ cd server-clear/
bash: cd: server-clear/: Permission denied
florian@client ~ $ mount
sshfs#florian@server.x.y.z:/home/florian/crypt on /home/florian/server-crypt type fuse (rw,nosuid,nodev,max_read=65536,user=florian)
encfs on /home/florian/server-clear type fuse (rw,nosuid,nodev,default_permissions,user=florian)

I've no ideas what to try next... I looked to the forum and searched the web, but did not find a solution...

sys-fs/fuse-2.3.0
sys-fs/encfs-1.2.4.1
sys-fs/sshfs-fuse-1.2

The newer versions in "testing" did not work because of a different error. I think that the problem would be "hidden" if I had the same UID and GID both on the server and the client, but it should really work the way I presented because all these are files I should have write access to...

Any ideas? Thanks for your help! :-)

Greetings,
Florian

lousyd · Posted: Fri Nov 25, 2005 10:07 pm Post subject:

Sorry I can't help you, but this is an interesting problem.

I'm trying to set up FUSE right now, which is how I found this post. With 2.6.14, am I still required to emerge fuse? No matter. I look forward to someone answering your post. I would very much like to do what you're trying to do. Maybe once I get FUSE installed and running and start using it, I'll find that I know the solution to your problem.
_________________
Minds are like parachutes... Most people will do their damnedest to avoid having to use one.

drphibes · Guru Joined: 30 Nov 2004 Posts: 432