[Lxc-users] FUSE and capabilities

Daniel Lezcano daniel.lezcano at free.fr
Mon Feb 14 16:03:07 UTC 2011


On 02/14/2011 04:41 PM, Milan Zamazal wrote:
> I tried to use FUSE/EncFS in a container on a Debian 6.0 machine and
> I've found I have to enable CAP_SYS_ADMIN in order to make it work.
> Without it, a permission error is reported on encfs invocation (and yes,
> I've got /dev/fuse enabled in lxc.cgroup.devices.allow, it wouldn't work
> without it even with CAP_SYS_ADMIN set).
>
> Do I have to enable CAP_SYS_ADMIN to allow any mount in a container or
> is there a way to allow user mounts (such as FUSE or USB flash mounts)
> without giving such a wide permission to the container?

I don't think so. The 'mount' syscall checks CAP_SYS_ADMIN in all
cases, host or container.
AFAIR, the user-mountable points are handled by the mount command wrt
the fstab file and the 'user/users' keyword.
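
An added example, not part of the original message: a small POSIX shell check that reports which of the two prerequisites discussed in this thread (CAP_SYS_ADMIN for mount(2), and an openable /dev/fuse) is missing for a process. The function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example: why does a FUSE mount fail in this container?
CAP_SYS_ADMIN=21   # bit number of CAP_SYS_ADMIN in <linux/capability.h>

# has_cap STATUS_FILE FIELD BIT: true if BIT is set in the hex mask FIELD
# (CapEff, CapBnd, ...) of a /proc/<pid>/status style file.
has_cap() {
    mask=$(awk -v f="$2:" '$1 == f { print $2 }' "$1" 2>/dev/null)
    [ -n "$mask" ] && [ $(( (0x$mask >> $3) & 1 )) -eq 1 ]
}

# fuse_verdict STATUS_FILE DEVNODE: print the first missing prerequisite.
fuse_verdict() {
    if ! has_cap "$1" CapBnd "$CAP_SYS_ADMIN"; then
        # Not in the bounding set: no process in here can regain it.
        echo "blocked: CAP_SYS_ADMIN not in bounding set"
    elif ! has_cap "$1" CapEff "$CAP_SYS_ADMIN"; then
        # Available in principle, but this process does not hold it.
        echo "blocked: CAP_SYS_ADMIN not effective"
    elif ! { [ -c "$2" ] && ( : <>"$2" ) 2>/dev/null; }; then
        # The open is attempted in a subshell; it fails when the node is
        # missing or the devices cgroup denies access.
        echo "blocked: cannot open $2"
    else
        echo "ok"
    fi
}

# Constructed sample: status of a root process in a container whose
# configuration dropped CAP_SYS_ADMIN (bit 21 cleared in both masks).
sample_dropped() {
    printf 'Name:\tsh\nCapEff:\t000001ffffdfffff\nCapBnd:\t000001ffffdfffff\n'
}

# Check the current shell against the real device node.
fuse_verdict "/proc/$$/status" /dev/fuse
```

Run it inside the container as the user that will invoke encfs; the first "blocked" line names the prerequisite to look at.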



