
readme: document no-new-privileges issue

Fabian Peter Hammerle, 2 years ago
commit c12b5be096

2 changed files with 14 additions and 2 deletions:
  1. README.md (+13 −1)
  2. mount.sh (+1 −1)

+ 13 - 1
README.md

@@ -24,7 +24,7 @@ A random password will be generated and stored in `/secret/password`.
 
 Set the env var `$ENCFS_PASSWORD_LENGTH` to change its length.
 
-## Access encrypted data
+## Access Encrypted Data
 
 Add `-v /somewhere:/encrypted:shared` to mount the encrypted view of `/plain/*` into the host filesystem.
 
@@ -38,3 +38,15 @@ See [examples/rsync-sshd](examples/rsync-sshd/docker-compose.yml)
 
 Grant rsync access to a gpg-encrypted view of the encfs password:
 [examples/rsync-sshd-incl-gpg-enc-pwd](examples/rsync-sshd-incl-gpg-enc-pwd/docker-compose.yml)
+
+## Known Issues
+
+Mount fails with `EPERM / Operation not permitted`
+when enabling `--security-opt=no-new-privileges`.
+
+`fusermount` must run with `uid=0`.
+`no-new-privileges` makes the `setuid` bit ineffective:
+```sh
+$ stat -c '%A %U %G' /bin/fusermount
+-rwsr-xr-x root root
+```
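Review bot: the "Known Issues" text names the cause but not the way out; since `fusermount` must run with `uid=0` and `no-new-privileges` only blocks the setuid transition at execve, it is worth stating in the same section which uid the encfs process runs as inside this container, and that the option can only be kept if that process is already uid 0 (otherwise the user has to drop `--security-opt=no-new-privileges`). Two smaller points in the same hunk: the `stat` line hardcodes `/bin/fusermount`, which is a symlink or absent on some base images, so `stat -c '%A %U %G' "$(command -v fusermount)"` is more portable for readers reproducing the check; and "makes the `setuid` bit ineffective" could say explicitly that the kernel ignores the bit and the helper therefore runs as the unprivileged caller, which is why the mount call returns `EPERM`.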

+ 1 - 1
mount.sh

@@ -10,7 +10,7 @@ if [ ! -f "$ENCFS_PASSWORD_PATH" ]; then
     [ -f "$ENCFS_SOURCE_CONFIG_PATH" ] && (set -x; rm "$ENCFS_SOURCE_CONFIG_PATH")
 fi
 
-# cave: when $ENCFS6_CONFIG is set, encfs excepts the config to already exist
+# cave: when $ENCFS6_CONFIG is set, encfs expects the config to already exist
 # ERROR fatal: config file specified by environment does not exist: /target/config/encfs6.xml [FileUtils.cpp:246]
 # https://github.com/vgough/encfs/issues/497
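Review bot: comment-only typo fix ("excepts" to "expects"), and the corrected wording now matches the quoted encfs error below it. Minor style point on the same line: `cave:` reads as an unfinished word; `caveat:` (or `note:`) would be clearer to readers unfamiliar with the abbreviation.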