# FUSE: /dev/fuse permissions and subsystem sftp failed

## meowsqueak

I am using a FUSE-enabled kernel:

```
# zcat /proc/config.gz | grep -i fuse
CONFIG_FUSE_FS=y
# uname -a
Linux pc123 2.6.15.1 #1 PREEMPT Thu Jan 19 16:06:46 NZDT 2006 i686 AMD Athlon(tm) XP 3200+ AuthenticAMD GNU/Linux
```

I emerged 'sshfs' today successfully, however this is what happens when I try to connect to a remote server (that knows nothing at all about FUSE):

```
$ mkdir ./mnt
$ sshfs -o sshfs_debug remote:~ ./mnt
Request for subsystem 'sftp' failed on channel 0
remote host has disconnected
```

So I try the local host's name:

```
$ sshfs -o sshfs_debug pc123:~ ./mnt
Warning: Permanently added 'pc123' (RSA) to the list of known hosts.
Server version: 3
fusermount: failed to open /dev/fuse: Permission denied
```

Any idea what is happening here? There seem to be two problems.

1. permissions on /dev/fuse aren't right:

```
$ ls -l /dev/fuse
crw-rw----  1 root root 10, 229 Jan 30 21:02 /dev/fuse
$ cat /etc/udev/rules.d/40-fuse.rules
KERNEL="fuse", NAME="%k", MODE="0666"
```

Something wrong there.

And:

2. for some reason (perhaps the same one as #1) the remote server is dropping the ssh connection. Note that ssh and scp both work fine to the remote server, using public key authentication.

----------

## JeliJami

```
# ls -l /dev/fuse
crw-rw-rw-  1 root root 10, 229 Nov 28 13:40 /dev/fuse
```

----------

## RuhrpottKai

it's not a bug, it's a (security) feature...

A good idea is to create a crypt group, for users you permit to mount userspace filesystems.

Just edit /etc/udev/rules.d/60-fuse.rules like this:

```
KERNEL=="fuse", NAME="%k", MODE="0666", GROUP="crypt"
```

Have a look at http://www.reactivated.net/writing_udev_rules.html#mode-owner-group

----------

## Nicias

I am having the same trouble:

```
$ eix fuse
...
* sys-fs/fuse
     Available versions:  2.6.0_pre2
     Installed:           2.6.0_pre2
     Homepage:            http://fuse.sourceforge.net
     Description:         An interface for filesystems implemented in userspace.

* sys-fs/sshfs-fuse
     Available versions:  1.2 ~1.3 1.6
     Installed:           1.6
     Homepage:            http://fuse.sourceforge.net/
     Description:         Fuse-filesystem utilizing the sftp service.
```

```
$ lsmod
Module                  Size  Used by
fuse                   32136  0
...
```

```
$ sshfs host.domain.top: ~/mount-point
user@host.domain.top's password:
fusermount: failed to open /dev/fuse: Permission denied
```

```
$ ls -l /dev/fuse
crw-rw---- 1 root root 10, 229 May 24 11:28 /dev/fuse
```

```
$ cat /etc/udev/rules.d/60-fuse.rules
KERNEL=="fuse", NAME="%k", MODE="0666"
```

----------

## xces

*Nicias wrote:*

> I am having the same trouble:

Read RuhrpottKai's post...

----------

## Nicias

How do I add a crypto group?

----------

## xces

*Nicias wrote:*

> How do I add a crypto group?

As root:

```
groupadd crypto
usermod -aG crypto $YOUR_USERNAME
```

----------

## Nicias

I added the group, and added the group= to the udev rule, still no luck. It is still 0660 owned by root/root, even though my rule says it should be 0666 and owned by crypto.

/etc/udev/rules.d/60-fuse.rules:

```
KERNEL=="fuse", NAME="%k", MODE="0666", GROUP="crypto"
```

Then I load the module:

```
# modprobe -r fuse
# ls -l /dev/fuse
ls: /dev/fuse: No such file or directory
# modprobe fuse
# ls -l /dev/fuse
crw-rw---- 1 root root 10, 229 May 27 17:10 /dev/fuse
```

Any suggestions?

----------

## xces

Rename /etc/udev/rules.d/60-fuse.rules to /etc/udev/rules.d/40-fuse.rules so that the rules are loaded before 50-udev.rules. Then run `udevstart`.

----------

## Nicias

solved, thanks.

----------

## flazz

is there any reason something like this is not set up by the ebuild? like a FUSE group or a sshfs group? and what about 99-fuse.rules? could i just edit this one?

mine: 

```
KERNEL=="fuse", MODE="0666"
```

or could i just leave it?

what security risk could having any user mount an sshfs have that normal ssh/scp wouldn't have?

----------
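An added example (not posted by anyone in this thread): a read-only shell check that lists every udev rule matching the fuse device in filename order, shows the MODE and GROUP each one assigns, and reports whether the live node actually carries that mode. It also flags a GROUP paired with a world-writable mode, since the open "other" bits then let every local user open the node regardless of group membership. The function names are made up for this example; the default paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit udev rules that target /dev/fuse.
# usage: audit_fuse_rules [rules_dir] [device_node]

# Print the value assigned by KEY="value" in one rule line (empty if absent).
rule_value() {
    printf '%s\n' "$2" | sed -n "s/.*$1=\"\([^\"]*\)\".*/\1/p"
}

audit_fuse_rules() {
    dir=${1:-/etc/udev/rules.d}
    dev=${2:-/dev/fuse}
    # Live permission bits of the node, e.g. 660; "absent" if the node does not exist.
    live=$(stat -c '%a' "$dev" 2>/dev/null) || live=absent
    # Globs expand in sorted order, so 40-fuse.rules is listed before 50-udev.rules.
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        # Accept both KERNEL="fuse" and KERNEL=="fuse", the two spellings in the thread.
        grep -E '^[[:space:]]*KERNEL==?"fuse"' "$f" | while IFS= read -r line; do
            mode=$(rule_value MODE "$line")
            group=$(rule_value GROUP "$line")
            case $mode in
                *[2367]) access=world-writable ;;   # "other" write bit is set
                '')      access=mode-unset ;;
                *)       access=restricted ;;
            esac
            # With the "other" bits open, GROUP= no longer limits who can open the node.
            if [ "$access" = world-writable ] && [ -n "$group" ]; then
                access=world-writable-group-moot
            fi
            # Does the live node actually carry this rule's mode?
            if [ "${mode#0}" = "$live" ]; then applied=yes; else applied=no; fi
            printf '%s mode=%s group=%s %s applied=%s\n' \
                "${f##*/}" "${mode:-unset}" "${group:-unset}" "$access" "$applied"
        done
    done
}
```

Source the file and call `audit_fuse_rules` with no arguments to check the default paths. On a box in the state Nicias describes (rule says 0666, node is 0660), the 60-fuse.rules line would end in `applied=no`.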

