fuse - configuration and mount options for FUSE file systems
FUSE (Filesystem in Userspace) is a simple interface for userspace programs to
export a virtual filesystem to the Linux kernel. FUSE also aims to provide a
secure method for non-privileged users to create and mount their own
filesystem implementations.
- FUSE
- The in-kernel filesystem that forwards requests to a
user-space process.
- filesystem
- The user-space process that responds to requests received
from the kernel.
- libfuse
- The shared library that most (user-space) filesystems use
to communicate with FUSE (the kernel filesystem). libfuse also provides
the fusermount3 (or fusermount if you have an older version of
libfuse) helper to allow non-privileged users to mount filesystems.
- filesystem owner
- The user that starts the filesystem and instructs the
kernel to associate it with a particular mountpoint. The latter is
typically done by the filesystem itself on start-up. When using libfuse,
this is done by calling the fusermount3 utility.
- client
- Any process that interacts with the mountpoint.
Some options regarding mount policy can be set in the file
/etc/fuse.conf. Currently these options are:
- mount_max = NNN
- Set the maximum number of FUSE mounts allowed to non-root
users. The default is 1000.
- user_allow_other
- Allow non-root users to specify the allow_other or
allow_root mount options (see below).
These limits are enforced by the fusermount3 helper,
so they can be avoided by filesystems that run as root.
Most of the generic mount options described in mount are supported (ro, rw,
suid, nosuid, dev, nodev, exec, noexec, atime, noatime, sync, async, dirsync).
Filesystems are mounted with nodev,nosuid by default, which can only be
overridden by a privileged user.
These are FUSE specific mount options that can be specified for all filesystems:
- default_permissions
- This option instructs the kernel to perform its own
permission check instead of deferring all permission checking to the
filesystem. The check by the kernel is done in addition to any permission
checks by the filesystem, and both have to succeed for an operation to be
allowed. The kernel performs a standard UNIX permission check (based on
mode bits and ownership of the directory entry, and uid/gid of the
client).
This mount option is activated implicitly if the filesystem enables ACL
support during the initial feature negotiation when opening the device fd.
In this case, the kernel performs both ACL and standard UNIX permission
checking.
Filesystems that do not implement any permission checking should generally
add this option internally.
- allow_other
- This option overrides the security measure restricting file
access to the filesystem owner, so that all users (including root) can
access the files.
- rootmode=M
- Specifies the file mode of the filesystem's root (in octal
representation).
- blkdev
- Mount a filesystem backed by a block device. This is a
privileged option. The device must be specified with the
fsname=NAME option.
- blksize=N
- Set the block size for the filesystem. This option is only
valid for 'fuseblk' type mounts. The default is 512.
In most cases, this option should not be specified by the filesystem owner
but set internally by the filesystem.
- max_read=N
- With this option the maximum size of read operations can be
set. The default is infinite, but typically the kernel enforces its own
limit in addition to this one. A value of zero corresponds to no limit.
This option should not be specified by the filesystem owner. The correct (or
optimum) value depends on the filesystem implementation and should thus be
set by the filesystem internally.
This mount option is deprecated in favor of direct negotiation over the
device fd (as done for e.g. the maximum size of write operations). For the
time being, libfuse-using filesystems that want to limit the read size
must therefore use this mount option and set the same value again
in the init() handler.
- fd=N
- The file descriptor to use for communication between the
userspace filesystem and the kernel. The file descriptor must have been
obtained by opening the FUSE device (/dev/fuse).
This option should not be specified by the filesystem owner. It is set by
libfuse (or, if libfuse is not used, must be set by the filesystem
itself).
- user_id=N
- group_id=N
- Specifies the numeric uid/gid of the mount owner.
This option should not be specified by the filesystem owner. It is set by
libfuse (or, if libfuse is not used, must be set by the filesystem
itself).
- fsname=NAME
- Sets the filesystem source (first field in
/etc/mtab). The default is the name of the filesystem process.
- subtype=TYPE
- Sets the filesystem type (third field in /etc/mtab).
The default is the name of the filesystem process. If the kernel supports
it, /etc/mtab and /proc/mounts will show the filesystem type
as fuse.TYPE.
If the kernel doesn't support subtypes, the source field will be
TYPE#NAME, or if fsname option is not specified, just
TYPE.
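The options above are visible in the fourth field of /proc/mounts, which makes them easy to audit. The following added example (not part of the original man page or of libfuse) scans mount-table text for FUSE mounts and reports those that combine allow_other with no default_permissions, or that lack nosuid or nodev; the sample table, function names and finding strings are constructed for illustration.

```python
# Constructed sample in /proc/mounts format (not captured from a real host).
SAMPLE_MOUNTS = """\
backup.example:/srv /home/alice/remote fuse.sshfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
/dev/sdb1 /media/usb fuseblk rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,blksize=4096 0 0
examplefs /srv/share fuse.examplefs rw,nosuid,nodev,relatime,user_id=1001,group_id=1001,allow_other 0 0
fusectl /sys/fs/fuse/connections fusectl rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
"""

def is_fuse_type(fstype):
    # "fuse", "fuseblk", or "fuse.TYPE" when a subtype is set.
    # The "fusectl" control filesystem is deliberately not matched.
    return fstype in ("fuse", "fuseblk") or fstype.startswith("fuse.")

def parse_options(field):
    # "rw,user_id=1000,allow_other" -> {"rw": "", "user_id": "1000", ...}
    opts = {}
    for item in field.split(","):
        key, _, value = item.partition("=")
        opts[key] = value
    return opts

def audit_mounts(text):
    """Return (mountpoint, owner uid, issues) for each FUSE mount worth reviewing."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not is_fuse_type(fields[2]):
            continue
        opts = parse_options(fields[3])
        issues = []
        # With allow_other every user can reach the mount; without
        # default_permissions all permission checking is left to the filesystem.
        if "allow_other" in opts and "default_permissions" not in opts:
            issues.append("allow_other without default_permissions")
        # nodev,nosuid are the defaults; only a privileged user can drop them.
        for flag in ("nosuid", "nodev"):
            if flag not in opts:
                issues.append("mounted without " + flag)
        if issues:
            findings.append((fields[1], opts.get("user_id"), issues))
    return findings

if __name__ == "__main__":
    for mountpoint, owner, issues in audit_mounts(SAMPLE_MOUNTS):
        print(mountpoint, "owner uid", owner, "->", "; ".join(issues))
```

To audit a live system, pass the contents of /proc/mounts to audit_mounts() instead of the sample. A finding is a prompt to review the mount, since a filesystem may implement its own permission checks.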
The following options are not actually passed to the kernel but interpreted by
libfuse. They can be specified for all filesystems that use libfuse:
- allow_root
- This option is similar to allow_other but file
access is limited to the filesystem owner and root. This option and
allow_other are mutually exclusive.
- auto_unmount
- This option enables automatic release of the mountpoint if
the filesystem terminates for any reason. Normally the filesystem is
responsible for releasing the mountpoint, which means that the mountpoint
becomes inaccessible if the filesystem terminates without first
unmounting.
At the moment, this option implies that the filesystem will also be mounted
with nodev and nosuid (even when mounted by root). This
restriction may be lifted in the future.
The following options are not actually passed to the kernel but interpreted by
libfuse. They can only be specified for filesystems that use the high-level
libfuse API:
- kernel_cache
- This option disables flushing the cache of the file
contents on every open(2). This should only be enabled on
filesystems where the file data is never changed externally (not through
the mounted FUSE filesystem). Thus it is not suitable for network
filesystems and other "intermediate" filesystems.
NOTE: if this option is not specified (and neither is direct_io),
data is still cached after the open(2), so a read(2) system
call will not always initiate a read operation.
- auto_cache
- This option is an alternative to kernel_cache.
Instead of unconditionally keeping cached data, the cached data is
invalidated on open(2) if the modification time or the size of the
file has changed since it was last opened.
- umask=M
- Override the permission bits in st_mode set by the
filesystem. The resulting permission bits are the ones missing from the
given umask value. The value is given in octal representation.
- uid=N
- Override the st_uid field set by the filesystem (N
is numeric).
- gid=N
- Override the st_gid field set by the filesystem (N
is numeric).
- entry_timeout=T
- The timeout in seconds for which name lookups will be
cached. The default is 1.0 second. For all the timeout options, it is
possible to give fractions of a second as well (e.g.
entry_timeout=2.8).
- negative_timeout=T
- The timeout in seconds for which a negative lookup will be
cached. This means that if a file did not exist (lookup returned
ENOENT), the lookup will only be redone after the timeout, and the
file/directory will be assumed to not exist until then. The default is 0.0
second, meaning that caching of negative lookups is disabled.
- attr_timeout=T
- The timeout in seconds for which file/directory attributes
are cached. The default is 1.0 second.
- ac_attr_timeout=T
- The timeout in seconds for which file attributes are cached
for the purpose of checking if auto_cache should flush the file
data on open. The default is the value of attr_timeout.
- noforget
- remember=T
- Normally, libfuse assigns inodes to paths only for as long
as the kernel is aware of them. With this option inodes are instead
assigned for at least T seconds (or, in the case of
noforget, the life-time of the filesystem). This will require more
memory, but may be necessary when using applications that make use of
inode numbers.
- modules=M1[:M2...]
- Add modules to the filesystem stack. Modules are pushed in
the order they are specified, with the original filesystem being on the
bottom of the stack.
These options are interpreted by mount.fuse3 and are thus only available
when mounting a file system via mount.fuse3 (such as when mounting via
the generic mount(1) command or /etc/fstab). Supported options are:
- setuid=USER
- Switch to USER and its primary group before
launching the FUSE file system process. mount.fuse3 must be run as root or
with CAP_SETUID and CAP_SETGID for this to work.
- drop_privileges
- Perform setup of the FUSE file descriptor and mounting the
file system before launching the FUSE file system process.
mount.fuse3 requires privilege to do so, i.e. must be run as root
or at least with CAP_SYS_ADMIN and CAP_SETPCAP. It will
launch the file system process fully unprivileged, i.e. without
capabilities(7) and prctl(2) flags set up such that
privileges can't be reacquired (e.g. via setuid or fscaps binaries). This
reduces risk in the event of the FUSE file system process getting
compromised by malicious file system data.
Modules provide filesystem stacking support for the high-level API. Filesystem
modules can be built into libfuse or loaded from a shared object.
Perform file name character set conversion. Options are:
- from_code=CHARSET
- Character set to convert from (see iconv -l for a
list of possible values). Default is UTF-8.
- to_code=CHARSET
- Character set to convert to. Default is determined by the
current locale.
Prepend a given directory to each path. Options are:
- subdir=DIR
- Directory to prepend to all paths. This option is
mandatory.
- rellinks
- Transform absolute symlinks into relative.
- norellinks
- Do not transform absolute symlinks into relative. This is
the default.
The fusermount3 program is installed set-user-gid to fuse. This is done to allow
users from the fuse group to mount their own filesystem implementations. There
must however be some limitations, in order to prevent Bad User from doing
nasty things. Currently those limitations are:
1. The user can only mount on a mountpoint for which it has
write permission.
2. The mountpoint is not a sticky directory which isn't owned
by the user (like /tmp usually is).
3. No other user (including root) can access the contents of
the mounted filesystem.
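The first two limitations can be checked against a directory's stat data before attempting a mount. The following added example (not fusermount3's own code) models them as the page states them, using mode bits only and ignoring ACLs and capabilities; the function names and the stat records are constructed for illustration.

```python
import os
import stat
from types import SimpleNamespace

def can_write(st, uid, gids):
    """Standard UNIX mode-bit write check for the given uid and group set."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def mountpoint_problems(st, uid, gids):
    """Return the limitations (1 and 2 above) that the mountpoint would violate."""
    problems = []
    # Limitation 1: the user needs write permission on the mountpoint.
    if not can_write(st, uid, gids):
        problems.append("no write permission on mountpoint")
    # Limitation 2: a sticky directory is only acceptable if the user owns it.
    if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX and st.st_uid != uid:
        problems.append("sticky directory not owned by user")
    return problems

def check_path(path):
    """Apply the model to a real path for the calling user."""
    gids = set(os.getgroups()) | {os.getgid()}
    return mountpoint_problems(os.stat(path), os.getuid(), gids)

# Constructed stat records (not read from a real system).
TMP_LIKE = SimpleNamespace(st_mode=stat.S_IFDIR | 0o1777, st_uid=0, st_gid=0)
OWN_DIR = SimpleNamespace(st_mode=stat.S_IFDIR | 0o700, st_uid=1000, st_gid=1000)
OTHER_DIR = SimpleNamespace(st_mode=stat.S_IFDIR | 0o755, st_uid=1001, st_gid=1001)

if __name__ == "__main__":
    for name, st in (("tmp-like", TMP_LIKE), ("own", OWN_DIR), ("other", OTHER_DIR)):
        print(name, mountpoint_problems(st, 1000, {1000}) or "ok")
```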
FUSE filesystems are unmounted using the fusermount3(1) command
(fusermount3 -u mountpoint).
FUSE is currently maintained by Nikolaus Rath.
The original author of FUSE is Miklos Szeredi.
This man page was originally written by Bastien Roucaries for the Debian
GNU/Linux distribution.
fusermount3(1) fusermount(1) fuse(4)