For **user.mergerfs.srcmounts** there are several instructions available for manipulating the list. The value provided is just as the value used at mount time. A colon (':') delimited list of full path globs.
@ -230,16 +230,18 @@ For **user.mergerfs.srcmounts** there are several instructions available for man
| =[list] | set |
| [list] | set |
##### misc #####
Categories and funcs take a policy as described in the previous section. When reading funcs you'll get the policy string. However, with categories you'll get a coma separated list of policies for each type found. For example: if all search functions are `ff` except for `access` which is `ffwp` the value for `user.mergerfs.category.search` will be `ff,ffwp`.
#### mergerfs file xattrs ####
While they won't show up when using [listxattr](http://linux.die.net/man/2/listxattr) mergerfs offers a number of special xattrs to query information about the files served. To access the values you will need to issue a [getxattr](http://linux.die.net/man/2/getxattr) for one of the following:
* user.mergerfs.basepath: the base mount point for the file given the current search policy
* user.mergerfs.relpath: the relative path of the file from the perspective of the mount point
* user.mergerfs.fullpath: the full path of the original file given the search policy
* user.mergerfs.allpaths: a NUL ('\0') separated list of full paths to all files found
* **user.mergerfs.basepath:** the base mount point for the file given the current search policy
* **user.mergerfs.relpath:** the relative path of the file from the perspective of the mount point
* **user.mergerfs.fullpath:** the full path of the original file given the search policy
* **user.mergerfs.allpaths:** a NUL ('\0') separated list of full paths to all files found
```
[trapexit:/tmp/mount] $ ls
@ -259,12 +261,12 @@ A B C
* The recommended options are `defaults,allow_other`. The `allow_other` is to allow users who are not the one which executed mergerfs access to the mountpoint. `defaults` is described above and should offer the best performance. It's possible that if you're running on an older platform the `splice` features aren't available and could error. In that case simply use the other options manually.
* Remember that some policies mixed with some functions may result in strange behaviors. Not that some of these behaviors and race conditions couldn't happen outside [mergerfs](http://github.com/trapexit/mergerfs) but that they are far more likely to occur on account of attempt to merge together multiple sources of data which could be out of sync due to the different policies.
* An example: [Kodi](http://kodi.tv) can apparently use directory [mtime](http://linux.die.net/man/2/stat) to more determine whether or not to scan for new content rather than a full scan. If using the current default `getattr` policy of `ff` it's possible Kodi will miss an update on account of it returning the first directory found's `stat` info and its a later directory on another mount which had the `mtime` recently updated. To fix this you will want to set `func.getattr=newest`. Remember though that this is just `stat`. If the file is later `open`ed or `unlink`ed and the policy is different for those then a completely different file or directory could be acted on.
* An example: [Kodi](http://kodi.tv) can apparently use directory [mtime](http://linux.die.net/man/2/stat) to more efficiently determine whether or not to scan for new content rather than simply performing a full scan. If using the current default `getattr` policy of `ff` it's possible Kodi will miss an update on account of it returning the first directory found's `stat` info and its a later directory on another mount which had the `mtime` recently updated. To fix this you will want to set `func.getattr=newest`. Remember though that this is just `stat`. If the file is later `open`ed or `unlink`ed and the policy is different for those then a completely different file or directory could be acted on.
* Due to previously mentioned issues its generally best to set `category` wide policies rather than individual `func`s. This will help limit the confusion of tools such as [rsync](http://linux.die.net/man/1/rsync).
# FAQ
* It's mentioned that there are some security issues with `mhddfs`. What are they? How does `mergerfs` address them?
#### It's mentioned that there are some security issues with `mhddfs`. What are they? How does `mergerfs` address them?
[mhddfs](https://github.com/trapexit/mhddfs) trys to handle being run as `root` by calling [getuid()](https://github.com/trapexit/mhddfs/blob/cae96e6251dd91e2bdc24800b4a18a74044f6672/src/main.c#L319) and if it returns `0` then it will [chown](http://linux.die.net/man/1/chown) the file. Not only is that a race condition but it doesn't handle many other situtations. Rather than attempting to simulate POSIX ACL behaviors the proper behavior is to use [seteuid](http://linux.die.net/man/2/seteuid) and [setegid](http://linux.die.net/man/2/setegid), become the user making the original call and perform the action as them. This is how [mergerfs](https://github.com/trapexit/mergerfs) handles things.
@ -272,8 +274,10 @@ If you are familiar with POSIX standards you'll know that this behavior poses a
OSX has a [non-portable pthread extension](https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man2/pthread_setugid_np.2.html) for per-thread user and group impersonation. When building on OSX mergerfs will use this without any mutexes.
Linux does not support [pthread_setugid_cp](https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man2/pthread_setugid_np.2.html) but user and group IDs are a per-thread attribute though documention on that fact or how to manipulate them is not well distributed. From the `4.00` release of the Linux man-pages project for [setuid](http://man7.org/linux/man-pages/man2/setuid.2.html)
Linux does not support [pthread_setugid_np](https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man2/pthread_setugid_np.2.html) but user and group IDs are a per-thread attribute though documention on that fact or how to manipulate them is not well distributed. From the `4.00` release of the Linux man-pages project for [setuid](http://man7.org/linux/man-pages/man2/setuid.2.html)
> At the kernel level, user IDs and group IDs are a per-thread attribute. However, POSIX requires that all threads in a process share the same credentials. The NPTL threading implementation handles the POSIX requirements by providing wrapper functions for the various system calls that change process UIDs and GIDs. These wrapper functions (including the one for setuid()) employ a signal-based technique to ensure that when one thread changes credentials, all of the other threads in the process also change their credentials. For details, see nptl(7).
Turns out the setreuid syscalls apply only to the thread. GLIBC hides this away using RT signals and other tricks. Taking after Samba mergerfs uses `syscall(SYS_setreuid,...)` to set the callers credentials for that thread only. Jumping back to `root` as necessary should escalated privilages be needed (for instance: to clone paths).
Antonio SJ Musumeci
10 years ago