1BINDFS(1) General Commands Manual BINDFS(1)
2
3
4
6 bindfs ‐ mount --bind in user-space
7
8
9
11 bindfs [options] dir mountpoint
12
13
14
16 A FUSE filesystem for mirroring the contents of a directory to another
17 directory. Additionally, one can change the permissions of files in the
18 mirrored directory.
19
20
21
23 -u, --force-user, -o force-user=...
24 Makes all files owned by the specified user. Also causes chown
25 on the mounted filesystem to always fail.
26
27
28 -g, --force-group=group, -o force-group=...
29 Makes all files owned by the specified group. Also causes chgrp
30 on the mounted filesystem to always fail.
31
32
33 -p, --perms=permissions, -o perms=...
34 Takes a comma- or colon-separated list of chmod-like permission
35 specifications to be applied to the permission bits in order.
36 See PERMISSION SPECIFICATION below for details.
37
38 This only affects how the permission bits of existing files are
39 altered when shown in the mounted directory. You can use --cre‐
40 ate-with-perms to change the permissions that newly created
41 files get in the source directory.
42
43 Note that, as usual, the root user isn't bound by the permis‐
44 sions set here. You can get a truly read-only mount by using
45 -r.
46
47
48 -m, --mirror=user1:user2:..., -o mirror=...
49 Takes a comma- or colon-separated list of users who will see
50 themselves as the owners of all files. Users who are not listed
51 here will still be able to access the mount if the permissions
52 otherwise allow them to.
53
54 You can also give a group name prefixed with an '@' to mirror
55 all members of a group. This will not change which group the
56 files are shown to have.
57
58
59 -M, --mirror-only=user1:user2:..., -o mirror-only=...
60 Like --mirror but disallows access for all other users (except
61 root).
62
63
64 --map=user1/user2:@group1/@group2:..., -o map=...
65 Given a mapping user1/user2, all files owned by user1 are shown
66 as owned by user2. When user2 creates files, they are chowned to
67 user1 in the underlying directory. When files are chowned to
68 user2, they are chowned to user1 in the underlying directory.
69 Works similarly for groups.
70
71 A single user or group may appear no more than once on the left
72 and once on the right of a slash in the list of mappings. Cur‐
73 rently, the options --force-user, --force-group, --mirror,
74 --create-for-*, --chown-* and --chgrp-* override the correspond‐
75 ing behavior of this option.
76
77 Requires mounting as root.
78
79
80 --uid-offset=..., -o uid-offset=...
81 Works like --map, but adds the given number to all file owner
82 user IDs. For instance, --uid-offset=100000 causes a file owned
83 by user 123 to be shown as owned by user 100123.
84
85 For now, this option cannot be used together with --map. Please
86 file an issue with the desired semantics if you have a case for
87 using them together.
88
89 Requires mounting as root.
90
91
92 --gid-offset=..., -o gid-offset=...
93 Works exactly like --uid-offset but for groups.
94
95
96
98 New files and directories are created so they are owned by the mounter.
99 bindfs can let this happen (the default for normal users), or it can
100 try to change the owner to the uid/gid of the process that wants to
101 create the file (the default for root). It is also possible to have
102 bindfs try to change the owner to a particular user or group.
103
104
105 --create-as-user, -o create-as-user
106 Tries to change the owner and group of new files and directories
107 to the uid and gid of the caller. This can work only if the
108 mounter is root. It is also the default behavior (mimicing
109 mount --bind) if the mounter is root.
110
111
112 --create-as-mounter, -o create-as-mounter
113 All new files and directories will be owned by the mounter.
114 This is the default behavior for non-root mounters.
115
116
117 --create-for-user=user, -o create-for-user=...
118 Tries to change the owner of new files and directories to the
119 user specified here. This can work only if the mounter is root.
120 This option overrides the --create-as-user and --cre‐
121 ate-as-mounter options.
122
123
124 --create-for-group=group, -o create-for-group=...
125 Tries to change the owning group of new files and directories to
126 the group specified here. This can work only if the mounter is
127 root. This option overrides the --create-as-user and --cre‐
128 ate-as-mounter options.
129
130
131 --create-with-perms=permissions, -o create-with-perms=...
132 Works like --perms but is applied to the permission bits of new
133 files get in the source directory. Normally the permissions of
134 new files depend on the creating process's preferences and
135 umask. This option can be used to modify those permissions or
136 override them completely. See PERMISSION SPECIFICATION below
137 for details.
138
139
140
142 The behaviour on chown/chgrp calls can be changed. By default they are
143 passed through to the source directory even if bindfs is set to show a
144 fake owner/group. A chown/chgrp call will only succeed if the user has
145 enough mirrored permissions to chmod the mirrored file AND the mounter
146 has enough permissions to chmod the real file.
147
148
149 --chown-normal, -o chown-normal
150 Tries to chown the underlying file. This is the default.
151
152
153 --chown-ignore, -o chown-ignore
154 Lets chown succeed (if the user has enough mirrored permissions)
155 but actually does nothing. A combined chown/chgrp is effectively
156 turned into a chgrp-only request.
157
158
159 --chown-deny, -o chown-deny
160 Makes chown always fail with a 'permission denied' error. A
161 combined chown/chgrp request will fail as well.
162
163
164 --chgrp-normal, -o chgrp-normal
165 Tries to chgrp the underlying file. This is the default.
166
167
168 --chgrp-ignore, -o chgrp-ignore
169 Lets chgrp succeed (if the user has enough mirrored permissions)
170 but actually does nothing. A combined chown/chgrp is effectively
171 turned into a chown-only request.
172
173
174 --chgrp-deny, -o chgrp-deny
175 Makes chgrp always fail with a 'permission denied' error. A
176 combined chown/chgrp request will fail as well.
177
178
179
181 Chmod calls are forwarded to the source directory by default. This may
182 cause unexpected behaviour if bindfs is altering permission bits.
183
184
185 --chmod-normal, -o chmod-normal
186 Tries to chmod the underlying file. This will succeed if the
187 user has the appropriate mirrored permissions to chmod the mir‐
188 rored file AND the mounter has enough permissions to chmod the
189 real file. This is the default (in order to behave like mount
190 --bind by default).
191
192
193 --chmod-ignore, -o chmod-ignore
194 Lets chmod succeed (if the user has enough mirrored permissions)
195 but actually does nothing.
196
197
198 --chmod-deny, -o chmod-deny
199 Makes chmod always fail with a 'permission denied' error.
200
201
202 --chmod-filter=permissions, -o chmod-filter=...
203 Changes the permission bits of a chmod request before it is
204 applied to the original file. Accepts the same permission syntax
205 as --perms. See PERMISSION SPECIFICATION below for details.
206
207
208 --chmod-allow-x, -o chmod-allow-x
209 Allows setting and clearing the executable attribute on files
210 (but not directories). When used with --chmod-ignore, chmods
211 will only affect execute bits on files and changes to other bits
212 are discarded. With --chmod-deny, all chmods that would change
213 any bits except excecute bits on files will still fail with a
214 'permission denied'. This option does nothing with --chmod-nor‐
215 mal.
216
217
218
220 Extended attributes are mirrored by default, though not all underlying
221 file systems support xattrs.
222
223
224 --xattr-none, -o xattr-none
225 Disable extended attributes altogether. All operations will
226 return 'Operation not supported'.
227
228
229 --xattr-ro, -o xattr-ro
230 Let extended attributes be read-only.
231
232
233 --xattr-rw, -o xattr-rw
234 Let extended attributes be read-write (the default). The
235 read/write permissions are checked against the (possibly modi‐
236 fied) file permissions inside the mount.
237
238
239
241 --delete-deny, -o delete-deny
242 Makes all file delete operations fail with a 'permission
243 denied'. By default, files can still be modified if they have
244 write permission, and renamed if the directory has write permis‐
245 sion.
246
247
248 --rename-deny, -o rename-deny
249 Makes all file rename/move operations within the mountpoint fail
250 with a 'permission denied'. Programs that move files out of a
251 mountpoint do so by copying and deleting the original.
252
253
255 Reads and writes through the mount point can be throttled. Throttling
256 works by sleeping the required amount of time on each read or write
257 request. Throttling imposes one global limit on all readers/writers as
258 opposed to a per-process or per-user limit.
259
260 Currently, the implementation is not entirely fair. See BUGS below.
261
262
263 --read-rate=N, -o read-rate=N
264 Allow at most N bytes per second to be read. N may have one of
265 the following (1024-based) suffixes: k, M, G, T.
266
267
268 --write-rate=N, -o write-rate=N
269 Same as above, but for writes.
270
271
273 --hide-hard-links, -o hide-hard-links
274 Shows the hard link count of all files as 1.
275
276
277 --resolve-symlinks, -o resolve-symlinks
278 Transparently resolves symbolic links. Disables creation of new
279 symbolic links.
280
281 With the following exceptions, operations will operate directly
282 on the target file instead of the symlink. Renaming/moving a
283 resolved symlink (inside the same mount point) will move the
284 symlink instead of the underlying file. Deleting a resolved sym‐
285 link will delete the underlying symlink but not the destination
286 file. This can be configured with --resolved-symlink-deletion.
287
288 Note that when some programs, such as vim, save files, they
289 actually move the old file out of the way, create a new file in
290 its place, and finally delete the old file. Doing these opera‐
291 tions on a resolved symlink will replace it with a regular file.
292
293 Symlinks pointing outside the source directory are supported
294 with the following exception: accessing the mountpoint recur‐
295 sively through a resolved symlink is not supported and will
296 return an error. This is because a FUSE filesystem cannot reli‐
297 ably call itself recursively without deadlocking, especially in
298 single-threaded mode.
299
300
301 --resolved-symlink-deletion=policy, -o resolved-symlink-deletion=policy
302 If --resolve-symlinks is enabled, decides what happens when a
303 resolved symlink is deleted. The options are: deny (resolved
304 symlinks cannot be deleted), symlink-only (the underlying sym‐
305 link is deleted, its target is not), symlink-first (the symlink
306 is deleted, and if that succeeds, the target is deleted but no
307 error is reported if that fails) or target-first (the target is
308 deleted first, and the symlink is deleted only if deleting the
309 target succeeded). The default is symlink-only.
310
311 Note that deleting files inside symlinked directories is always
312 possible with all settings, including deny, unless something
313 else protects those files.
314
315
316
318 -h, --help
319 Displays a help message and exits.
320
321
322 -V, --version
323 Displays version information and exits.
324
325 --fuse-version Displays the version of the FUSE library inter‐
326 face that was seen at compile-time, as well as the version that
327 bindfs currently runs with.
328
329
330 --no-allow-other, -o no-allow-other
331 Does not add -o allow_other to FUSE options. This causes the
332 mount to be accessible only by the current user.
333
334 (The deprecated shorthand -n is also still accepted.)
335
336
337 --realistic-permissions, -o realistic-permissions
338 Hides read/write/execute permissions for a mirrored file when
339 the mounter doesn't have read/write/execute access to the under‐
340 lying file. Useless when mounting as root, since root will
341 always have full access.
342
343 (Prior to version 1.10 this option was the default behavior. I
344 felt it violated the principle of least surprise badly enough to
345 warrant a small break in backwards-compatibility.)
346
347
348 --ctime-from-mtime, -o ctime-from-mtime
349 Recall that a unix file has three standard timestamps: atime
350 (last access i.e. read time), mtime (last content modification
351 time) ctime (last content or metadata (inode) change time)
352
353 With this option, the ctime of each file and directory is read
354 from its mtime. In other words, only content modifications (as
355 opposed to metadata changes) will be reflected in a mirrored
356 file's ctime. The underlying file's ctime will still be updated
357 normally.
358
359
360 --enable-lock-forwarding, -o enable-lock-forwarding
361 Forwards flock and fcntl locking requests to the source direc‐
362 tory. This way, locking a file in the bindfs mount will also
363 lock the file in the source directory.
364
365 This option must be used with --multithreaded because otherwise
366 bindfs will deadlock as soon as there is lock contention. How‐
367 ever, see BUGS below for caveats about --multithreaded with the
368 current implementation.
369
370
371 --disable-lock-forwarding, -o disable-lock-forwarding
372 Currently does nothing, but a future release may default to
373 enabling lock forwarding. If you depend on this behaviour, it's
374 recommended to set this flag explicitly.
375
376
377 --enable-ioctl, -o enable-ioctl
378 Enables forwarding of ioctl, which is needed for some advanced
379 features such as append-only files (chattr +a). Note that the
380 ioctl action will be performed as the mounter, not the calling
381 user. No efforts are made to check whether the calling user
382 would ordinarily have the permissions to make the ioctl. This
383 may be a security concern, especially when mounting as root.
384
385
386 --block-devices-as-files, -o block-devices-as-files
387 Shows block devices as regular files.
388
389
390 --multithreaded, -o multithreaded
391 Run bindfs in multithreaded mode. While bindfs is designed to be
392 otherwise thread-safe, there is currently a race condition that
393 may pose a security risk for some use cases. See BUGS below.
394
395
396 --forward-odirect=alignment, -o forward-odirect=alignment
397 Enable experimental O_DIRECT forwarding, with all read/write
398 requests rounded to the given alignment (in bytes). By default,
399 the O_DIRECT flag is not forwarded to the underlying FS. See
400 open(2) for details about O_DIRECT.
401
402 Only works on Linux. Ignored on other platforms.
403
404
406 -o options
407 Fuse options.
408
409
410 -r, -o ro
411 Make the mount strictly read-only. This even prevents root from
412 writing to it. If this is all you need, then (since Linux
413 2.6.26) you can get a more efficent mount with mount --bind and
414 then mount -o remount,ro.
415
416
417 -d, -o debug
418 Enable debug output (implies -f).
419
420
421 -f Foreground operation.
422
423
424
426 The -p option takes a comma- or colon-separated list of either octal
427 numeric permission bits or symbolic representations of permission bit
428 operations. The symbolic representation is based on that of the
429 chmod(1) command. setuid, setgid and sticky bits are ignored.
430
431 This program extends the chmod symbolic representation with the follow‐
432 ing operands:
433
434 `D' (right hand side)
435 Works like X but applies only to directories (not to executables).
436
437 `d' and `f' (left hand side)
438 Makes this directive only apply to directories (d) or files (f).
439 e.g. gd-w would remove the group write bit from all directories.
440
441 `u', `g', `o' (right hand side)
442 Uses the user (u), group (g) or others (o) permission bits of
443 the original file.
444 e.g. g=u would copy the user's permission bits to the group.
445 ug+o would add the others' permissions to the owner and group.
446
447
448 Examples
449
450 o-rwx Removes all permission bits from others.
451
452
453 g=rD Allows group to read all files and enter all directories, but
454 nothing else.
455
456
457 0644,a+X
458 Sets permission bits to 0644 and adds the execute bit for every‐
459 one to all directories and executables.
460
461
462 og-x:og+rD:u=rwX:g+rw
463 Removes execute bit for others and group, adds read and direc‐
464 tory execute for others and group, sets user permissions to
465 read, write and execute directory/executable, adds read and
466 write for group.
467
468
469
471
472
473 bindfs -u www -g nogroup -p 0000,u=rD ~/mywebsite ~/public_html/mysite
474
475 Publishes a website in public_html so that only the 'www' user
476 can read the site.
477
478
479 bindfs -M foo,bar,1007,@mygroup -p 0600,u+X dir mnt
480
481 Gives access to 'foo', 'bar', the user with the UID 1007 as well
482 as everyone in the group 'mygroup'. Sets the permission bits to
483 0600, thus giving the specified users read/write access, and
484 adds the user execute bit for directories and executables.
485
486
487 bindfs -ono-allow-other,perms=a-w somedir somedir
488
489 Makes a directory read-only and accessable only by the current
490 user.
491
492
493 /home/bob/shared /var/www/shared/bob fuse.bindfs perms=0000:u+rD 0 0
494
495 An example /etc/fstab entry. Note that the colon must be used to
496 separate arguments to perms, because the comma is an option sep‐
497 arator in /etc/fstab.
498
499
500 bindfs#/home/bob/shared /var/www/shared/bob fuse perms=0000:u+rD 0 0
501
502 Older systems may require this deprecated fstab syntax.
503
504
505
507 Setuid and setgid bits have no effect inside the mount. This is a nec‐
508 essary security feature of FUSE.
509
510 Access to device files is denied by default by FUSE as a security pre‐
511 caution. Use -o dev to enable access (requires mounting as root). This
512 may not be supported on all operating systems.
513
514 MacFuse caches file contents by default. This means that changes in
515 source files are not always immediately visible under the mount point.
516 -o nolocalcaches can be used to disable the cache.
517
518 When using --mirror[-only] @somegroup, bindfs won't see changes to the
519 group's member list. Sending bindfs a SIGUSR1 signal will make it
520 reread the user database.
521
522 The following extra options may be useful under osxfuse: -o
523 local,allow_other,extended_security,noappledouble See
524 https://github.com/osxfuse/osxfuse/wiki/Mount-options for details.
525
526
528 If bindfs is run in multithreaded mode (with the --multithreaded
529 option) then it's possible for another process to briefly see a file
530 with an incorrect owner, group or permissions. This may constitute a
531 security risk if you rely on bindfs to reduce permissions on new files.
532 For this reason, as of version 1.11 bindfs runs in single-threaded mode
533 by default.
534
535 Rate limiting favors the process with the larger block size. If two
536 processes compete for read/write access, the one whose read()/write()
537 calls specify the larger block size gets to read/write faster. The
538 total rate limit is maintained though, and clients with equal block
539 sizes and a similar rate of requests are treated fairly as long as the
540 kernel orders their requests fairly.
541
542 Some features relying on xattrs might not work properly on OS X
543 (https://github.com/mpartel/bindfs/issues/21). For instance, Finder
544 tags seem to work but comments might not.
545
546 Please report bugs and/or send pull requests to
547 https://github.com/mpartel/bindfs/issues.
548
549
550
552 The option names --user and --group were deprecated and replaced with
553 --force-user and --force-group in version 1.12. The former names
554 clashed with standard option names. They are still available but their
555 use is discouraged and prints a warning. The synonym --owner is also
556 deprecated for consistency.
557
558
559
561 Martin Pärtel <martin dot partel at gmail dot com>
562
563
564
566 chmod(1), fusermount(1), http://bindfs.org/
567
568
569
570
571 BINDFS(1)