Hello @Sumo, @rawtaz and @cdhowie,
Here’s a possible solution, but I’m not sure it’s the best way to approach this. Please let me know what you think.
The important thing to know about fuse mounts is that by default they are only accessible to the user that started the mount. In restic, the main way to work around this is the --allow-other flag for restic mount. However, by default this will allow all users to access the mount.
A better approach might be something like:
sudo pw groupadd restic_mnt # Create a group. This group will be given access to the mount.
sudo pw groupmod restic_mnt -M my_user # Add the Primary user to the group. Replace "my_user" with the main user you want to mount as.
sudo pw groupmod restic_mnt -m second_user # You can add an additional user like this. Just replace "second_user". Whatever user you're using WinSCP with will need to be added here.
sudo install -d -g restic_mnt -o root -m 0750 /mnt/restic_mnt
sudo install -d -g restic_mnt -o mount_user -m 0770 /mnt/restic_mnt/restic_mount # Replace "mount_user" with the user you'll be mounting as. This user should be part of the "restic_mnt" group.
# Then you can mount with something like this:
restic mount --allow-other /mnt/restic_mnt/restic_mount
Creating two levels of directories seems to be crucial here, because it will prevent access by any user. Even if the directory you’re mounting to itself doesn’t allow other users, once --allow-other is used it will allow anyone to see it. So you need a parent directory to be marked non-readable and non-executable by everyone but a certain group. In this case, I suggest making a group, creating a directory owned by root, but only readable/executable by that group, then creating a sub-directory owned only by the user you want to mount as, but with read and executable permissions for that same group again. When you mount to that sub-directory as that user, as I understand it, standard Unix permissions would prevent access to that mount, except by that group, and possibly root.
Maybe I misunderstood your question though, in which case I apologize.
Does this make sense to you, @rawtaz and @cdhowie? I’m trying to do it in a way that maintains some user security while providing the requested functionality.
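An added example, not part of the original post: a small POSIX shell check that the parent directory described above really does close the mount to everyone outside the group. The function names (perm_bits, group_of, check_gate) are hypothetical helpers; the path and group in the final comment are the ones used in the post.

```shell
#!/bin/sh
# Added example: audit the directory that gates a restic FUSE mount started
# with --allow-other. It reads permissions from `ls -ld`, which behaves the
# same on FreeBSD and Linux (stat(1) flags differ between the two).

# Print the 9 permission characters of a directory, e.g. "rwxr-x---".
perm_bits() {
    ls -ld -- "$1" | cut -c2-10
}

# Print the owning group of a directory (4th column of ls -ld).
group_of() {
    ls -ld -- "$1" | awk '{print $4}'
}

# check_gate MOUNTPOINT GROUP
# Returns 0 only if the parent of MOUNTPOINT grants nothing to "other",
# belongs to GROUP, and is readable/searchable by that group.
check_gate() {
    mountpoint=$1
    group=$2
    parent=$(dirname -- "$mountpoint")
    [ -d "$parent" ] || { echo "FAIL: $parent is not a directory"; return 2; }
    bits=$(perm_bits "$parent")
    grp=$(printf '%s' "$bits" | cut -c4-6)
    other=$(printf '%s' "$bits" | cut -c7-9)
    rc=0
    # Any r, w or x for "other" lets every local user reach the mount.
    # "--T" is the sticky bit without search permission, so it is harmless.
    case $other in
        ---|--T) ;;
        *) echo "FAIL: $parent grants '$other' to other users"; rc=1 ;;
    esac
    if [ "$(group_of "$parent")" != "$group" ]; then
        echo "FAIL: $parent is not owned by group $group"; rc=1
    fi
    # The group needs r and x (x is shown as s when setgid is set).
    case $grp in
        r?[xs]) ;;
        *) echo "FAIL: group bits '$grp' on $parent lack r-x"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $parent gates $mountpoint for group $group"
    return "$rc"
}

# Run after the install commands from the post, before mounting:
# check_gate /mnt/restic_mnt/restic_mount restic_mnt
```

Running the check before each mount catches the case where the parent directory was later loosened to 0755, which would expose the --allow-other mount to every local user.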