1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
|
.\" Copyright (c) 1994
.\" The Regents of the University of California. All rights reserved.
.\"
.\" This code is derived from software donated to Berkeley by
.\" Jan-Simon Pendry.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 4. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)mount_union.8 8.6 (Berkeley) 3/27/94
.\" $FreeBSD$
.\"
.Dd November 30, 2006
.Dt MOUNT_UNIONFS 8
.Os
.Sh NAME
.Nm mount_unionfs
.Nd mount union file systems
.Sh SYNOPSIS
.Nm
.Op Fl br
.Op Fl o Ar options
.Ar directory
.Ar uniondir
.Sh DESCRIPTION
The
.Nm
utility attaches
.Ar directory
above
.Ar uniondir
in such a way that the contents of both directory trees remain visible.
By default,
.Ar directory
becomes the
.Em upper
layer and
.Ar uniondir
becomes the
.Em lower
layer.
.Pp
The options are as follows:
.Bl -tag -width indent
.It Fl b
Deprecated. Use
.Fl o
.Ar below
instead.
.It Fl o
Options are specified with a
.Fl o
flag followed by an option.
The following options are available:
.Bl -tag -width indent
.It Cm below
Invert the default position, so that
.Ar directory
becomes the lower layer and
.Ar uniondir
becomes the upper layer.
However,
.Ar uniondir
remains the mount point.
.It Cm copymode=traditional | transparent | masquerade
Specifies the way to create a file or a directory in the upper layer
automatically when needed.
.Ar traditional
uses the same way as the old unionfs for backward compatibility, and
.Ar transparent
duplicates the file and directory mode bits and the ownership in the
lower layer to the created file in the upper layer.
For behavior of the
.Ar masquerade
mode, see
.Sx MASQUERADE MODE .
.It Cm udir=mode
Specifies directory mode bits in octal for
.Ar masquerade
mode.
.It Cm ufile=mode
Specifies file mode bits in octal for
.Ar masquerade
mode.
.It Cm gid=gid
Specifies group for
.Ar masquerade
mode.
.It Cm uid=uid
.uid
Specifies user for
.Ar masquerade
mode.
.El
.El
.Pp
To enforce file system security, the user mounting the file system
must be superuser or else have write permission on the mounted-on
directory.
In addition, the
.Va vfs.usermount
.Xr sysctl 8
variable must be set to 1 to permit file system mounting by ordinary users.
However, note that
.Ar transparent
and
.Ar masquerade
mode require
.Va vfs.usermount
be set to 0 because this functionality can only be used by superusers.
.Pp
Filenames are looked up in the upper layer and then in the
lower layer.
If a directory is found in the lower layer, and there is no entry
in the upper layer, then a
.Em shadow
directory will be created in the upper layer.
The ownership and the mode bits are set depending on the
.Ar copymode
option. In
.Ar traditional
mode, it will be owned by the user who originally did the
union mount, with mode 0777
.Dq rwxrwxrwx
modified by the umask in effect at that time.
.Pp
If a file exists in the upper layer then there is no way to access
a file with the same name in the lower layer.
If necessary, a combination of loopback and union mounts can be made
which will still allow the lower files to be accessed by a different
pathname.
.Pp
Except in the case of a directory,
access to an object is granted via the normal file system access checks.
For directories, the current user must have access to both the upper
and lower directories (should they both exist).
.Pp
Requests to create or modify objects in
.Ar uniondir
are passed to the upper layer with the exception of a few special cases.
An attempt to open for writing a file which exists in the lower layer
causes a copy of the
.Em entire
file to be made to the upper layer, and then for the upper layer copy
to be opened.
Similarly, an attempt to truncate a lower layer file to zero length
causes an empty file to be created in the upper layer.
Any other operation which would ultimately require modification to
the lower layer fails with
.Er EROFS .
.Pp
The union file system manipulates the namespace, rather than
individual file systems.
The union operation applies recursively down the directory tree
now rooted at
.Ar uniondir .
Thus any file systems which are mounted under
.Ar uniondir
will take part in the union operation.
This differs from the
.Em union
option to
.Xr mount 8
which only applies the union operation to the mount point itself,
and then only for lookups.
.Sh MASQUERADE MODE
When a file
.Pq or a directory
is created in the upper layer, the
.Ar masquerade
mode sets it the fixed access mode bits given in
.Ar ufile Pq for files
or
.Ar udir Pq for directories
option and the owner given in
.Ar udir
and
.Ar gid
options, instead of ones in the lower layer. Note that in the
.Ar masquerade
mode and when owner of the file or directory matches
one specified in
.Ar uid
option, only mode bits for the owner will be modified.
More specifically, the file mode bits in the upper layer will
be
.Pq mode in the lower layer
OR
.Pq Po mode given in .Ar ufile
AND 0700
.Pc , and the ownership will be the same as one in the lower layer.
.Pp
The default values for
.Ar ufile , udir , uid ,
and
.Ar gid
are as follow:
.Pp
.Bl -bullet -compact
.It
If both
.Ar ufile
and
.Ar udir
are not specified, access mode bits in the mount point will be used.
.It
If both
.Ar uid
and
.Ar gid
are not specified, ownership in the mount point will be used.
.It
If either
.Ar udir
or
.Ar ufile
is not specified, the other will be the same as the specified one.
.It
If either
.Ar uid
or
.Ar gid
is not specified, the other will be the same as the specified one.
.El
.Sh EXAMPLES
The commands
.Bd -literal -offset indent
mount -t cd9660 -o ro /dev/cd0 /usr/src
mount -t unionfs -o noatime /var/obj /usr/src
.Ed
.Pp
mount the CD-ROM drive
.Pa /dev/cd0
on
.Pa /usr/src
and then attaches
.Pa /var/obj
on top.
For most purposes the effect of this is to make the
source tree appear writable
even though it is stored on a CD-ROM. The
.Fl o Ar noatime
option is useful to avoid unnecessary copying from the lower to the
upper layer.
.Pp
The commands
.Bd -literal -offset indent
mount -t cd9660 -o ro /dev/cd0 /usr/src
chown 2020 /usr/src
mount -t unionfs -o noatime -o copymode=masquerade -o uid=builder \\
-o udir=755 -o ufile=644 /var/obj /usr/src
.Ed
.Pp
also mount the CD-ROM drive
.Pa /dev/cd0
on
.Pa /usr/src
and then attaches
.Pa /var/obj
on top. Furthermore, the owner of all files and directories in /usr/src
is a regular user with uid
.Pq 2020
when seen from the upper layer. Note that for the access mode bits,
ones in the lower layer
.Pq on the CD-ROM, in this example
are still used without change.
Thus, write privilege to the upper layer can be controlled
independently from access mode bits and ownership in the lower layer.
If a user does not have read privilege from the lower layer,
one cannot still read even when the upper layer is mounted by using
.Ar masquerade
mode.
.Pp
The command
.Bd -literal -offset indent
mount -t unionfs -o noatime -o below /sys $HOME/sys
.Ed
.Pp
attaches the system source tree below the
.Pa sys
directory in the user's home directory.
This allows individual users to make private changes
to the source, and build new kernels, without those
changes becoming visible to other users.
Note that the files in the lower layer remain
accessible via
.Pa /sys .
.Sh SEE ALSO
.Xr intro 2 ,
.Xr mount 2 ,
.Xr unmount 2 ,
.Xr fstab 5 ,
.Xr mount 8 ,
.Xr mount_nullfs 8
.Sh HISTORY
The
.Nm
utility first appeared in
.Bx 4.4 .
.Pp
The
.Fl r
option for hiding the lower layer completely was removed in
.Fx 7.0
because this is identical to using
.Xr mount_nullfs 8 .
.Sh AUTHORS
In
.Fx 7.0 ,
.An Masanori OZAWA Aq ozawa@ongs.co.jp
reimplemented handling of locking, whiteout, and file mode bits, and
.An Hiroki Sato Aq hrs@FreeBSD.org
wrote about the changes in this manual page.
.Sh BUGS
THIS FILE SYSTEM TYPE IS NOT YET FULLY SUPPORTED (READ: IT DOESN'T WORK)
AND USING IT MAY, IN FACT, DESTROY DATA ON YOUR SYSTEM.
USE AT YOUR
OWN RISK.
BEWARE OF DOG.
SLIPPERY WHEN WET.
.Pp
This code also needs an owner in order to be less dangerous - serious
hackers can apply by sending mail to
.Aq freebsd-fs@FreeBSD.org
and announcing
their intent to take it over.
.Pp
Without whiteout support from the file system backing the upper layer,
there is no way that delete and rename operations on lower layer
objects can be done.
.Er EROFS
is returned for this kind of operations along with any others
which would make modifications to the lower layer, such as
.Xr chmod 1 .
.Pp
Running
.Xr find 1
over a union tree has the side-effect of creating
a tree of shadow directories in the upper layer.
.Pp
The current implementation does not support copying extended attributes
for
.Xr acl 9 ,
.Xr mac 9 ,
or so on to the upper layer. Note that this may be a security issue.
.Pp
A shadow directory, which is one automatically created in the upper
layer when it exists in the lower layer and does not exist in the
upper layer, is always created with the superuser privilege.
However, a file copied from the lower layer in the same way
is created by the user who accessed it. Because of this,
if the user is not the superuser, even in
.Ar transparent
mode the access mode bits in the copied file in the upper layer
will not always be the same as ones in the lower layer.
This behavior should be fixed.
|
