~/fuse-rights-proxy.rb.html

#!/usr/bin/ruby

# Purpose:
# Allows to remap specified fs-tree to different place and let it
# be accessed & modified by specified user (uid)
#
# Example:
# Extremely handy to let others modify cgroup filesystem which can't
# be mounted under different uid...
#
# cd /dev
# mkdir cgroup cgroup.wfw
# mount cgroup cgroup -t cgroup -o devices
# ./fuse-rights-proxy.rb
# (elsewhere:) setuidgid wejn sh -c 'echo $$ > /dev/cgroup.wfw/tasks'
#
# Author: Wejn (wejn at box dot cz)
# License: MIT

require 'fusefs'

class FUSERightsProxy
    # constructor {{{
    def initialize(target, uid)
        unless FileTest.directory?(target)
            raise ArgumentError, "target: #{target} doesn't exist"
        end

        if uid.to_i.zero?
            raise ArgumentError, "uid should be non-root"
        end

        @target, @uid = target, uid.to_i
    end
    # }}}

    # dirlist {{{

    def contents(path)
        out = nil
        Dir.chdir(File.join(@target, path)) do
            out = Dir['*']
        end
        out
    end

    # }}}

    # tests {{{

    def directory?(path)
        FileTest.directory?(File.join(@target, path))
    end

    def file?(path)
        FileTest.file?(File.join(@target, path))
    end

    # }}}

    # file read {{{

    def read_file(path)
        File.open(File.join(@target, path)).read
    rescue Object
        nil
    end

    # }}}

    # file write {{{

    def can_write?(path)
        (FuseFS.uid.zero? || FuseFS.uid == @uid) && !directory?(path)
    end

    def write_to(path, str)
        File.open(File.join(@target, path), 'w') { |f| f.write(str) }
        true
    rescue Object
        nil
    end

    # }}}

    # file deletion {{{

    def can_delete?(path)
        # also needed for open(path, 'w')
        (FuseFS.uid.zero? || FuseFS.uid == @uid) && file?(path)
    end

    def delete(path)
        file?(path) && File.unlink(File.join(@target, path))
    rescue Object
        nil
    end

    # }}}

    # dir manipulation {{{

    def can_mkdir?(path)
        (FuseFS.uid.zero? || FuseFS.uid == @uid) && !directory?(path) && !file?(path)
    end

    def mkdir(path)
        Dir.mkdir(File.join(@target, path))
        true
    rescue Object
        nil
    end

    def can_rmdir?(path)
        (FuseFS.uid.zero? || FuseFS.uid == @uid) && directory?(path)
    end

    def rmdir(path)
        Dir.rmdir(File.join(@target, path))
        true
    rescue Object
        nil
    end

    # }}}
end

if __FILE__ == $0
    target = '/dev/cgroup'
    mpoint = '/dev/cgroup.wfw'
    uid = 1000

    unless FileTest.directory?(mpoint)
        STDERR.puts "mount point: #{mpoint} doesn't exist"
        exit 1
    end

    unless Process.uid.zero?
        STDERR.puts "must be run as root"
        exit 1
    end

    if File.open('/proc/filesystems').grep(/\sfuse/).empty?
        STDERR.puts "/proc/filesystems indicates lack of FUSE support;" +
            " modprobe it perhaps?"
        exit 1
    end

    unless File.open('/proc/mounts').grep(Regexp.new(mpoint)).empty?
        STDERR.puts "/proc/mounts indicates #{mpoint} is already mounted"
        exit 1
    end

    d = FUSERightsProxy.new(target, uid)
    FuseFS.set_root(d)
    FuseFS.mount_to(mpoint, "allow_other")
    begin
        FuseFS.run
    rescue Interrupt
    end
end