Is there an obvious reason why I'm having trouble monitoring kbfs with incrond?

[DiagonalArg]

Has anyone tried to monitor kbfs with incrond? My unison command works, but when I tried this in incrontab:

/run/user/1000/keybase/kbfs/ IN_ALL_EVENTS flock -n /tmp/synclock unison -batch keybase

with the syslog result:

Nov 24 03:53:05 ThinkPad incrond[5820]: access denied on /run/user/1000/keybase/kbfs/ - events will be discarded silently
Nov 24 03:53:05 ThinkPad incrond[5820]: cannot create watch for user me: (13) Permission denied

incrond is running as root and "unconfined", which I presume relates to selinux (?)

$ ps -eo euser,ruser,suser,fuser,f,comm,label | grep incron
root     root     root     root     5 incrond         unconfined

Is there some reason kbfs is blocking this?

[strib]

root doesn't have access to kbfs to prevent OS processes from indexing your files. Also, it requires communication with a keybase daemon running as a user, and root wouldn't know which one to communicate with if multiple users are running keybase.

[DiagonalArg]

@strib - confusing to me that /run/.../kbfs reports ownership as me:root. Presumable root is part of the root group - but then, perhaps there's something about linux permissions that I don't understand (?)

You don't off-hand know how to run incond as my user, do you? I'm on ubuntu, which is now systemd.

[strib]

The reported permissions aren't the issue -- the OS is policing access at the mount level, and we're not mounting with the FUSE option of allow_root.

I know nothing about incond, sorry.

[DiagonalArg]

I see. I gather that option is in /etc/fuse.conf. Since there's only one user on this machine and I'm not concerned about indexing (though there's probably some other way to turn that off), are there any implications of my adding allow_root?

Edit: Well, I tried doing that, with no effect. I do see the function AllowRoot() in the kbfs code. Is there some way to switch this on?

[strib]

You have to have it both in fuse.conf and the code has to pass in the option when mounting. We don't currently have a way to turn that on without editing and recompiling the code.

[DiagonalArg]

Ok, I don't know whether incron would run under my own username and still be able to monitor activity - I'll try and give a report here. The only other option I can see is to use cron, and sync perhaps every 60 seconds. I might suggest you all consider passing through this option if it's been added to fuse's .conf. Waiting to respond to filesystem events would certainly be more efficient than repeatedly running rsync.

[DiagonalArg]

Well, such approaches as inotify and incron need root to monitor the FS. Since kbfs isn't allowing root access, the only approach I can see, as suggested by someone on chat, is to run keybase as root. There have been some glitches with that, but I'll keep hammering at it.

[DiagonalArg]

That's not going to work either. While something like inotify/incron on the user level is possible, the FUSE developers have labeled it a "won't fix".