Configure FUSE for non-root user access (#1849)

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

Author: mishushakov

packages/orchestrator/pkg/template/build/phases/base/provision.sh

@@ -38,6 +38,11 @@ else
     echo "All required packages are already installed."
 fi
 
+# Set /dev/fuse permissions to 666 for non-root access
+# Use systemd-tmpfiles to set permissions at boot
+mkdir -p /etc/tmpfiles.d
+echo 'z /dev/fuse 0666 root root -' > /etc/tmpfiles.d/fuse.conf
+
 echo "Setting up shell"
 echo "export SHELL='/bin/bash'" >/etc/profile.d/shell.sh
 echo "export PS1='\w \$ '" >/etc/profile.d/prompt.sh

tests/integration/internal/tests/api/sandboxes/sandbox_fuse_test.go

@@ -0,0 +1,51 @@
+package sandboxes
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/e2b-dev/infra/tests/integration/internal/setup"
+	"github.com/e2b-dev/infra/tests/integration/internal/utils"
+)
+
+func TestFuseDevicePermissions(t *testing.T) {
+	t.Parallel()
+	ctx := t.Context()
+
+	client := setup.GetAPIClient()
+	sbx := utils.SetupSandboxWithCleanup(t, client)
+
+	envdClient := setup.GetEnvdClient(t, ctx)
+
+	// Log detailed /dev/fuse info for debugging
+	lsOutput, _ := utils.ExecCommandAsRootWithOutput(t, ctx, sbx, envdClient, "ls", "-la", "/dev/fuse")
+	t.Logf("/dev/fuse listing: %s", strings.TrimSpace(lsOutput))
+
+	// Check /dev/fuse permissions - should be 0666 (crw-rw-rw-)
+	output, err := utils.ExecCommandAsRootWithOutput(t, ctx, sbx, envdClient, "stat", "-c", "%a", "/dev/fuse")
+	require.NoError(t, err, "Failed to stat /dev/fuse")
+	t.Logf("/dev/fuse permissions: %s", strings.TrimSpace(output))
+	assert.Equal(t, "666", strings.TrimSpace(output), "Expected /dev/fuse to have permissions 666")
+}
+
+func TestFuseNonRootAccess(t *testing.T) {
+	t.Parallel()
+	ctx := t.Context()
+
+	client := setup.GetAPIClient()
+	sbx := utils.SetupSandboxWithCleanup(t, client)
+
+	envdClient := setup.GetEnvdClient(t, ctx)
+
+	// Test that non-root user can open /dev/fuse for reading
+	// This verifies the device permissions are set correctly
+	err := utils.ExecCommand(t, ctx, sbx, envdClient, "test", "-r", "/dev/fuse")
+	require.NoError(t, err, "Non-root user should be able to read /dev/fuse")
+
+	// Test that non-root user can open /dev/fuse for writing
+	err = utils.ExecCommand(t, ctx, sbx, envdClient, "test", "-w", "/dev/fuse")
+	require.NoError(t, err, "Non-root user should be able to write to /dev/fuse")
+}

tests/integration/internal/tests/api/templates/build_template_test.go

@@ -1157,3 +1157,31 @@ func TestTemplateBuildCOPY(t *testing.T) {
 		},
 	))
 }
+
+func TestTemplateBuildFuseConfiguration(t *testing.T) {
+	t.Parallel()
+
+	// Test that FUSE is configured to allow non-root users:
+	// - /etc/tmpfiles.d/fuse.conf sets /dev/fuse permissions at boot
+	// - /dev/fuse has actual permissions 666
+	buildConfig := api.TemplateBuildStartV2{
+		Force:     utils.ToPtr(ForceBaseBuild),
+		FromImage: utils.ToPtr("ubuntu:22.04"),
+		Steps: utils.ToPtr([]api.TemplateStep{
+			{
+				Type: "RUN",
+				Args: utils.ToPtr([]string{
+					"grep -q 'z /dev/fuse 0666 root root -' /etc/tmpfiles.d/fuse.conf",
+				}),
+			},
+			{
+				Type: "RUN",
+				Args: utils.ToPtr([]string{
+					"echo \"Checking /dev/fuse permissions:\"; ls -la /dev/fuse; stat -c 'mode=%a owner=%U group=%G' /dev/fuse; test $(stat -c %a /dev/fuse) = '666'",
+				}),
+			},
+		}),
+	}
+
+	assert.True(t, buildTemplate(t, "test-ubuntu-fuse-config", buildConfig, defaultBuildLogHandler(t)))
+}