bindfs: The FUSE Mount That Lies About Who Owns Your Files

2026-05-31

You've hit this wall: a directory owned by UID 1000 that needs to look like UID 33 (www-data) for a web server, or backup files from an NFS share where the UIDs don't match, or a read-only mount you need to pretend is writable for a chroot test. The kernel's mount --bind can't help — it shows the exact same inodes with the exact same permissions. The classic answer was chown -R, which is destructive and only works if you have root and the source filesystem cooperates.

bindfs is a FUSE filesystem that mirrors a directory while rewriting ownership, permissions, and even whole UID maps on the fly. Source files aren't touched. It's been in Debian since 2006 and remains one of the most useful tools nobody installed.

The basic invocation looks like a fancy bind mount:

bindfs /home/shaun/site /var/www/site

Now the interesting flags. Force everything to appear as www-data so nginx is happy:

bindfs --force-user=www-data --force-group=www-data \
       --perms=u=rwX:g=rX:o= \
       /home/shaun/site /var/www/site

Your files on disk remain owned by you. The web server sees what it needs. Edit a file in your editor, no chown dance afterwards.

UID remapping for NFS misery — local user 1000 should appear as 2000 in the mirror, and vice versa:

bindfs --map=1000/2000:@1000/@2000 /nfs/raw /nfs/mapped

The @ prefix means group, the colon separates entries, and the mapping is bidirectional so writes round-trip correctly.

A genuinely clever pattern — show each user only their own files in a shared tree:

bindfs --mirror-only=alice,bob,carol /srv/shared /srv/view
# Anyone not in the list gets EACCES, even root by default

Need a read-only view of a writable tree without remounting the underlying filesystem?

bindfs -r /etc /tmp/etc-snapshot
# Scripts can poke around with zero risk of accidental writes

Combine with overlayfs and you have a poor man's container. The reverse trick — making a read-only source appear writable (writes silently dropped, the calling process sees success) — is invaluable for testing software that demands write access it doesn't actually need.

Why this beats the alternatives:

One caveat: it's FUSE, so there's syscall overhead — don't put it under a database hot path. For everything else (config dirs, web roots, backup staging, chroot prep, dev environments where UIDs don't match production), it's nearly invisible. Unmount with fusermount -u /mountpoint when done, or pass -o nonempty to layer it over a mountpoint that already has files. Add --no-allow-other for a private mount only your UID can see, which is the right default for anything sensitive.
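To check which bindfs mounts on a host are reachable by other UIDs, the mount table can be audited. The script below is an added example, not part of the original newsletter or of the bindfs project; it assumes bindfs mounts appear with filesystem type fuse.bindfs in a /proc/mounts-style table, and the function names and sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not bindfs's own code): list bindfs mounts and flag the ones
# that other UIDs can reach. Assumption: bindfs mounts carry fstype
# "fuse.bindfs" in a /proc/mounts-style table
# (fields: source mountpoint fstype options dump pass).

# audit_bindfs [FILE|-]
# Prints one line per bindfs mount:
#   <SHARED|PRIVATE> <rw|ro> <mountpoint> <- <source>
# SHARED means the allow_other FUSE option is present.
audit_bindfs() {
    awk '$3 == "fuse.bindfs" {
        n = split($4, opt, ",")
        shared = "PRIVATE"; mode = "rw"
        for (i = 1; i <= n; i++) {
            if (opt[i] == "allow_other") shared = "SHARED"
            if (opt[i] == "ro") mode = "ro"
        }
        printf "%s %s %s <- %s\n", shared, mode, $2, $1
    }' "${1:-/proc/mounts}"
}

# count_shared_rw [FILE|-]
# Number of bindfs mounts that are both writable and open to other UIDs,
# i.e. the ones worth reviewing first.
count_shared_rw() {
    audit_bindfs "$@" | awk '$1 == "SHARED" && $2 == "rw"' | wc -l | tr -d ' '
}

# Constructed sample mount table so the audit runs without any live mounts.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/home/shaun/site /var/www/site fuse.bindfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,default_permissions,allow_other 0 0
/etc /tmp/etc-snapshot fuse.bindfs ro,nosuid,nodev,relatime,user_id=0,group_id=0,default_permissions,allow_other 0 0
/home/shaun/keys /home/shaun/keys-view fuse.bindfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,default_permissions 0 0
EOF
}

# Demo on the constructed table; call audit_bindfs with no argument to read
# the live /proc/mounts instead.
sample_mounts | audit_bindfs -
```

A mount reported as SHARED rw over a directory holding secrets is the case the --no-allow-other advice is aimed at.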

Key Takeaway: When you need a directory to appear with different ownership or permissions without changing a single byte on disk, bindfs is the FUSE-powered illusion that gets you there in one command.
