Public bug reported:

Host system mounts an encrypted directory with the '--public' flag under
the root shell to the /folder mountpoint.
Then an unprivileged LXC container bind mounts the folder using the
'mount.entry' option.
LXC container runs with uid/gid mapping so that the root user inside the
container has uid=100000/gid=100000 and respectively, the www-data user
inside LXC has uid=1000333/gid=1000333.
The mountpoint /folder permissions are set (on the host) like so:
chown 100000:100033 /folder
chmod 0770 /folder

Inside the container the local root user has write permissions and can
create any object.
The www-data user inside LXC seems also to have write access but
unexpectedly has issues:
cd /folder => OK
test -w /folder && echo OK => OK
touch /folder/file => Access denied

The same configuration except when the /folder is not an encfs mount
works perfectly.

Some other weird issues exist when the LXC local user is a member of
several groups but the folder is not the main gid of the user but one of
the supplemental groups. For instance, "touch" and "mkdir" work but "ln
-s" does not.

** Affects: encfs (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

- Host system mounts an encrypted directory with the '--public' under the root shell to the /folder mountpoint.
- Then an unprivileged LXC container bind mounts the folder using the 'mount.entry' option.
+ Host system mounts an encrypted directory with the '--public' flag under the root shell to the /folder mountpoint.
+ Then an unprivileged LXC container bind mounts the folder using the 'mount.entry' option.
  LXC container runs with uid/gid mapping so that the root user inside the container has uid=100000/gid=100000 and respectively, the www-data user inside LXC has uid=1000333/gid=1000333.
  The mountpoint /folder permissions are set (on the host) like so:
  chown 100000:100033 /folder
  chmod 0770 /folder
  
  Inside the container the local root user has write permissions and can create any object.
  The www-data user inside LXC seems also to have write access but unexpectedly has issues:
  cd /folder => OK
  test -w /folder && echo OK => OK
  touch /folder/file => Access denied
  
  The same configuration except when the /folder is not an encfs mount works perfectly.
  
  Some other weird issues exist when the LXC local user is a member of several groups but the folder is not the main gid of the user. For instance, "touch" and "mkdir" work but "ln -s" does not.

** Description changed:

  Host system mounts an encrypted directory with the '--public' flag under the root shell to the /folder mountpoint.
  Then an unprivileged LXC container bind mounts the folder using the 'mount.entry' option.
  LXC container runs with uid/gid mapping so that the root user inside the container has uid=100000/gid=100000 and respectively, the www-data user inside LXC has uid=1000333/gid=1000333.
  The mountpoint /folder permissions are set (on the host) like so:
  chown 100000:100033 /folder
  chmod 0770 /folder
  
  Inside the container the local root user has write permissions and can create any object.
  The www-data user inside LXC seems also to have write access but unexpectedly has issues:
  cd /folder => OK
  test -w /folder && echo OK => OK
  touch /folder/file => Access denied
  
  The same configuration except when the /folder is not an encfs mount works perfectly.
  
  Some other weird issues exist when the LXC local user is a member of
- several groups but the folder is not the main gid of the user. For
- instance, "touch" and "mkdir" work but "ln -s" does not.
+ several groups but the folder is not the main gid of the user but one of
+ the supplemental groups. For instance, "touch" and "mkdir" work but "ln
+ -s" does not.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1662880

Title:
  LXC write access denied in encfs-mounted folder

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/encfs/+bug/1662880/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
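The checks in the report are worth running as one script, because they do not all ask the same question: `test -w` is an access(2) query answered from the directory's mode bits, while `touch`, `mkdir` and `ln -s` each issue a different create operation (create, mkdir, symlink), and on a FUSE-backed mount such as encfs those can be answered by different code paths than the access check. The probe below, added here as an example and not part of the bug report or of encfs or LXC, runs the report's sequence against one directory as the calling user and reports which operation is refused; the `id` and `ls -ldn` lines show how the host ownership appears inside the container (ids outside the container's uid/gid map show as 65534). The directory path and the `.probe.<pid>` file names are this script's own choices.

```shell
#!/bin/sh
# Added diagnostic (not part of the bug report): run the report's checks
# against one directory and report which ones are refused.
# Meant to be run inside the container as the affected user, e.g.:
#   su -s /bin/sh www-data -c 'sh probe.sh /folder'
# Returns the number of denied operations (0 = everything worked).

probe_dir() {
    dir=$1
    denied=0
    stamp=".probe.$$"

    # Who is asking, and how the directory looks from here. In an
    # unprivileged container, host ids outside the uid/gid map show up
    # as 65534 (nobody/nogroup) in the ls output.
    printf 'caller : %s\n' "$(id)"
    printf 'target : %s\n' "$(ls -ldn "$dir")"

    # 1. What `test -w` asks: access(2) with W_OK, a permission query
    #    that creates nothing.
    if [ -w "$dir" ]; then
        echo 'test -w : OK'
    else
        echo 'test -w : DENIED'
        denied=$((denied + 1))
    fi

    # 2. The operations that actually create an entry. Each is a
    #    different VFS operation (create, mkdir, symlink), so a FUSE
    #    filesystem can accept one and refuse another.
    if touch "$dir/$stamp.f" 2>/dev/null; then
        echo 'touch   : OK'
        rm -f "$dir/$stamp.f"
    else
        echo 'touch   : DENIED'
        denied=$((denied + 1))
    fi

    if mkdir "$dir/$stamp.d" 2>/dev/null; then
        echo 'mkdir   : OK'
        rmdir "$dir/$stamp.d"
    else
        echo 'mkdir   : DENIED'
        denied=$((denied + 1))
    fi

    if ln -s /nonexistent "$dir/$stamp.l" 2>/dev/null; then
        echo 'ln -s   : OK'
        rm -f "$dir/$stamp.l"
    else
        echo 'ln -s   : DENIED'
        denied=$((denied + 1))
    fi

    return "$denied"
}

# Stand-alone use: probe the directory named on the command line.
if [ -n "$1" ]; then
    probe_dir "$1"
fi
```

Run it twice to localise the fault: once against the encfs-backed /folder and once against a plain bind-mounted directory with the same ownership and mode. A difference between the two runs with the same `caller` line points at the filesystem rather than at the mapping, and the supplementary-group variant from the report is covered by the `id` output, which lists every group the caller holds.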