LXC write access denied in encfs-mounted folder

Bug #1662880 reported by Luke
Affects: encfs (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned

Bug Description

Host system mounts an encrypted directory with the '--public' flag under the root shell to the /folder mountpoint.
Then an unprivileged LXC container bind mounts the folder using the 'mount.entry' option.
The LXC container runs with uid/gid mapping so that the root user inside the container has uid=100000/gid=100000 and, respectively, the www-data user inside LXC has uid=1000333/gid=1000333.
The mountpoint /folder permissions are set (on the host) like so:

chown 100000:100033 /folder
chmod 0770 /folder

Inside the container the local root user has write permissions and can create any object.
The www-data user inside LXC also seems to have write access but unexpectedly runs into issues:

cd /folder => OK
test -w /folder && echo OK => OK
touch /folder/file => Access denied

The same configuration works perfectly when /folder is not an encfs mount.

Some other weird issues exist when the LXC local user is a member of several groups but the folder's group is not the user's primary gid but one of the supplementary groups. For instance, "touch" and "mkdir" work but "ln -s" does not.
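Added illustration, not part of the report: this Python models the container-to-host uid/gid translation and the plain Unix permission check for the setup described above, including the supplementary-group case. The LXC id-map layout (the `lxc.idmap = u 0 100000 65536` form) and www-data's container uid/gid of 33 are assumptions. The model agrees with `test -w`, which is an access-style check, so the denied `touch` in the report is decided somewhere other than the directory's mode bits.

```python
from typing import Iterable, List, Tuple

# Constructed id map in LXC's "kind container_start host_start count" layout.
# Root in the container (0) becomes host uid/gid 100000, as in the report.
IDMAP: List[Tuple[str, int, int, int]] = [
    ("u", 0, 100000, 65536),
    ("g", 0, 100000, 65536),
]

def map_id(kind: str, cid: int, idmap=IDMAP) -> int:
    """Translate a container uid ('u') or gid ('g') to the host id it appears as."""
    for k, cstart, hstart, count in idmap:
        if k == kind and cstart <= cid < cstart + count:
            return hstart + (cid - cstart)
    raise ValueError(f"{kind}id {cid} is not mapped into the container")

def dac_allows(mode: int, owner_uid: int, owner_gid: int,
               uid: int, gids: Iterable[int], want: int) -> bool:
    """Classic owner/group/other check, no root override.

    `want` is a mask of the rwx bits (4, 2, 1) the caller needs.
    Supplementary groups count, exactly as the kernel's DAC check does.
    """
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in set(gids):
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want

def check_bind_mount(host_mode: int, host_uid: int, host_gid: int,
                     c_uid: int, c_gids: Iterable[int], want: int = 2) -> bool:
    """Would a container user get `want` on a host directory bind-mounted into it?"""
    h_uid = map_id("u", c_uid)
    h_gids = {map_id("g", g) for g in c_gids}
    return dac_allows(host_mode, host_uid, host_gid, h_uid, h_gids, want)

if __name__ == "__main__":
    # The report's host-side setup: chown 100000:100033 /folder; chmod 0770 /folder
    MODE, OWNER_UID, OWNER_GID = 0o770, 100000, 100033
    print(check_bind_mount(MODE, OWNER_UID, OWNER_GID, 0, [0]))           # container root
    print(check_bind_mount(MODE, OWNER_UID, OWNER_GID, 33, [33]))         # www-data (assumed 33:33)
    print(check_bind_mount(MODE, OWNER_UID, OWNER_GID, 1000, [1000, 33])) # 33 only as supplementary
    print(check_bind_mount(MODE, OWNER_UID, OWNER_GID, 1000, [1000]))     # unrelated user
```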

