LXC write access denied in encfs-mounted folder
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
encfs (Ubuntu) |
New
|
Undecided
|
Unassigned |
Bug Description
Host system mounts an encrypted directory with the '--public' flag under the root shell to the /folder mountpoint.
Then an unprivileged LXC container bind mounts the folder using the 'mount.entry' option.
LXC container runs with uid/gid mapping so that root user inside the container has uid=100000/
The mountpoint /folder permissions are set (on the host) like so:
chown 100000:100033 /folder
chmod 0770 /folder
Inside the container the local root user has write permissions and can create any object.
The www-data user inside LXC seems also to have write access but unexpectedly has issues:
cd /folder => OK
test -w /folder && echo OK => OK
touch /folder/file => Access denied
The same configuration except when the /folder is not a encfs-mount works perfectly.
Some other weird issues exist when the LXC local user is a member of several groups but the folder is not the main gid of the user but one of the supplemental groups. For instance, "touch" and "mkdir" work but "ln -s" does not.
description: | updated |
description: | updated |