2017-02-08 12:50:15 |
Luke |
description |
The host system mounts an encrypted directory with '--public' from the root shell at the /folder mountpoint.
Then an unprivileged LXC container bind-mounts the folder using the 'mount.entry' option.
The LXC container runs with uid/gid mapping so that the root user inside the container has uid=100000/gid=100000 and, respectively, the www-data user inside LXC has uid=1000333/gid=1000333.
The mountpoint /folder permissions are set (on the host) like so:
chown 100000:100033 /folder
chmod 0770 /folder
Inside the container the local root user has write permissions and can create any object.
The www-data user inside LXC also seems to have write access but unexpectedly has issues:
cd /folder => OK
test -w /folder && echo OK => OK
touch /folder/file => Access denied
The same configuration works perfectly when /folder is not an encfs mount.
Some other weird issues exist when the LXC local user is a member of several groups but the folder's group is not the main gid of the user. For instance, "touch" and "mkdir" work but "ln -s" does not. |
The host system mounts an encrypted directory with the '--public' flag from the root shell at the /folder mountpoint.
Then an unprivileged LXC container bind-mounts the folder using the 'mount.entry' option.
The LXC container runs with uid/gid mapping so that the root user inside the container has uid=100000/gid=100000 and, respectively, the www-data user inside LXC has uid=1000333/gid=1000333.
The mountpoint /folder permissions are set (on the host) like so:
chown 100000:100033 /folder
chmod 0770 /folder
Inside the container the local root user has write permissions and can create any object.
The www-data user inside LXC also seems to have write access but unexpectedly has issues:
cd /folder => OK
test -w /folder && echo OK => OK
touch /folder/file => Access denied
The same configuration works perfectly when /folder is not an encfs mount.
Some other weird issues exist when the LXC local user is a member of several groups but the folder's group is not the main gid of the user. For instance, "touch" and "mkdir" work but "ln -s" does not. |
|
2017-02-08 12:52:52 |
Luke |
description |
The host system mounts an encrypted directory with the '--public' flag from the root shell at the /folder mountpoint.
Then an unprivileged LXC container bind-mounts the folder using the 'mount.entry' option.
The LXC container runs with uid/gid mapping so that the root user inside the container has uid=100000/gid=100000 and, respectively, the www-data user inside LXC has uid=1000333/gid=1000333.
The mountpoint /folder permissions are set (on the host) like so:
chown 100000:100033 /folder
chmod 0770 /folder
Inside the container the local root user has write permissions and can create any object.
The www-data user inside LXC also seems to have write access but unexpectedly has issues:
cd /folder => OK
test -w /folder && echo OK => OK
touch /folder/file => Access denied
The same configuration works perfectly when /folder is not an encfs mount.
Some other weird issues exist when the LXC local user is a member of several groups but the folder's group is not the main gid of the user. For instance, "touch" and "mkdir" work but "ln -s" does not. |
The host system mounts an encrypted directory with the '--public' flag from the root shell at the /folder mountpoint.
Then an unprivileged LXC container bind-mounts the folder using the 'mount.entry' option.
The LXC container runs with uid/gid mapping so that the root user inside the container has uid=100000/gid=100000 and, respectively, the www-data user inside LXC has uid=1000333/gid=1000333.
The mountpoint /folder permissions are set (on the host) like so:
chown 100000:100033 /folder
chmod 0770 /folder
Inside the container the local root user has write permissions and can create any object.
The www-data user inside LXC also seems to have write access but unexpectedly has issues:
cd /folder => OK
test -w /folder && echo OK => OK
touch /folder/file => Access denied
The same configuration works perfectly when /folder is not an encfs mount.
Some other weird issues exist when the LXC local user is a member of several groups but the folder's group is not the main gid of the user but one of the supplemental groups. For instance, "touch" and "mkdir" work but "ln -s" does not. |
|
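The sequence in the report (cd, test -w, touch, plus the mkdir and ln -s cases from the supplemental-group note) can be turned into a single diagnostic that is run inside the container as the affected user and reports which step diverges. The script below is an added example written for this page, not code from the bug report or from encfs or LXC; the function names probe_op and probe_dir and the probe.$$ file names are made up for the illustration. It records the caller's uid/gid/groups and the directory's numeric owner and mode, because in a uid-mapped container those numbers are what the host-side encfs daemon ends up seeing, and it distinguishes the symptom in the report (access(2) says writable, the create fails) from a directory that is simply not writable.

```shell
#!/bin/sh
# Added diagnostic for the encfs --public / LXC symptom described above.
# Not part of the bug report; probe_op and probe_dir are names chosen here.
# Run inside the container as the user that misbehaves, for example:
#   su -s /bin/sh www-data -c 'sh probe.sh /folder'

# probe_op NAME CMD...: run CMD quietly, print "NAME OK" or "NAME FAIL",
# and return the command's status so the caller can count failures.
probe_op() {
    name=$1
    shift
    if "$@" >/dev/null 2>&1; then
        echo "$name OK"
        return 0
    fi
    echo "$name FAIL"
    return 1
}

# probe_dir DIR: reproduce the report's checks against DIR.
# Returns 0 when access(2) and the real operations agree (all succeed),
# 1 when test -w says writable but touch/mkdir/ln -s fails (the symptom),
# 2 when the directory is not even reported as writable.
probe_dir() {
    dir=$1
    fail=0
    # Numeric ids on both sides: these are what the permission check
    # is actually made with, regardless of the names in the container.
    echo "caller: $(id)"
    echo "target: $(ls -ldn "$dir")"
    probe_op "cd" sh -c "cd \"$dir\"" || fail=$((fail + 1))
    # test -w is access(2): the kernel answers it from the inode's mode,
    # so it can say OK even when the create below is refused.
    if ! probe_op "test-w" test -w "$dir"; then
        return 2
    fi
    stamp="probe.$$"
    probe_op "touch" touch "$dir/$stamp.file" || fail=$((fail + 1))
    probe_op "mkdir" mkdir "$dir/$stamp.dir" || fail=$((fail + 1))
    probe_op "symlink" ln -s /dev/null "$dir/$stamp.link" || fail=$((fail + 1))
    # Clean up whatever was created; failures here are not interesting.
    rm -f "$dir/$stamp.file" "$dir/$stamp.link"
    rmdir "$dir/$stamp.dir" 2>/dev/null || true
    [ "$fail" -eq 0 ]
}

# Stand-alone use: probe the directory given on the command line.
if [ -n "$1" ]; then
    probe_dir "$1"
    echo "result: $?"
fi
```

Run it twice with the same user and directory, once with /folder backed by encfs --public and once with a plain directory, and compare the two outputs: a "test-w OK" followed by "touch FAIL" only on the encfs run is the report's case, and a run where touch and mkdir pass but symlink fails is the supplemental-group case. The "caller:" and "target:" lines make the mapped numeric ids visible so the chown values on the host can be checked against what the container user actually presents.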