In rootful containers, the solution to this problem is run with --user "$(id -u):$(id -g)"
however this does not work for rootless container systems (rootless docker, or in my case podman):
$ mkdir x
$ podman run --user "$(id -u):$(id -g)" -v "$PWD/x:/x:rw" ubuntu:focal bash -c 'echo hi >> /x/test'
bash: /x/test: Permission denied
so for rootless container systems I should remove --user
since the root user is automatically mapped to the calling user:
$ podman run -v "$PWD/x:/x:rw" ubuntu:focal bash -c 'echo hi >> /x/test'
$ ls -al x
total 12
drwxr-xr-x 2 asottile asottile 4096 Sep 3 10:02 .
drwxrwxrwt 18 root root 4096 Sep 3 10:01 ..
-rw-r--r-- 1 asottile asottile 3 Sep 3 10:02 test
but, because this is now the root user, they can change the ownership to users which are undeletable outside the container:
$ podman run -v "$PWD/x:/x:rw" ubuntu:focal bash -c 'mkdir -p /x/1/2/3 && chown -R nobody /x/1'
$ ls -al x/
total 16
drwxr-xr-x 3 asottile asottile 4096 Sep 3 10:03 .
drwxrwxrwt 18 root root 4096 Sep 3 10:01 ..
drwxr-xr-x 3 165533 asottile 4096 Sep 3 10:03 1
-rw-r--r-- 1 asottile asottile 3 Sep 3 10:02 test
$ rm -rf x/
rm: cannot remove 'x/1/2/3': Permission denied
so my question is: how do I allow writes to a mount, but prevent changing ownership for rootless containers?
I think
--user $(id -u):$(id -g) --userns=keep-id
will get what you want. Regarding deleting files and directories that are not owned by your normal UID and GID (but from the extra ranges in /etc/subuid and /etc/subgid), you could use
podman unshare rm filepath
and
podman unshare rm -rf directorypath
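As an added example (not from the question or the answer above), the script below works out which host UIDs in a bind mount come from the rootless user namespace and therefore need `podman unshare` to remove. It assumes the default rootless-podman mapping (container UID 0 is the caller's own UID, container UIDs 1..count map in order onto the /etc/subuid range), a constructed /etc/subuid entry `asottile:100000:65536`, and a caller UID of 1000; under that mapping the `165533` owner from the question's listing is container UID 65534, i.e. `nobody`.

```shell
#!/bin/sh
# Added example, not from the question or answer above.
# Assumption: the default rootless-podman mapping, where container UID 0 is the
# calling user's own UID and container UIDs 1..count map, in order, onto the
# subordinate range start..start+count-1 taken from /etc/subuid.

# Constructed /etc/subuid content for the user in the question (not the real file).
SUBUID_SAMPLE='asottile:100000:65536'

# subuid_range USER SUBUID_CONTENT -> prints "start count" for USER
subuid_range() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2, $3; exit }'
}

# container_uid HOST_UID CALLER_UID START COUNT
# Prints the in-container UID that HOST_UID corresponds to, or "unmapped" when
# the UID belongs neither to the caller nor to the caller's subordinate range.
container_uid() {
    host_uid=$1; caller_uid=$2; start=$3; count=$4
    if [ "$host_uid" -eq "$caller_uid" ]; then
        echo 0
    elif [ "$host_uid" -ge "$start" ] && [ "$host_uid" -lt $((start + count)) ]; then
        echo $((host_uid - start + 1))
    else
        echo unmapped
    fi
}

# explain_owner HOST_UID PATH CALLER_UID START COUNT
# Files owned by a subordinate UID can only be removed from inside the user
# namespace, i.e. via `podman unshare`.
explain_owner() {
    cuid=$(container_uid "$1" "$3" "$4" "$5")
    case $cuid in
        0)        echo "$2: owned by you; plain rm works" ;;
        unmapped) echo "$2: uid $1 is outside your namespace; cannot remove as your user" ;;
        *)        echo "$2: container uid $cuid; remove with: podman unshare rm -rf '$2'" ;;
    esac
}

# Walk the listing from the question ("uid path" pairs constructed from its ls output;
# the caller's UID 1000 is assumed).
demo() {
    set -- $(subuid_range asottile "$SUBUID_SAMPLE")
    printf '%s\n' '1000 x/test' '165533 x/1' | while read -r uid path; do
        explain_owner "$uid" "$path" 1000 "$1" "$2"
    done
}
demo
```

On a real system, replace `SUBUID_SAMPLE` with the contents of `/etc/subuid` and feed the output of `find DIR -printf '%U %p\n'` into `explain_owner`.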