search

containers / crun

A fast and lightweight fully featured OCI runtime and C library for running containers
GNU General Public License v2.0
2.99k stars 304 forks source link

Cannot run any container if storage location is owned by a group that is not the users main group (rootless mode) #1483

Closed lapseofreason closed 3 months ago

lapseofreason commented 3 months ago

Running a container in rootless mode with podman fails if a parent directory is owned by a group that is not owned by the user or by the users main group.

For example, if the username is user with main group user, then a directory with permissions drwxrwx---. and ownership root userdata as a parent path of the storage location leads to a failure to run any container, even if user has the group userdata.

Steps to reproduce:

  1. Use the following storage.conf (in ~/.config/containers/: 
    [storage]
driver = "overlay"
runroot = "/run/user/1000"
graphroot = "/tmp/podman-test/storage"
[storage.options]
mount_program = "/usr/bin/fuse-overlayfs"
  2. Create a group userdata, add user to it and reboot.
  3. Change permissions & group on folder: 
    chown root:userdata /tmp/podman-test/
chmod ug+rwx /tmp/podman-test/
chmod o-rwx /tmp/podman-test/
  4. Run a container with a non-root user: podman run alpine ls

Expected result:

The container is run successfully.

Actual result:

The following error is raised:

Error: crun: make `/tmp/podman-test/storage/overlay/92d9e05b417080948da582a7692770bb91c16d8e84e9bf78f58d13739cce1b92/merged` private: Permission denied: OCI permission denied

After running chown root.user /tmp/podman-test/, the container runs successfully.

giuseppe commented 3 months ago

the container cannot run. You need to fix the permissions on the storage directory as you with chown.

An user in a user namespace doesn't gain the capability of accessing root owned directories.

lapseofreason commented 3 months ago

@giuseppe Thanks for your reply!

What kind of permissions are you talking about? The user has access to the storage directory because he is member of the userdata group and the permissions are set to g+rwx. With his other group user (his primary group) it works fine, even if the directory is owned by root.

It also works if the parent directory is owned by the root user and group as long as there are o+rwx permissions, so I don't see what the difference is there.

giuseppe commented 3 months ago

the rootless user loses access to its supplementary groups unless you specify --group-add=keep-groups (be careful this is a crun-only feature)

lapseofreason commented 3 months ago

I see, thanks for clarifying this, I was not aware of this.

I get a different error when I add this:

podman run --group-add userdata alpine ls
Error: looking up supplemental groups for container 4d965e2e15d9bc1bbff9cb2dc81d6cd8d9cc3fbf88639d116933665d33d8cc9e: Unable to find group userdata: no matching entries in group file

But I guess I need to check the docs what groupfile it is checking here, because /etc/group has the group for the user.

Edit: Sorry, I figured it out, I need to use podman run --group-add keep-groups alpine ls.

giuseppe commented 3 months ago

no, you need to use exactly --group-add=keep-groups. keep-groups has a specific meaning and it won't drop the current additional GIDs in the container (that means you cannot change groups inside the container to something else)