Allow a LXC container user to write as an external user to a mounted directory

Apologies for the title, the setup is actually quite simple. I have a host with a user called oli and a directory called /media/steve/incoming that oli can read-write-execute in. Within that I have a privileged LXC container running under root. /media/steve/incoming is mounted in the container as /incoming/ with:

lxc.mount.entry = /media/steve/incoming incoming none bind 0 0

Within the container I have a webserver running as www-data. It needs to be able to write to /incoming/.

What are my options here? I can think of a few ideas but they either have pretty serious downsides or I don't know how to implement them:

  • I could change my daemon to run as root within the container but I'd rather it didn't. Root writes files strangely in the directory (they come out as root:oli-owned on the host).

  • Can I map container-www-data to have host-oli privs on the filesystem? Would this grant them access to the host? oli is not an unprivileged account. It can do real damage.

  • Can I just bind-mount it in such a way that anybody in the container can write to /incoming and the access looks like it's coming from host-oli?

  • ACL any help here?


ACLs can do it because they allow files to be shared among multiple users based on username rather than user ID number.

It is converted to a user ID number inside the file's attributes.

Can I map container-www-data to have host-oli privs on the filesystem? Would this grant them access to the host? oli is not an unprivileged account. It can do real damage.

You can run the following commands on the host to let the LXC container's www-data user write to the /incoming folder.

$ sudo chown oli /media/steve/incoming
$ sudo setfacl -m u:www-data:rwx /media/steve/incoming

/media/steve/incoming is the directory bound to /incoming in the LXC container.

And /media/steve/incoming is already owned by oli.

So the host's oli can write to it directly, and the container's www-data user can also write to it directly.

And if the setfacl command does not exist on the host, you can install it with the following command.

$ sudo apt-get install acl

The host's www-data and the container's www-data can use different user ID numbers, so you can share /media/steve/incoming with the container's www-data user ID as follows.

First, get the user ID number of www-data in the container.

$ cat /etc/passwd | grep "^www-data:" | awk -F ":" '{print $3}'

Then it will show a number if the container has a user named www-data: the user ID of www-data. Second, set the file attribute with an ACL as follows on the host.

$ sudo setfacl -m u:<got_number_above>:rwx /media/steve/incoming

Then it will work for the container.

You can get more help for ACLs from FilePermissionsACLs
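The two-step procedure in the answer (read the container's /etc/passwd for the numeric uid, then grant that uid an ACL entry on the host directory) as a small POSIX shell script. This is an added example, not code from the question or the answer. It works from a constructed passwd snippet embedded inline instead of a real container rootfs, and the directory path, the `apply_acl` helper and the uid offset parameter are assumptions: for the privileged container in the question the offset is 0 because container uids are host uids; for an unprivileged container the offset would be the base of the container's lxc.idmap range, which this script lets you pass in rather than hard-coding.

```shell
#!/bin/sh
# Added example: map a container user to a host ACL entry on a bind-mounted directory.
# Assumed values: the sample passwd text below is constructed; the target directory
# and the uid offset are parameters you supply for your own host.

# Constructed stand-in for the container's /etc/passwd (not a real file on the page).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
oli:x:1000:1000:oli:/home/oli:/bin/bash'

# container_uid USER PASSWD_TEXT
# Prints the numeric uid of USER from passwd-formatted text; exit 1 if absent.
container_uid() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $3; found = 1 } END { exit !found }'
}

# host_uid CONTAINER_UID OFFSET
# Privileged container: offset 0 (identity mapping). Unprivileged: the idmap base.
host_uid() {
    echo $(( $1 + $2 ))
}

# acl_entry HOST_UID
# The -m argument for setfacl granting that numeric uid read/write/execute.
acl_entry() {
    printf 'u:%s:rwx\n' "$1"
}

# apply_acl DIR HOST_UID
# Assumed helper: applies the entry and confirms it with getfacl (needs root and
# the acl package on the host). Returns non-zero if the entry is not visible afterwards.
apply_acl() {
    dir=$1
    uid=$2
    setfacl -m "$(acl_entry "$uid")" "$dir" || return 1
    getfacl --omit-header --numeric "$dir" | grep -q "^user:$uid:rwx"
}

main() {
    target=${1:-/media/steve/incoming}   # directory from the question; override as needed
    offset=${2:-0}                       # 0 for the privileged container in the question
    cuid=$(container_uid www-data "$SAMPLE_PASSWD") || { echo "www-data not in passwd" >&2; exit 1; }
    huid=$(host_uid "$cuid" "$offset")
    # Print the command an admin would run on the host rather than running it here.
    echo "sudo setfacl -m $(acl_entry "$huid") $target"
}

main "$@"
```

Running it as-is prints `sudo setfacl -m u:33:rwx /media/steve/incoming`; calling `apply_acl /media/steve/incoming 33` as root on the host applies and verifies the entry. On the question of host exposure: the ACL grants that uid access to this one directory only, but because a privileged container shares the host's uid space, uid 33 inside the container already is uid 33 on the host for any other path that uid can reach through the bind mount, which is why the answer scopes the entry to the directory rather than mapping www-data onto oli.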