Opened on Jun 18, 2024
Issue Description
When a directory in the path configured in containers.conf
is not world-executable podman fails to run containers:
```console
admin@bastion:~> cat ~/.config/containers/storage.conf
[storage]
driver = "overlay"
runroot = "/app/admin/ee/runroot"
graphroot = "/app/admin/ee/graphroot"
rootless_storage_path = "/app/admin/ee/storage"
[storage.options]
pull_options = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""}
[storage.options.overlay]
mountopt = "nodev,metacopy=on"
admin@bastion:~> id
uid=4444(admin) gid=4444(admin) groups=4444(admin),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
admin@bastion:~> ls -alZ /app
total 0
drwxr-x---. 3 root admin unconfined_u:object_r:default_t:s0 19 2024-06-07 12:53 .
dr-xr-xr-x. 19 root root system_u:object_r:root_t:s0 246 2024-06-06 12:46 ..
drwxr-x--x. 3 admin admin unconfined_u:object_r:container_var_lib_t:s0 16 2024-06-07 13:28 admin
admin@bastion:~> strace -ff podman run -ti test-container uname 2>&1 | grep chmod | grep -i perm
[pid 3400] fchmodat(AT_FDCWD, "/app", 0751) = -1 EPERM (Operation not permitted)
[pid 3400] rt_sigreturn({mask=[]}Error: chmod /app: operation not permitted
admin@bastion:~> podman version
Client: Podman Engine
Version: 4.9.4-rhel
API Version: 4.9.4-rhel
Go Version: go1.21.7 (Red Hat 1.21.7-2.module+el8.10.0+21638+b01be198)
Built: Mon Jun 10 14:56:14 2024
OS/Arch: linux/amd64
admin@bastion:~>
```
The top-level directory is already user-readable/executable, but podman still tries to make it world-executable.
If "chmod o+x /app" is run as root, the test works as expected.
If this is indeed required, then at least the error message should be clearer.
Steps to reproduce the issue
See above - any directory in the path, even if user-readable/executable, not world-executable will cause podman to fail.
Describe the results you received
Directories must be world-executable or podman fails.
Describe the results you expected
It is enough for directories to be owned and accessible by the user.
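As an added example (not part of this issue or of the podman project), a small POSIX shell preflight check that walks every ancestor of a configured storage directory and reports the ones that lack the world-execute (o+x) bit, which is the condition that made the fchmodat() call above fail. It assumes GNU stat (Linux); the directory names in the usage comment are illustrative.

```shell
#!/bin/sh
# Preflight check for rootless podman storage paths (e.g. graphroot or
# rootless_storage_path from storage.conf): report every ancestor directory
# that is not world-executable (o+x). Podman needs to traverse each of them,
# and in the report above it tried to chmod /app to 0751 and got EPERM because
# the directory is owned by root.
# Assumes GNU stat (Linux). Returns 0 when every ancestor passes, 1 when at
# least one is missing o+x, 2 when the directory does not exist.
# Usage: check_ancestor_exec /app/admin/ee/storage
check_ancestor_exec() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "no such directory: $1" >&2
        return 2
    }
    rc=0
    while :; do
        mode=$(stat -c '%a' "$dir")        # octal mode, e.g. 750 or 1777
        owner=$(stat -c '%U' "$dir")       # owning user, to show who must fix it
        other=${mode#"${mode%?}"}          # last octal digit = "other" bits
        if [ $(( other & 1 )) -eq 0 ]; then
            echo "$dir mode=$mode owner=$owner: missing o+x"
            rc=1
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}
```

Run it before first use of a custom storage path; every line it prints names a directory that the listed owner (not the rootless user) has to open with chmod o+x.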
podman info output
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
No
Additional environment details
Additional information