
bind-mounted directory inaccessible to unprivileged user in container #232

Closed
dev-zero opened this issue Sep 9, 2021 · 9 comments
Comments

@dev-zero

dev-zero commented Sep 9, 2021

When trying to run a mariadb container with a bind-mount for docker-entrypoint-initdb.d I get:

nerdctl.lima run -ti -e MARIADB_RANDOM_ROOT_PASSWORD=1 -v ./db:/docker-entrypoint-initdb.d:ro mariadb:10.6
WARN[0000] expected an absolute path, got a relative path "./db" (allowed for nerdctl, but disallowed for Docker, so unrecommended)
2021-09-09 15:36:50+00:00 [Note] [Entrypoint]: Entrypoint script for MariaDB Server 1:10.6.4+maria~focal started.
2021-09-09 15:36:51+00:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'
2021-09-09 15:36:51+00:00 [Note] [Entrypoint]: Entrypoint script for MariaDB Server 1:10.6.4+maria~focal started.
ls: cannot open directory '/docker-entrypoint-initdb.d/': Permission denied
exit status 2

Indeed, something goes wrong with the sshfuse when running as a user other than the container "root":

nerdctl.lima run -ti -e MARIADB_RANDOM_ROOT_PASSWORD=1 -v ./db:/docker-entrypoint-initdb.d:ro --entrypoint /bin/bash mariadb:10.6
WARN[0000] expected an absolute path, got a relative path "./db" (allowed for nerdctl, but disallowed for Docker, so unrecommended)
root@191eb5c41be3:/# ls -la /
total 56
drwxr-xr-x  18 root   root    4096 Sep  9 15:37 .
lrwxrwxrwx   1 root   root       7 Aug 27 07:16 bin -> usr/bin
drwxr-xr-x   2 root   root    4096 Apr 15  2020 boot
drwxr-xr-x   5 root   root     360 Sep  9 15:37 dev
drwxr-xr-x   1 nobody nogroup   96 Sep  2 14:51 docker-entrypoint-initdb.d
drwxr-xr-x  39 root   root    4096 Aug 31 03:44 etc
drwxr-xr-x   2 root   root    4096 Apr 15  2020 home
lrwxrwxrwx   1 root   root       7 Aug 27 07:16 lib -> usr/lib
lrwxrwxrwx   1 root   root       9 Aug 27 07:16 lib32 -> usr/lib32
lrwxrwxrwx   1 root   root       9 Aug 27 07:16 lib64 -> usr/lib64
lrwxrwxrwx   1 root   root      10 Aug 27 07:16 libx32 -> usr/libx32
drwxr-xr-x   2 root   root    4096 Aug 27 07:16 media
drwxr-xr-x   2 root   root    4096 Aug 27 07:16 mnt
drwxr-xr-x   2 root   root    4096 Aug 27 07:16 opt
dr-xr-xr-x 219 nobody nogroup    0 Sep  9 15:37 proc
drwx------   2 root   root    4096 Aug 31 03:43 root
drwxr-xr-x   6 root   root    4096 Aug 31 03:44 run
lrwxrwxrwx   1 root   root       8 Aug 27 07:16 sbin -> usr/sbin
drwxr-xr-x   2 root   root    4096 Aug 27 07:16 srv
dr-xr-xr-x  13 nobody nogroup    0 Sep  9 15:37 sys
drwxrwxrwt   2 root   root    4096 Aug 31 03:44 tmp
drwxr-xr-x  13 root   root    4096 Aug 27 07:16 usr
drwxr-xr-x  11 root   root    4096 Aug 27 07:27 var
root@191eb5c41be3:/# /usr/local/bin/gosu mysql ls -la /
ls: cannot access '/docker-entrypoint-initdb.d': Permission denied
total 52
drwxr-xr-x  18 root   root    4096 Sep  9 15:37 .
lrwxrwxrwx   1 root   root       7 Aug 27 07:16 bin -> usr/bin
drwxr-xr-x   2 root   root    4096 Apr 15  2020 boot
drwxr-xr-x   5 root   root     360 Sep  9 15:37 dev
d?????????   ? ?      ?          ?            ? docker-entrypoint-initdb.d
drwxr-xr-x  39 root   root    4096 Aug 31 03:44 etc
drwxr-xr-x   2 root   root    4096 Apr 15  2020 home
lrwxrwxrwx   1 root   root       7 Aug 27 07:16 lib -> usr/lib
lrwxrwxrwx   1 root   root       9 Aug 27 07:16 lib32 -> usr/lib32
lrwxrwxrwx   1 root   root       9 Aug 27 07:16 lib64 -> usr/lib64
lrwxrwxrwx   1 root   root      10 Aug 27 07:16 libx32 -> usr/libx32
drwxr-xr-x   2 root   root    4096 Aug 27 07:16 media
drwxr-xr-x   2 root   root    4096 Aug 27 07:16 mnt
drwxr-xr-x   2 root   root    4096 Aug 27 07:16 opt
dr-xr-xr-x 218 nobody nogroup    0 Sep  9 15:37 proc
drwx------   2 root   root    4096 Aug 31 03:43 root
drwxr-xr-x   6 root   root    4096 Aug 31 03:44 run
lrwxrwxrwx   1 root   root       8 Aug 27 07:16 sbin -> usr/sbin
drwxr-xr-x   2 root   root    4096 Aug 27 07:16 srv
dr-xr-xr-x  13 nobody nogroup    0 Sep  9 15:37 sys
drwxrwxrwt   2 root   root    4096 Aug 31 03:44 tmp
drwxr-xr-x  13 root   root    4096 Aug 27 07:16 usr
drwxr-xr-x  11 root   root    4096 Aug 27 07:27 var

This is with lima 0.6.3.

@dev-zero
Author

So far I don't see what's wrong. When making another SSHFS mount from the lima machine back to the host machine (with remote access enabled) with the exact same mount options other users can access it. 🤷

@diepfote

@dev-zero could you provide an example? I looked into this as well: #231 (comment)

@diepfote

@AkihiroSuda is this where you execute the bind mount (e.g. -v <host>:<container>) for a nerdctl command? https://github.com/lima-vm/sshocker/blob/v0.2.2/pkg/reversesshfs/reversesshfs.go#L55

Thought I had to change things here:

SSHFSAdditionalArgs: []string{"-o", "allow_root"},
but I guess it is sshocker.

Please confirm or deny.

@dev-zero
Author

dev-zero commented Sep 14, 2021

@florianbegusch could you elaborate on what kind of example you need? Above I specified the command with the mariadb image from docker.io, which should be sufficient to reproduce it?

And the root user inside the lima VM is able to access the mount, as is the unprivileged default user (with the same UID as my MacOS user); only any other user in the VM (and therefore also any other user inside the container) does not get access to the mount. Since the allow_other mount option is present, the only thing left would be the user_allow_other option in /etc/fuse.conf, which seems to get ignored for some reason, or some Linux kernel security hook (SELinux, AppArmor, ...).
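The two settings named above (allow_other on the mount, user_allow_other in /etc/fuse.conf) can be checked mechanically from inside the VM. The script below is an added example, not code from lima or sshocker: it parses a /proc/mounts line and a fuse.conf body and reports which of the two is missing; the mount lines and config bodies at the bottom are constructed samples, and the mount path /Users/alice is a placeholder.

```shell
#!/bin/sh
# Diagnose why a FUSE (sshfs) mount is inaccessible to users other than the
# one that mounted it. Assumes the mount appears in /proc/mounts with a
# fstype starting in "fuse" (e.g. fuse.sshfs), whose 4th field is the
# comma-separated option list.

# Return 0 if the given /proc/mounts line carries the allow_other option.
mount_has_allow_other() {
    printf '%s\n' "$1" | awk '{print $4}' | tr ',' '\n' | grep -qx 'allow_other'
}

# Return 0 if a fuse.conf body enables user_allow_other (comments ignored).
# Without it, fusermount refuses allow_other for mounts made by non-root users.
fuseconf_allows_user_other() {
    printf '%s\n' "$1" | sed 's/#.*//' | grep -qx '[[:space:]]*user_allow_other[[:space:]]*'
}

# Classify a mount line plus a fuse.conf body into one diagnosis token.
diagnose() {
    if ! mount_has_allow_other "$1"; then
        echo "missing-allow_other"            # other uids get EACCES from the kernel
    elif ! fuseconf_allows_user_other "$2"; then
        echo "user_allow_other-disabled"      # non-root mounts with allow_other are refused
    else
        echo "options-ok-check-lsm"           # FUSE side is fine; look at SELinux/AppArmor
    fi
}

# Live variant for a running VM (not exercised offline): look up the mount
# line for a given mount point and compare it against the real /etc/fuse.conf.
diagnose_live() {
    line=$(awk -v p="$1" '$2 == p && $3 ~ /^fuse/ {print; exit}' /proc/mounts)
    [ -n "$line" ] || { echo "not-a-fuse-mount"; return 1; }
    diagnose "$line" "$(cat /etc/fuse.conf 2>/dev/null)"
}

# Constructed sample inputs (placeholder host, user and path).
SAMPLE_OK='user@host:/Users/alice /Users/alice fuse.sshfs rw,nosuid,nodev,relatime,user_id=501,group_id=1000,allow_other 0 0'
SAMPLE_NOALLOW='user@host:/Users/alice /Users/alice fuse.sshfs rw,nosuid,nodev,relatime,user_id=501,group_id=1000 0 0'
FUSECONF_ON='# /etc/fuse.conf
user_allow_other'
FUSECONF_OFF='# /etc/fuse.conf
#user_allow_other'
```

Run `diagnose_live /path/to/mount` inside the VM to apply the same checks to a real mount point.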

@diepfote

@dev-zero by "default" unprivileged user, do you mean uid 1000 (default on most Linuxes) or 501 (default on most Mac OSes)?

My default unprivileged user is uid 1000 and I get permission errors on all bind-mounted dirs. Dirs and files are owned by the nobody user; permissions are kept to a minimum: for directories the dir flag is set, for all other files no permissions are set.

@dev-zero
Author

@florianbegusch I have uid 501 for my MacOS user, but also the Linux UID inside the default lima VM is 501. From this user as well as root inside the VM I can access the SSHFS mount /Users/$username. The user nobody inside the VM cannot.

@diepfote

@dev-zero
For me this is not the case:

[build-user@25f35fb36f17 ~]$ id
uid=501(build-user) gid=1000(build-user) groups=1000(build-user)
$ docker run -u build-user -v /Users/florian/Documents/scripts:/build/Documents/scripts --rm -it --name arch-all arch-all bash
[build-user@25f35fb36f17 ~]$ ls -alh
total 32K
drwx------  4 build-user build-user 4.0K Sep 15 13:20 .
drwxr-xr-x 17 root       root       4.0K Sep 15 13:20 ..
-rw-r--r--  1 build-user build-user   21 May  9 09:53 .bash_logout
-rw-r--r--  1 build-user build-user   57 May  9 09:53 .bash_profile
-rw-r--r--  1 root       root       6.4K Sep 15 10:25 .bashrc
drwxr-xr-x  4 build-user build-user 4.0K Sep 15 10:30 .cache
drwxr-xr-x  3 root       root       4.0K Sep 15 13:20 Documents
lrwxrwxrwx  1 root       root         17 Sep 15 10:25 .vimrc -> /build/.vim/vimrc
[build-user@25f35fb36f17 ~]$ ls -alh Documents/
ls: cannot access 'Documents/scripts': Permission denied
total 8.0K
drwxr-xr-x 3 root       root       4.0K Sep 15 13:20 .
drwx------ 4 build-user build-user 4.0K Sep 15 13:20 ..
d????????? ? ?          ?             ?            ? scripts

@AkihiroSuda
Member

Should be fixed in #247

@diepfote

can confirm
