On Mon, May 6, 2024 at 10:29 AM Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote: > > Replying to a couple emails at once... > > On Mon, May 6, 2024 at 12:14 AM Aleksa Sarai <cyphar@xxxxxxxxxx> wrote: > > I also find it somewhat amusing that this proposal is to basically give > > up on multi-user permissions for this one directory tree because it's > > too annoying to deal with. In that case, isn't chmod 777 a simpler > > solution? (I'm being a bit flippant, of course there is a difference, > > but the net result is that all users in the container would have the > > same permissions with all of the fun issues that implies.) > > > > In short, AFAICS idmapped mounts pretty much solve this problem (minus > > the ability to collapse users, which I suspect is not a good idea in > > general)? > > > > With my kernel hat on, maybe I agree. But with my *user* hat on, I > think I pretty strongly disagree. Look, idmapis lousy for > unprivileged use: > > $ install -m 0700 -d test_directory > $ echo 'hi there' >test_directory/file > $ podman run -it --rm > --mount=type=bind,src=test_directory,dst=/tmp,idmap [debian-slim] > # cat /tmp/file > hi there > > <-- Hey, look, this kind of works! > > # setpriv --reuid=1 ls /tmp > ls: cannot open directory '/tmp': Permission denied > > <-- Gee, thanks, Linux! I should add: this is lousy even for privileged use. On a normal non-containerized system: $ ls -ld /var/lib/mysql drwxr-xr-x. 3 mysql mysql 4096 Sep 20 2023 /var/lib/mysql This makes perfect sense. But if I want to run mysql in a container in a sane way, my only real choice is either to trust the container manager quite strongly (so it only maps this directory into the correct container) or, if I want to separate out management of this container into its own UID (which is a good practice), then I'm forced to do some kind of fragile hack like making a directory only accessible to the correct UID and then creating a 0777 directory inside it and bind-mounting *that*.
