How to change owner/group of a file in /tmp of a container?
Posted: Tue Jul 11, 2023 8:24 am
by Caramel
In the container bookworm (for example), it is possible to create a file in the /tmp directory but the change of owner or group is not permitted.
I would like to understand why and above all know how to modify this behavior.
I try to make a container with the nix package manager but it doesn't work because it can't change ownership on a temporary file (a file in /mnt/wkg/containers/nix/container/tmp) although it runs as root.
Thanks.
Re: How to change owner/group of a file in /tmp of a container?
Posted: Wed Jul 12, 2023 1:48 am
by BarryK
You can do it from "outside", that is, as the root user.
Inside the container, it is running as "crippled root".
For example of the bookworm container, go to /mnt/.easy_rw/bookworm/tmp
...that's for the case of running in ram. If doing direct writes to the drive, go to /mnt/wkg/containers/.session
Re: How to change owner/group of a file in /tmp of a container?
Posted: Wed Jul 12, 2023 2:33 pm
by Caramel
BarryK wrote: ↑Wed Jul 12, 2023 1:48 am
You can do it from "outside", that is, as the root user.
Inside the container, it is running as "crippled root".
For example of the bookworm container, go to /mnt/.easy_rw/bookworm/tmp
...that's for the case of running in ram. If doing direct writes to the drive, go to /mnt/wkg/containers/.session
Thanks for the answer.
In my attempt, it's the program inside the container that needs to change the ownership of a file in /tmp
Re: How to change owner/group of a file in /tmp of a container?
Posted: Wed Jul 12, 2023 11:37 pm
by BarryK
"crippled root" is like a non-root user, it has limitations for security reasons.
Unable to change owner:group is one of them.
You can run a container with less security, but then all you are getting is isolation from the main filesystem but without the security.
If you click "setup" icon, choose EasyOS -> Easy Containers, you can change the security settings.
Note that some of those settings haven't been debugged. As I seem to recall, the least-secure, which is hardly any security, does work.
Re: How to change owner/group of a file in /tmp of a container?
Posted: Thu Jul 13, 2023 5:56 pm
by Caramel
BarryK wrote: ↑Wed Jul 12, 2023 11:37 pm
You can run a container with less security, but then all you are getting is isolation from the main filesystem but without the security.
If you click "setup" icon, choose EasyOS -> Easy Containers, you can change the security settings.
Note that some of those settings haven't been debugged. As I seem to recall, the least-secure, which is hardly any security, does work.
Found in /usr/local/easy_containers/ec-chroot, line 486:
[ "$EC_CAP_file" == "true" ] && cOPTS="${cOPTS}-chown,-kill,-dac_override,-dac_read_search,-fowner,-setfcap,-setpcap,"
Choosing EC_CAP_FILE=true drops the capability to change ownership ("-chown" in the line).
For my test, in Easy Containers, tab Expert, I've unticked the file box and now chown works. Thanks again!
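The thread's explanation of "crippled root" comes down to the capability bounding set: root inside the container has its uid but not CAP_CHOWN (and the other capabilities named in that ec-chroot line), so chown(2) fails with EPERM. The script below is an added example, not code from the forum or from EasyOS: it decodes a CapBnd hex mask such as the one in /proc/self/status, lists which of the seven "file" capabilities dropped by EC_CAP_file are missing, and probes whether chown actually works in the current shell. Capability bit numbers are taken from <linux/capability.h>; the two sample masks are constructed for illustration, and the uid/gid 65534 used by the probe is an assumption (the conventional nobody/nogroup ids).

```shell
#!/usr/bin/env bash
# Added example (not from the thread or EasyOS): decode a capability bounding
# set and check for the capabilities that EC_CAP_file=true removes.
# Bit numbers are from <linux/capability.h>.

CAP_CHOWN=0
CAP_DAC_OVERRIDE=1
CAP_DAC_READ_SEARCH=2
CAP_FOWNER=3
CAP_KILL=5
CAP_SETPCAP=8
CAP_SETFCAP=31

# cap_in_mask HEXMASK CAPNUM -> exit status 0 if that capability bit is set.
cap_in_mask() {
    local mask="$1" cap="$2"
    (( (0x$mask >> cap) & 1 ))
}

# missing_file_caps HEXMASK -> prints the names, space separated, of the
# "file" capabilities (the set dropped by EC_CAP_file=true) absent from MASK.
missing_file_caps() {
    local mask="$1" name out=""
    for name in CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER \
                CAP_KILL CAP_SETPCAP CAP_SETFCAP; do
        cap_in_mask "$mask" "${!name}" || out="$out$name "
    done
    printf '%s' "${out% }"
}

# current_bounding_set -> the CapBnd mask of this shell, if /proc is mounted.
current_bounding_set() {
    awk '/^CapBnd:/ {print $2}' /proc/self/status 2>/dev/null
}

# chown_probe -> creates a temp file and reports whether chown succeeds on it.
# Inside a container without CAP_CHOWN this fails even when uid is 0.
chown_probe() {
    local f
    f=$(mktemp "${TMPDIR:-/tmp}/chown-probe.XXXXXX") || return 2
    if chown 65534:65534 "$f" 2>/dev/null; then   # 65534 = nobody (assumed)
        printf 'chown on %s: permitted\n' "$f"
    else
        printf 'chown on %s: refused (expected without CAP_CHOWN)\n' "$f"
    fi
    rm -f "$f"
}

# Constructed sample masks: an unrestricted root shell on a recent kernel
# (capabilities 0..40 all set) and the same set with the seven bits above
# cleared, which is what a container started with EC_CAP_file=true would show.
FULL_MASK=000001ffffffffff
FILE_CAPS_DROPPED_MASK=000001ff7ffffed0

if mask=$(current_bounding_set) && [ -n "$mask" ]; then
    printf 'CapBnd of this shell: %s\n' "$mask"
    missing=$(missing_file_caps "$mask")
    if [ -n "$missing" ]; then
        printf 'missing: %s\n' "$missing"
    else
        echo 'all file capabilities present in the bounding set'
    fi
    chown_probe
fi
```

Run it inside the container as root: a CapBnd with bit 0 clear and a refused chown together confirm that the failure is the dropped capability rather than filesystem permissions, and it is the bounding set (not the uid) that the Easy Containers "file" tick box changes.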