ACLs on an Ubuntu LXC

Stamp1219

New Member
Dec 22, 2023
Hi,

I have a privileged LXC, and the directory is provided as a bind mount from the proxmox host. Users and group membership are from AD configured with SSSD with id mapping disabled and users strictly having uidNumber and gidNumber defined. I have confirmed the users and group in question are being pulled over correctly. I can't see anything in apparmor that would be relevant:

Code:
root@docker-01:/mnt/media# aa-status
apparmor module is loaded.
14 profiles are loaded.
12 profiles are in enforce mode.
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /{,usr/}sbin/dhclient
   docker-default
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   tcpdump
2 profiles are in complain mode.
   /usr/sbin/sssd
   /usr/sbin/sssd//null-/usr/bin/nsupdate
0 profiles are in kill mode.
0 profiles are in unconfined mode.
4 processes have profiles defined.
0 processes are in enforce mode.
4 processes are in complain mode.
   /usr/sbin/sssd (108)
   /usr/libexec/sssd/sssd_be (139) /usr/sbin/sssd
   /usr/libexec/sssd/sssd_nss (141) /usr/sbin/sssd
   /usr/libexec/sssd/sssd_pam (142) /usr/sbin/sssd
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.

The directory structure is as follows:

Code:
root@docker-01:/mnt/media# tree -L 1 /mnt/media
/mnt/media
|-- audiobooks
|-- downloads
|-- ebooks
|-- movies
`-- tv

I have the following groups:

  • media_read_users #R_X to /mnt/media and all subdirectories/files within
  • media_write_users #RWX to /mnt/media and all subdirectories/files within
  • audiobooks_read_users #R_X to /mnt/media/audiobooks and all subdirectories/files within
  • audiobooks_write_users #RWX to /mnt/media/audiobooks and all subdirectories/files within
  • downloads_read_users #R_X to /mnt/media/downloads and all subdirectories/files within
  • downloads_write_users #RWX to /mnt/media/downloads and all subdirectories/files within
  • ebooks_read_users #R_X to /mnt/media/ebooks and all subdirectories/files within
  • ebooks_write_users #RWX to /mnt/media/ebooks and all subdirectories/files within
  • movies_read_users #R_X to /mnt/media/movies and all subdirectories/files within
  • movies_write_users #RWX to /mnt/media/movies and all subdirectories/files within
  • tv_read_users #R_X to /mnt/media/tv and all subdirectories/files within
  • tv_write_users #RWX to /mnt/media/tv and all subdirectories/files within

Using /mnt/media as an example, the ACL is as follows:

Code:
root@docker-01:/mnt# getfacl /mnt/media
getfacl: Removing leading '/' from absolute path names
# file: mnt/media
# owner: root
# group: root
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:group:media_write_users:rwx
default:group:media_read_users:r-x
default:mask::rwx
default:other::---

When root (or via sudo), I can write to the directory, but non-root users such as "myuser" can't. "myuser" is a member of the media_write_users group, but can't read or write to /mnt/media:

Code:
myuser@docker-01:/mnt/media$ id
uid=2100(myuser) gid=2100(myuser) groups=2100(myuser),3104(docker),3200(media_write_users),3300(linux_admins)

myuser@docker-01:/mnt/media$ touch why_wont_this_work
touch: cannot touch 'why_wont_this_work': Permission denied

If I use chgrp to change the group outside of the ACLs, I can write to the directory as a group member. However, I'm keen to use ACLs to allow me to have the overarching group (media_{read,write}_users) control access to /mnt/media and subdirectories regardless of other memberships, and the subdirectory groups control access to each specified subdirectory with the permissions I need.

I'm sure I'm doing something wrong, but does anyone have any ideas?

Thanks
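One thing worth checking against the getfacl output quoted in the post: the only entries naming media_write_users and media_read_users are `default:` entries, and a default entry is copied into the ACL of files created inside the directory but never grants anything on the directory itself, whose access ACL here is just user/group/other. The script below is an added example, not the poster's code or part of the thread: it re-implements the acl(5) permission check in Python over the quoted getfacl output (embedded as a constructed string, with the owner and group taken from the same output), showing what myuser gets on /mnt/media versus on a file created inside it, and which named group entries have no non-default counterpart.

```python
# getfacl output quoted in the post, embedded here as a constructed string
GETFACL_MNT_MEDIA = """\
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:group:media_write_users:rwx
default:group:media_read_users:r-x
default:mask::rwx
default:other::---
"""

def parse_getfacl(text):
    """Return (access_entries, default_entries); an entry is (tag, qualifier, perms set)."""
    access, default = [], []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            target = access
            if line.startswith("default:"):
                line, target = line[len("default:"):], default
            tag, qual, perms = line.split(":")
            target.append((tag, qual, set(perms.replace("-", ""))))
    return access, default
def effective_perms(acl, owner, owning_group, user, groups):
    """acl(5) order: owner, named user, group class (union of matches, cut by mask), other."""
    def find(tag, qual=""):
        return next((p for t, q, p in acl if t == tag and q == qual), None)
    mask = find("mask")
    masked = lambda p: p if mask is None else p & mask
    if user == owner:
        return find("user")
    if find("user", user) is not None:
        return masked(find("user", user))
    matched = [masked(find("group"))] if owning_group in groups else []
    matched += [masked(p) for t, q, p in acl if t == "group" and q and q in groups]
    return set().union(*matched) if matched else find("other")
def myuser_access(text=GETFACL_MNT_MEDIA):
    """myuser (groups from the post's `id`) on the directory itself vs. on a new child file."""
    access, default = parse_getfacl(text)          # owner/group are root, per the post
    groups = {"myuser", "docker", "media_write_users", "linux_admins"}
    return (effective_perms(access, "root", "root", "myuser", groups),
            effective_perms(default, "root", "root", "myuser", groups))
def missing_access_entries(text=GETFACL_MNT_MEDIA):
    """Named groups present only as defaults; each needs a non-default twin via setfacl -m."""
    access, default = parse_getfacl(text)
    have = {(t, q) for t, q, _ in access}
    return [f"g:{q}:{''.join(c for c in 'rwx' if c in p)}"
            for t, q, p in default if t == "group" and q and (t, q) not in have]
```

Running `getfacl` on each subdirectory will show the same pattern if they were set up the same way; the `setfacl -m g:NAME:PERMS` form (without `d:`) is what adds an entry that applies to the directory itself.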
 
