Hi,
I have a privileged LXC, and the directory is provided as a bind mount from the Proxmox host. Users and group membership are from AD, configured with SSSD with ID mapping disabled and users strictly having uidNumber and gidNumber defined. I have confirmed the users and groups in question are being pulled over correctly. I can't see anything in AppArmor that would be relevant:
Code:
root@docker-01:/mnt/media# aa-status
apparmor module is loaded.
14 profiles are loaded.
12 profiles are in enforce mode.
/usr/bin/man
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/{,usr/}sbin/dhclient
docker-default
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
tcpdump
2 profiles are in complain mode.
/usr/sbin/sssd
/usr/sbin/sssd//null-/usr/bin/nsupdate
0 profiles are in kill mode.
0 profiles are in unconfined mode.
4 processes have profiles defined.
0 processes are in enforce mode.
4 processes are in complain mode.
/usr/sbin/sssd (108)
/usr/libexec/sssd/sssd_be (139) /usr/sbin/sssd
/usr/libexec/sssd/sssd_nss (141) /usr/sbin/sssd
/usr/libexec/sssd/sssd_pam (142) /usr/sbin/sssd
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
The directory structure is as follows:
Code:
root@docker-01:/mnt/media# tree -L 1 /mnt/media
/mnt/media
|-- audiobooks
|-- downloads
|-- ebooks
|-- movies
`-- tv
I have the following groups:
- media_read_users #R_X to /mnt/media and all subdirectories/files within
- media_write_users #RWX to /mnt/media and all subdirectories/files within
- audiobooks_read_users #R_X to /mnt/media/audiobooks and all subdirectories/files within
- audiobooks_write_users #RWX to /mnt/media/audiobooks and all subdirectories/files within
- downloads_read_users #R_X to /mnt/media/downloads and all subdirectories/files within
- downloads_write_users #RWX to /mnt/media/downloads and all subdirectories/files within
- ebooks_read_users #R_X to /mnt/media/ebooks and all subdirectories/files within
- ebooks_write_users #RWX to /mnt/media/ebooks and all subdirectories/files within
- movies_read_users #R_X to /mnt/media/movies and all subdirectories/files within
- movies_write_users #RWX to /mnt/media/movies and all subdirectories/files within
- tv_read_users #R_X to /mnt/media/tv and all subdirectories/files within
- tv_write_users #RWX to /mnt/media/tv and all subdirectories/files within
Code:
root@docker-01:/mnt# getfacl /mnt/media
getfacl: Removing leading '/' from absolute path names
# file: mnt/media
# owner: root
# group: root
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:group:media_write_users:rwx
default:group:media_read_users:r-x
default:mask::rwx
default:other::---
When root (or via sudo) I can write to the directory. But non-root users, such as "myuser" can't. "myuser" is a member of the media_write_users group, but can't read or write to /mnt/media:
Code:
myuser@docker-01:/mnt/media$ id
uid=2100(myuser) gid=2100(myuser) groups=2100(myuser),3104(docker),3200(media_write_users),3300(linux_admins)
myuser@docker-01:/mnt/media$ touch why_wont_this_work
touch: cannot touch 'why_wont_this_work': Permission denied
If I use chgrp to change the group outside of the ACLs, I can write to the directory as a group member. However I'm keen to use ACLs to allow me to have the overarching group (media_{read,write}_users) control access to /mnt/media and subdirectories regardless of other memberships, and the subdirectory groups control access to each specified subdirectory with the permissions I need.
I'm sure I'm doing something wrong, but does anyone have any ideas?
Thanks
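Added example, not the poster's code: the getfacl listing above has the two media groups only as default: entries. Default entries are an inheritance template copied onto files and directories created later; they grant nothing on /mnt/media itself, so a process that is neither root nor in the owning group falls through to other::--- exactly as the kernel's acl(5) check prescribes. The script below replays that check over the posted listing and over an assumed corrected listing, the state you would get after `setfacl -m g:media_write_users:rwx,g:media_read_users:r-x /mnt/media` (that command and the resulting "fixed" ACL are assumptions made for the example, not something shown in the post). The group set for myuser is taken from the `id` output above. It also lists default-only groups, the quick lint to run on any directory that "should" be reachable but is not.

```python
"""Replay the POSIX ACL access check (acl(5)) over getfacl output.

Added example for the thread above, not the original poster's code.
ACL_AS_POSTED is copied from the post; ACL_FIXED is a constructed listing
assumed to result from adding access (non-default) entries with setfacl.
"""
from typing import Dict, List, Optional, Set, Tuple

ACL_AS_POSTED = """\
# file: mnt/media
# owner: root
# group: root
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:group:media_write_users:rwx
default:group:media_read_users:r-x
default:mask::rwx
default:other::---
"""

# Assumed state after: setfacl -m g:media_write_users:rwx,g:media_read_users:r-x /mnt/media
ACL_FIXED = """\
# file: mnt/media
# owner: root
# group: root
user::rwx
group::rwx
group:media_write_users:rwx
group:media_read_users:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:media_write_users:rwx
default:group:media_read_users:r-x
default:mask::rwx
default:other::---
"""

Entries = Dict[str, Set[str]]  # "tag:qualifier" -> set of permission letters


def parse_getfacl(text: str) -> Tuple[Optional[str], Optional[str], Entries, Entries]:
    """Return (owner, owning_group, access_entries, default_entries)."""
    owner = group = None
    access: Entries = {}
    default: Entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
            continue
        if line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
            continue
        if not line or line.startswith("#"):
            continue
        line = line.split("#", 1)[0].strip()  # drop a trailing "#effective:..." note
        target = access
        if line.startswith("default:"):
            target = default
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)  # e.g. group:media_write_users:rwx
        target[f"{tag}:{qualifier}"] = set(perms) - {"-"}
    return owner, group, access, default


def effective_access(acl_text: str, user: str, groups: Set[str], want: str) -> bool:
    """Would a process running as `user` in `groups` get `want` (subset of "rwx")?"""
    owner, owning_group, acl, _ = parse_getfacl(acl_text)
    need = set(want)
    mask = acl.get("mask:")  # only present once named entries exist

    def masked(perms: Set[str]) -> Set[str]:
        return perms & mask if mask is not None else perms

    if user == owner:                      # 1. ACL_USER_OBJ, never masked
        return need <= acl["user:"]
    if f"user:{user}" in acl:              # 2. ACL_USER, masked
        return need <= masked(acl[f"user:{user}"])
    candidates: List[Set[str]] = []        # 3. file group class: any matching entry may grant
    if owning_group in groups:
        candidates.append(masked(acl["group:"]))
    for g in groups:
        if f"group:{g}" in acl:
            candidates.append(masked(acl[f"group:{g}"]))
    if candidates:
        return any(need <= perms for perms in candidates)
    return need <= acl["other:"]           # 4. ACL_OTHER


def default_only_groups(acl_text: str) -> List[str]:
    """Named entries present as default: but missing from the access ACL:
    they will apply to future children but do not open the directory itself."""
    _, _, access, default = parse_getfacl(acl_text)
    return sorted(k for k in default if k.split(":", 1)[1] and k not in access)


if __name__ == "__main__":
    myuser = {"myuser", "docker", "media_write_users", "linux_admins"}  # from `id` in the post
    for label, acl in (("as posted", ACL_AS_POSTED), ("with access entries", ACL_FIXED)):
        print(f"{label}: touch needs wx ->", effective_access(acl, "myuser", myuser, "wx"),
              "| default-only:", default_only_groups(acl))
```

The same evaluation order explains why `chgrp` "worked": it put myuser into the file group class via the owning-group entry, which is an access entry. Keep the default: entries for inheritance, but every group that must enter /mnt/media or a subdirectory also needs a plain access entry on that directory. The bind-mounted filesystem on the host must support POSIX ACLs for any of this to apply; `getfacl` returning the named entries at all indicates it does here.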