What I'm trying to achieve is have a group that is mapped in the conf file of the LXC that I can easily just add to any user I want to grant them access to files in the bind mount.
In my setup the mpd user has uid 50 and gid 50 on the LXC and it's part of another group called shareduser with gid 1000. I assumed because it is part of the group 1000, which is mapped correctly, it would be able to read and write since all directories have 775, and all files have either 770 or 660 permissions.

Below are some logs where I tried to debug the issue. I connected to the LXC and proxmox using ssh.
Code:
[mpd@nixos-discus:/mnt/host-data/data/audio]$ ls -lah
total 4.5K
drwxr-sr-x 5 shareduser shareduser 64 Jun 25 01:22 .
drwxr-xr-x 4 root root 4 Jun 24 13:09 ..
drwxr-sr-x 3 shareduser shareduser 29 Sep 18 2022 books
drwxr-sr-x 8 shareduser shareduser 125 Jun 25 01:21 music
-rw-rw---- 1 shareduser shareduser 6 Jun 25 13:16 playlist.m3u
drwxr-sr-x 2 shareduser shareduser 10 Oct 9 2022 podcasts
[mpd@nixos-discus:/mnt/host-data/data/audio]$ cat playlist.m3u
cat: playlist.m3u: Permission denied
[mpd@nixos-discus:/mnt/host-data/data/audio]$ id
uid=50(mpd) gid=50(mpd) groups=50(mpd),1000(shareduser),17(audio)
Code:
[sysadmin@nixos-discus:/mnt/host-data/data/audio]$ sudo -u shareduser cat playlist.m3u
testtt
[sysadmin@nixos-discus:/mnt/host-data/data/audio]$ sudo -u mpd cat playlist.m3u
cat: playlist.m3u: Permission denied
If I copy the test file from the bind mount to a local directory, with the exact same permissions, the user has access.
Code:
[sysadmin@nixos-discus:/srv/test]$ ls -lah
total 1.5K
drwxr-xr-x 2 shareduser shareduser 3 Jun 25 13:20 .
drwxr-xr-x 5 root root 5 Jun 25 13:19 ..
-rw-rw---- 1 shareduser shareduser 6 Jun 25 13:20 playlist.m3u
[sysadmin@nixos-discus:/srv/test]$ sudo -u mpd cat playlist.m3u
testtt
The conf file on proxmox:
Code:
arch: amd64
cmode: console
cores: 2
features: nesting=1
hostname: nixos-discus
memory: 4096
mp0: /mnt/storage/data/audio,mp=/mnt/host-data/data/audio,replicate=0
mp1: /mnt/storage/data/downloads,mp=/mnt/host-data/data/downloads,replicate=0
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=BC:24:11:16:4B:ED,ip=dhcp,type=veth
ostype: nixos
protection: 1
rootfs: local-zfs:subvol-204-disk-0,size=8G
swap: 0
tags: unpriviledged
unprivileged: 1
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 101000 64535
lxc.idmap: g 1001 101000 64535
lxc.mount.entry: /dev/snd dev/snd none bind,optional,create=dir
Also on proxmox:
Code:
cat /etc/subuid
root:1000:1
root:100000:65536
sysadmin:165536:65536
sysadmin:231072:65536
sysadmin:296608:65536
cat /etc/subgid
root:1000:1
root:100000:65536
sysadmin:165536:65536
sysadmin:231072:65536
sysadmin:296608:65536
Strangely enough I don't know where those last entries for the sysadmin user are from.
Now looking at the directory from proxmox:
Code:
sysadmin@pve:/mnt/storage/data/audio$ ls -lah
total 4.0K
drwxr-sr-x 5 shareduser shareduser 64 Jun 25 01:22 .
drwxr-sr-x 11 shareduser shareduser 179 Jun 25 00:38 ..
drwxr-sr-x 3 shareduser shareduser 29 Sep 18 2022 books
drwxr-sr-x 8 shareduser shareduser 125 Jun 25 01:21 music
-rw-rw---- 1 shareduser shareduser 6 Jun 25 13:16 playlist.m3u
drwxr-sr-x 2 shareduser shareduser 10 Oct 9 2022 podcasts
sysadmin@pve:/mnt/storage/data/audio$ ls -lan
total 4
drwxr-sr-x 5 1000 1000 64 Jun 25 01:22 .
drwxr-sr-x 11 1000 1000 179 Jun 25 00:38 ..
drwxr-sr-x 3 1000 1000 29 Sep 18 2022 books
drwxr-sr-x 8 1000 1000 125 Jun 25 01:21 music
-rw-rw---- 1 1000 1000 6 Jun 25 13:16 playlist.m3u
drwxr-sr-x 2 1000 1000 10 Oct 9 2022 podcasts
Authenticating with machinectl shell also doesn't help with anything:
Code:
[sysadmin@nixos-discus:/srv/test]$ machinectl shell --uid=50
==== AUTHENTICATING FOR org.freedesktop.machine1.host-shell ====
Authentication is required to acquire a shell on the local host.
Authenticating as: The system administrator user (sysadmin)
Password:
==== AUTHENTICATION COMPLETE ====
Connected to the local host. Press ^] three times within 1s to exit session.
[mpd@nixos-discus:~]$ cd /mnt/host-data/data/audio
[mpd@nixos-discus:/mnt/host-data/data/audio]$ ls -lan
total 5
drwxr-sr-x 5 1000 1000 64 Jun 25 01:22 .
drwxr-xr-x 4 0 0 4 Jun 24 13:09 ..
drwxr-sr-x 3 1000 1000 29 Sep 18 2022 books
drwxr-sr-x 8 1000 1000 125 Jun 25 01:21 music
-rw-rw---- 1 1000 1000 6 Jun 25 13:16 playlist.m3u
drwxr-sr-x 2 1000 1000 10 Oct 9 2022 podcasts
[mpd@nixos-discus:/mnt/host-data/data/audio]$ id
uid=50(mpd) gid=50(mpd) groups=50(mpd),1000(shareduser),17(audio)
[mpd@nixos-discus:/mnt/host-data/data/audio]$ cat playlist.m3u
cat: playlist.m3u: Permission denied
And last is the discovery that the only way that works is to make that group the primary group for the user, and not any extra/additional group.
Code:
[sysadmin@nixos-discus:/mnt/host-data/data/audio]$ id mpd
uid=50(mpd) gid=1000(shareduser) groups=1000(shareduser),17(audio)
[sysadmin@nixos-discus:/mnt/host-data/data/audio]$ sudo -u mpd cat playlist.m3u
testtt
I don't know what's going on with this weird permission issue. If there's a way to accomplish this, please leave a post.
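As an added illustration (not part of the original post), the POSIX shell script below applies the lxc.idmap lines from the conf above to the ids the mpd process holds inside the container and reports which permission triplet of playlist.m3u (mode 660, owner 1000:1000 as seen on the host) those mapped ids would select. The idmap lines are copied from the post; the helper functions and the sample ids are my own construction.

```shell
# Added example, not from the original post: apply the lxc.idmap lines from the
# container conf above to the ids mpd holds inside the container and see which
# permission triplet of playlist.m3u (mode 660, owner 1000:1000 on the host) the
# kernel would consult. The idmap text is copied from the post; the rest is mine.
IDMAP='lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 101000 64535
lxc.idmap: g 1001 101000 64535'

# map_id u|g CONTAINER_ID -> host id, or "unmapped" if no idmap range covers it.
# Each line is: lxc.idmap: <u|g> <container start> <host start> <count>
map_id() {
    kind=$1 cid=$2
    hit=$(printf '%s\n' "$IDMAP" | while read -r _key k start hstart count; do
        [ "$k" = "$kind" ] || continue
        if [ "$cid" -ge "$start" ] && [ "$cid" -lt $((start + count)) ]; then
            echo $((hstart + cid - start)); break
        fi
    done)
    echo "${hit:-unmapped}"
}

# access_class FILE_UID FILE_GID CONTAINER_UID CONTAINER_GID... -> owner|group|other
# FILE_UID/FILE_GID are host ids (what ls -lan on the host shows); the process ids
# are container ids, translated through the idmap before comparing, as the kernel
# does for a process inside the container's user namespace.
access_class() {
    fuid=$1 fgid=$2 cuid=$3; shift 3
    [ "$(map_id u "$cuid")" = "$fuid" ] && { echo owner; return; }
    for g in "$@"; do
        [ "$(map_id g "$g")" = "$fgid" ] && { echo group; return; }
    done
    echo other
}

# The post's case: id inside the container reports uid=50 gid=50 groups=50,1000,17.
printf 'mpd as the host sees it: uid=%s gid=%s groups=%s,%s,%s\n' \
    "$(map_id u 50)" "$(map_id g 50)" "$(map_id g 50)" "$(map_id g 1000)" "$(map_id g 17)"
# With gid 1000 as a supplementary group the mapping alone selects the group bits
# (rw-), so the denial in the post is not explained by the idmap ranges themselves.
printf 'playlist.m3u (660, 1000:1000) with supplementary gid 1000: %s\n' \
    "$(access_class 1000 1000 50 50 1000 17)"
# Primary gid 50 only (no shareduser membership) falls through to "other" (---).
printf 'playlist.m3u with primary gid 50 only: %s\n' "$(access_class 1000 1000 50 50)"
```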