
Inconsistent permissions to access mounted partitions (`nobody`)

Open nelsonaloysio opened this issue 3 years ago • 4 comments

Describe the bug

I have an encrypted (with BitLocker) partition labeled `Data` which is unlocked via `gio mount -d /dev/nvme0nXpY`.

If a toolbox container is started before the partition is mounted, then a `Permission denied` is returned when trying to access the mounted folder `Data` in `/run/media/$USER` - that is, running `toolbox run sh -c 'ls -l /run/media/$USER'` returns:

drwx------. 2 nobody nobody 40 Jul  4 18:01 Data

Weirdly, though, this doesn't happen if the partition is mounted after (or right before) the toolbox container is started. Then, running the same command above returns the expected output:

drwxrwxrwx. 1 neo neo 8192 Jul  6 14:34 Data

Steps how to reproduce the behaviour

  1. Boot system
  2. Mount partition
  3. Try to access folder inside toolbox
  4. See error

Expected behaviour

Either the directory is always accessible, or never accessible to the user inside toolbox.

Actual behaviour

The directory is only accessible if the partition is mounted after (or right before) the toolbox container is started.

Screenshots

Not applicable, I guess.

Output of `toolbox --version` (v0.0.90+)

toolbox version 0.0.99.3

Toolbox package info (`rpm -q toolbox`)

toolbox version 0.0.99.3

Output of `podman version`

Client:       Podman Engine
Version:      4.1.1
API Version:  4.1.1
Go Version:   go1.18.3
Built:        Wed Jun 15 15:31:58 2022
OS/Arch:      linux/amd64

Podman package info (`rpm -q podman`)

podman-4.1.1-1.fc36.x86_64

Info about your OS

Fedora Silverblue 36

nelsonaloysio avatar Jul 04 '22 17:07 nelsonaloysio

I'm trying to debug this issue further, but the inconsistency with which it happens is turning it into a difficult endeavour. My intention here was mainly to share what's happening - if anyone can point to similar issues or has any clue as to why, it'd be appreciated!

nelsonaloysio avatar Jul 04 '22 17:07 nelsonaloysio

Does the same thing happen with other mounts too? For example, what if you plug in a USB stick?

debarshiray avatar Oct 24 '22 09:10 debarshiray

Actually I can reproduce this with a USB stick and Podman:

$ podman run --interactive --security-opt label=disable --tty --userns=keep-id --volume $HOME:$HOME:rslave --volume /run/media:/run/media:rslave fedora:36 capsh --caps="" -- -c 'exec "$@"' bash bash --login

debarshiray avatar Oct 24 '22 19:10 debarshiray
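The `nobody nobody` ownership in the original report and the `--userns=keep-id` reproduction above are the kind of symptom a user-namespace id mapping produces: a host uid that is not covered by the container's `/proc/self/uid_map` is shown as the kernel's overflow uid. The following diagnostic is an added example, not code from this thread or from the toolbox project, and it assumes (the thread does not establish this) that the mounted directory's host owner lies outside the container's mapping; the `KEEP_ID_MAP` sample is a constructed uid_map in the shape podman writes for `--userns=keep-id` with host uid 1000, and the function names are hypothetical.

```python
"""Translate host uids the way the kernel does for stat() inside a user namespace.

Any host uid not covered by the namespace's uid_map is reported as the overflow
uid (65534 by default, see /proc/sys/kernel/overflowuid), which /etc/passwd
normally names ``nobody``. Running this inside a container that shows a
``nobody``-owned mount tells you whether the owner is simply unmapped.
"""
from pathlib import Path

OVERFLOW_UID = 65534  # kernel default for /proc/sys/kernel/overflowuid

# Constructed sample: podman --userns=keep-id for host uid 1000 maps
# host 1000 -> 1000 and fills the rest from the user's subuid range.
KEEP_ID_MAP = """\
         0     100000       1000
      1000       1000          1
      1001     101001      64536
"""


def parse_uid_map(text: str) -> list[tuple[int, int, int]]:
    """Parse uid_map lines: '<inside_start> <outside_start> <count>'."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        inside, outside, count = (int(f) for f in fields)
        ranges.append((inside, outside, count))
    return ranges


def host_uid_in_namespace(host_uid: int, ranges, overflow: int = OVERFLOW_UID) -> int:
    """Return the uid a process in the namespace sees for a file owned by host_uid."""
    for inside, outside, count in ranges:
        if outside <= host_uid < outside + count:
            return inside + (host_uid - outside)
    return overflow  # unmapped on the host side: shown as nobody


def explain(host_uid: int, uid_map_text: str) -> str:
    """Human-readable verdict for one host uid against a uid_map."""
    seen = host_uid_in_namespace(host_uid, parse_uid_map(uid_map_text))
    if seen == OVERFLOW_UID:
        return f"host uid {host_uid} is unmapped: shown as {seen} (nobody)"
    return f"host uid {host_uid} is mapped: shown as {seen}"


def explain_current_namespace(host_uid: int) -> str:
    """Same check against the uid_map of the process this runs in."""
    return explain(host_uid, Path("/proc/self/uid_map").read_text())


if __name__ == "__main__":
    for uid in (0, 1000, 100000):
        print(explain(uid, KEEP_ID_MAP))
```

Run it inside the container (`explain_current_namespace(0)`) and compare with the host-side `stat` of the mount point; a root-owned mount point appears as `nobody` under the keep-id mapping because host uid 0 is not in the map.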

Notified Podman at https://github.com/containers/podman/issues/14183#issuecomment-1293836495

debarshiray avatar Oct 27 '22 17:10 debarshiray