I understand that podman unshare can be used to properly set the permissions on unprivileged containers.
So podman unshare chown 1234:1234 -R /home/user/volume can be used to set the volume to the properly mapped ids.
But I'm getting permission errors when I'm trying to do that:
podman unshare chown -R 1234:1234 -R /home/user/foo/bar; echo $?
chown: changing ownership of '/home/user/foo/bar': Operation not permitted
1
The first thing I thought about was directory permissions but it fails even if I'm giving the destination directory 0777.
I'm calling the command as user user and the parent directories have these permissions:
drwxr-xr-x root /home
drwxr-x--- user /home/user
drwxrwxrwx user /home/user/foo
drwxrwxrwx user /home/user/foo/bar
It isn't my intention to really use 0777 in production but something is off even with 0777 and it's not clear to me how to debug this.
Related
I changed the chown from 755 to 775 for the Documents folder by typing the below command in the terminal. I am successful, and Documents permissions are now changed to 775:
David-MacBook-Air:/ Davidtyler$ cd /library/webserver/
David-MacBook-Air:webserver Davidtyler$ chown 775 Documents
However, when I reset permission of the Documents folder to 755, which is the default in the terminal, then the terminal gives me the message "Operation not permitted".
Here are the commands that I typed to reset the permissions of Documents folder from 775 to default 755:
David-MacBook-Air:/ Davidtyler$ cd /library/webserver/
David-MacBook-Air:webserver Davidtyler$ chown 775 Documents
chown: Documents: Operation not permitted
I guess you actually wanted to use chmod instead of chown.
chmod changes permission; while chown changes owner of a file/folder.
chown 755 don't make much sense unless there is really a user identified as 755.
Upgrade to PHP 7.1 and getting 403 error. How do I change the root permission to 751?
As the root user, run:
chmod 751 path/to/your/directory/
use the "recursive" option if you want to also modify permissions of all subdirectories:
chmod -R 751 path/to/your/directory/
then do this:
ls -l
This should show that your directory is owned by root and now has permissions "drwxr-x--x".
Source and more details: http://www.filepermissions.com/directory-permission/751
In kubernetes I can use a PersistentVolumeClaim to create some storage, which I can later mount in some container.
However if the user in the container is not root, that user will not be able to access that directory because it is owned by root.
What is the right way to access such a volume? (I did not find any user/permission options both when creating and mounting that volume.)
First, find out the UID number your process is running as.
Then you can tell Kubernetes to chown (sort of) the mount point of the volume for your pod by adding .spec.securityContext.fsGroup:
spec:
...
securityContext:
fsGroup: 2000
fsGroup: integer: A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw---- If unset, the Kubelet will not modify the ownership and permissions of any volume.
I also faced same issue in GKE environment. securityContext is not fixing permission issue. Here i what i have done.
Create a non-root user in Dockerfile and grant necessary permission to directories.
RUN adduser -s /bin/sh -u 1100 --disabled-password foo
RUN apk add sudo
RUN mkdir /app
RUN mkdir /app/logs
RUN chown -R foofoo /app /app/logs
RUN chmod -R 777 /app/logs/
USER foo
WORKDIR /app
Mount the PVC into pod in the deployment yaml file
Create the same user in GKE worker node and grant the necessary permission to mount the path.
/var/lib/docker/volumes/47aa3xxxxxxxxxxxxxxxxxxxx19dc2c864ed99676b/_data
I have a problem whith my installation of docker. When I launch my docker-compose up I have this error :
front_1 | /var/lock/apache2 already exists but is not a directory owned by www-data.
front_1 | Please fix manually. Aborting.
I have this error because I add this line in my dockerfile conf :
RUN usermod -u 1000 www-data
But if I delete this line, my symfony project doesn't work with docker.
Do you have any ideas to solve my problem ?
Best regards
As I see it, you are trying to change UID of user www-data inside docker to have the same ID as host machine user UID (you), so you can open project files in your IDE.
This introduces file permissions problems on apache2 service, which can't read it's own files (config, pid,...), simply because it is not the same user anymore.
Quick 'dirty' solution is to change only owner of symfony project files to UID 1000, but keep group (GID) to the www-data. This applies only for dev machine. Else you don't needed it. Run command inside container.
chown -R 1000:www-data /home/project
You can create some bash alias inside docker to have it at hand.
Other option is to use ACL which will set existing files and folder with permissions, which will get inherited to newly created files under given folder. This could be put to bootstrap script inside container. But only for DEV mode. This way you won't need to run chown.
chown -R 1000:www-data /home/project #set for existing files
/usr/bin/setfacl -R -m u:www-data:rwx -m u:0:rwx -m u:1000:rwx /home/project
/usr/bin/setfacl -dR -m u:www-data:rwx -m u:0:rwx -m u:1000:rwx /home/project
Each -m is for a different user. First is www-data (apache2), second is 0 (root) and third is 1000 (you).
Remember UID can change anytime. So this could create security hole if mentioned users are not having proper UID.
I used second method only for folders, where PHP via apache2 sets permissions (uploaded files, cache,...), but host user needs to access these files.
I enabled root in terminal by sudo passwd root and then attempted to cd a rails site folder located on my desktop. I got the error -bash: cd: /Users/fred/Desktop/sitefolder: Permission denied
How to get rid of this error/ enable all permissions for root? Thanks
Are you sure you called cd as root?
If yes, check if the owner of the folder is root. If not call
sudo chown /Users/fred/Desktop/sitefolder root
then check if the owner has reading permission. If not call
chmod 744 /Users/fred/Desktop/sitefolder
(this enables all permissions for owner and only reading permission for group and others). If you don't care much about that folder you may instead call directly
sudo chmod 777 /Users/fred/Desktop/sitefolder
giving all permissions to every user.