Conflicts between POSIX permissions and ACLs

Hi,

I’ve just migrated my data from a Synology DS918+ that abruptly died and am trying to grapple with the much more complex permissions model.

I’m attempting to run containers with Podman in a jailmaker. I thought the best practice was having a user per container so that each container has access to only what it needs to. Hence, I have the following data set structure:

podman
  data
    traefik
    Plex
    ...
  stacks

So each container gets its own data set. They use NFSv4 ACLs.

I created a podman user that maps to a non-root user in the jail that I use to run my containers, similar to this comment from Jailmaker discussions. It owns the podman data set, everything works as expected there.

I created a traefik user and granted access to it via ACL to the traefik dataset only. My intention was to use the mapped uid of that user as the user for the container. However when I try accessing the data as that user via SSH in the jail, it has no access despite the ACLs being set.

Do ACLs that grant other users access outside the standard POSIX permissions not get respected on the command line? If not, what is the usual practice for having separate users for containers?

I’m generally extremely confused by how the different types of permissions interact, and the documentation doesn’t explain this.

Did you manage to figure it out? Perhaps try posting in the jailmaker discussion section on GitHub or the main jailmaker thread on this forum. I think you’ll get more response that way.

In my experience the Unix permissions are needed for jails.

Not saying it won’t work with ACLs, but I’ve found success by ensuring the user/group permissions are set as desired, and with the correct ACL passthrough.

Thanks, I figured it out after posting to the Jailmaker discussions section.

The problem was I was attempting to do user namespacing for more security. I made the mistake of trying to use the rootless Podman template, which made it even more confusing as there were multiple layers of indirection.

What worked was using normal Docker with user namespacing on the jail, and ensuring that both the user and group id of the user I created on the host maps correctly to the user and group that I’m running the docker container as.

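The "maps correctly" step in the last reply is where most of these setups go wrong, so here is an added example (my own, not from the thread or from the jailmaker project) that makes the offset explicit. It assumes the namespace layer, whether systemd-nspawn's private users or Docker's userns-remap, applies a subordinate range in the /etc/subuid and /etc/subgid format (name:start:count), so that container id N is host id start+N. The sample range lines are constructed for the example; on a real host you would read them from /etc/subuid and /etc/subgid and take the dataset owner from `stat -c '%u:%g' /path/to/dataset`.

```shell
#!/bin/sh
# Added example: translate between the host uid/gid that owns a dataset and
# the uid/gid a process inside a user namespace must run as, given the
# subordinate range that the namespace applies. Any id outside the range is
# rejected rather than silently mapped to nobody.

# Constructed sample subordinate ranges (format name:start:count, as in
# /etc/subuid and /etc/subgid). Not taken from a real host.
SUBUID_LINE="dockremap:100000:65536"
SUBGID_LINE="dockremap:100000:65536"

# map_id RANGE_LINE HOST_ID
# Prints the id seen inside the namespace; returns 1 if HOST_ID is not
# covered by the range (such a file would show up as nobody/nogroup inside).
map_id() {
    range_line=$1
    host_id=$2
    start=$(printf '%s' "$range_line" | cut -d: -f2)
    count=$(printf '%s' "$range_line" | cut -d: -f3)
    end=$((start + count - 1))
    if [ "$host_id" -lt "$start" ] || [ "$host_id" -gt "$end" ]; then
        return 1
    fi
    echo $((host_id - start))
}

# unmap_id RANGE_LINE NS_ID
# Reverse direction: which host id a process running as NS_ID inside the
# namespace actually writes files as. Returns 1 if NS_ID exceeds the range.
unmap_id() {
    range_line=$1
    ns_id=$2
    start=$(printf '%s' "$range_line" | cut -d: -f2)
    count=$(printf '%s' "$range_line" | cut -d: -f3)
    if [ "$ns_id" -lt 0 ] || [ "$ns_id" -ge "$count" ]; then
        return 1
    fi
    echo $((start + ns_id))
}

# container_user SUBUID_LINE SUBGID_LINE HOST_UID HOST_GID
# Prints the "uid:gid" to hand to `docker run --user` (or to the jail user)
# so that the process owns exactly the dataset owned by HOST_UID:HOST_GID.
container_user() {
    cuid=$(map_id "$1" "$3") || return 1
    cgid=$(map_id "$2" "$4") || return 1
    echo "$cuid:$cgid"
}

# host_owner SUBUID_LINE SUBGID_LINE NS_UID NS_GID
# Prints the host "uid:gid" that a dataset must be chowned to for a process
# running as NS_UID:NS_GID inside the namespace.
host_owner() {
    huid=$(unmap_id "$1" "$3") || return 1
    hgid=$(unmap_id "$2" "$4") || return 1
    echo "$huid:$hgid"
}

# Example run: a dataset owned on the host by 101234:101234 must be accessed
# from inside the namespace as 1234:1234, and the other way round.
container_user "$SUBUID_LINE" "$SUBGID_LINE" 101234 101234
host_owner "$SUBUID_LINE" "$SUBGID_LINE" 1234 1234
```

The useful check is the failing case: a host user created in the normal 1000-range, like the traefik user in the original question, is outside the subordinate range, so `container_user` returns non-zero instead of a uid. That is the situation where the files look owned by nobody from inside the jail or container no matter what ACL is set on the host, and the fix is to chown the dataset to the id `host_owner` prints for the uid the container runs as, with the group id checked the same way.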