[pkg-lxc-devel] Bug#987293: lxc: unprivileged containers don't have permission to access their configuration files

Celejar celejar at gmail.com
Tue Apr 20 23:27:28 BST 2021


Package: lxc
Version: 1:4.0.6-1
Severity: normal

The default location for the configuration files of unprivileged
containers created by non-root users seems to be $HOME/.local/share, but
such containers will fail to start, since they don't have permission to
access that directory, since it isn't world accessible.

On this Sid system, $HOME and $HOME/.local are 755, but
$HOME/.local/share is 700. On a Buster system of mine, $HOME is 755, but
the other two are only 700. On both these systems, starting unprivileged
containers fails with something like:

lxc-start: my-container: start.c: print_top_failing_dir: 125 Permission denied - Could not access /home/username/.local/share. Please grant it x access, or add an ACL for the container root
lxc-start: my-container: sync.c: __sync_wait: 62 An error occurred in another process (expected sequence number 3)
lxc-start: my-container: start.c: __lxc_start: 1951 Failed to spawn container "my-container"
lxc-start: my-container: tools/lxc_start.c: main: 330 The container failed to start
lxc-start: my-container: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options

The solution is obviously to grant the appropriate permissions, but I
think this should be handled automatically by the system, or at the very
least, documentation should be added explaining the issue, instead of
requiring users to figure this out on their own.

Here's a suggestion for a paragraph to be added to the "Unprivileged
containers" section of README.Debian:

*****

Unprivileged containers started by non-root users store their
configuration in ~/.local/share, and so must have permission to
access that directory. This can be granted via a command like (assuming
the acl package is installed):

setfacl --modify user:nnnnnnnn:x . .local .local/share

where nnnnnnnn is the subuid mapped to 0 in
~/.config/lxc/default.conf

*****

-- System Information:
Debian Release: 11.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-6-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lxc depends on:
ii  bridge-utils                 1.7-1
ii  debconf [debconf-2.0]        1.5.76
ii  dnsmasq-base [dnsmasq-base]  2.85-1
ii  iproute2                     5.10.0-4
ii  iptables                     1.8.7-1
ii  libc6                        2.31-11
ii  libcap2                      1:2.44-1
ii  libgcc-s1                    10.2.1-6
ii  liblxc1                      1:4.0.6-1
ii  libseccomp2                  2.5.1-1
ii  libselinux1                  3.1-3
ii  lsb-base                     11.1.0

Versions of packages lxc recommends:
ii  apparmor       2.13.6-10
ii  debootstrap    1.0.123
ii  dirmngr        2.2.27-1
ii  gnupg          2.2.27-1
pn  libpam-cgfs    <none>
ii  lxc-templates  3.0.4-5
pn  lxcfs          <none>
ii  openssl        1.1.1k-1
ii  rsync          3.2.3-4
ii  uidmap         1:4.8.1-1
ii  wget           1.21-1+b1

Versions of packages lxc suggests:
ii  btrfs-progs  5.10.1-1
ii  lvm2         2.03.11-2.1
pn  python3-lxc  <none>

-- debconf information:
  lxc/auto_update_config:
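As an added example (not part of the report above), the following POSIX shell script automates the check the report describes: it reads the subuid mapped to container uid 0 from ~/.config/lxc/default.conf, then lists which directories between $HOME and ~/.local/share that uid cannot traverse and prints the corresponding setfacl command without applying it. It assumes GNU stat and, for ACL-aware checks, getfacl from the acl package; the ACL mask is not considered.

```shell
#!/bin/sh
# Added example, not part of the bug report: find the host uid that an
# unprivileged container maps to container uid 0 and list the directories
# on the way to ~/.local/share that this uid cannot enter.

# Print the host uid mapped to container uid 0, taken from lines such as
# "lxc.idmap = u 0 100000 65536" (u <container-start> <host-start> <count>).
lxc_root_subuid() {
    awk '/^[[:space:]]*lxc\.idmap[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")
            if ($1 == "u" && $2 <= 0 && 0 < $2 + $4) { print $3 - $2; exit }
         }' "$1"
}

# Print every directory from $2 (the top, e.g. $HOME) down to $1 inclusive,
# one per line, so each can be checked for traverse (x) permission.
path_chain() {
    dir="$1"; top="$2"; chain=""
    while [ "$dir" != "$top" ] && [ "$dir" != "/" ] && [ -n "$dir" ]; do
        chain="$dir
$chain"
        dir=$(dirname "$dir")
    done
    printf '%s\n%s' "$top" "$chain"
}

# For uid $1 and directory $2 (default ~/.local/share), print each directory
# between $HOME and $2 that the uid cannot enter: no x bit for "others" and
# no ACL entry user:<uid>:..x (ACL mask ignored). No output means the
# container root can reach its configuration.
missing_traverse() {
    uid="$1"; dir="${2:-$HOME/.local/share}"
    path_chain "$dir" "$HOME" | while IFS= read -r d; do
        mode=$(stat -c %a "$d") || continue
        other=${mode#"${mode%?}"}              # last octal digit = others
        [ $((other & 1)) -eq 1 ] && continue
        getfacl -c "$d" 2>/dev/null | grep -q "^user:$uid:..x" && continue
        printf '%s\n' "$d"
    done
}

# Print (do not run) the setfacl command the report suggests, restricted to
# the directories that actually need it. Invoke as: ./check-lxc-acl.sh --check
main() {
    uid=$(lxc_root_subuid "$HOME/.config/lxc/default.conf")
    [ -n "$uid" ] || { echo "no lxc.idmap line found" >&2; return 1; }
    missing=$(missing_traverse "$uid")
    [ -n "$missing" ] || { echo "uid $uid can already traverse"; return 0; }
    echo "run: setfacl --modify user:$uid:x $(printf '%s ' $missing)"
}

case "${1:-}" in --check) main ;; esac
```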