← Back to team overview

touch-packages team mailing list archive

[Bug 1367730] [NEW] container root directory has broken permissions with tight umask and --keep-data

 

Public bug reported:

While fixing autopkgtest for tight umasks
(http://bugs.debian.org/761049) I noticed that LXC fails under tight
umasks, too:

$ sudo -i
# umask 077
# lxc-start-ephemeral --keep-data -o adt-utopic
[... boots ... ]
adt-utopic-9x0b7tw_ login: ubuntu
Password:
Welcome to Ubuntu Utopic Unicorn (development branch) (GNU/Linux 3.16.0-14-generic x86_64)

 * Documentation:  https://help.ubuntu.com/
Unable to cd to '/home/ubuntu'

then it fails and goes back to the login prompt. This is because of

$ sudo lxc-attach -n adt-utopic-9x0b7tw_
root@adt-utopic-9x0b7tw_:/# ls -ld /
drwx------ 1 root root 4096 Sep 10 14:23 /

apparently the container overlay root directory is created with the host
umask, and thus any non-root process in the container can't execute
anything due to / having 0700 permissions only.

This is with LXC 1.1.0~alpha1-0ubuntu4 under current Utopic.

** Affects: lxc (Ubuntu)
     Importance: Low
         Status: New

** Changed in: lxc (Ubuntu)
   Importance: Undecided => Low

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1367730

Title:
  container root directory has broken permissions with tight umask and
  --keep-data

Status in “lxc” package in Ubuntu:
  New

Bug description:
  While fixing autopkgtest for tight umasks
  (http://bugs.debian.org/761049) I noticed that LXC fails under tight
  umasks, too:

  $ sudo -i
  # umask 077
  # lxc-start-ephemeral --keep-data -o adt-utopic
  [... boots ... ]
  adt-utopic-9x0b7tw_ login: ubuntu
  Password:
  Welcome to Ubuntu Utopic Unicorn (development branch) (GNU/Linux 3.16.0-14-generic x86_64)

   * Documentation:  https://help.ubuntu.com/
  Unable to cd to '/home/ubuntu'

  then it fails and goes back to the login prompt. This is because of

  $ sudo lxc-attach -n adt-utopic-9x0b7tw_
  root@adt-utopic-9x0b7tw_:/# ls -ld /
  drwx------ 1 root root 4096 Sep 10 14:23 /

  apparently the container overlay root directory is created with the
  host umask, and thus any non-root process in the container can't
  execute anything due to / having 0700 permissions only.

  This is with LXC 1.1.0~alpha1-0ubuntu4 under current Utopic.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1367730/+subscriptions


Follow ups

References