How to change owner/group of a file in /tmp of a container?

Moderator: BarryK

Caramel
Posts: 321
Joined: Sun Oct 02, 2022 6:25 pm
Location: France
Has thanked: 78 times
Been thanked: 51 times


Post by Caramel »

In the container bookworm (for example), it is possible to create a file in the /tmp directory but the change of owner or group is not permitted.
I would like to understand why and above all know how to modify this behavior.

I am trying to make a container with the nix package manager but it doesn't work because it can't change ownership of a temporary file (a file in /mnt/wkg/containers/nix/container/tmp) although it runs as root.

Thanks.

BarryK
Posts: 2273
Joined: Tue Dec 24, 2019 1:04 pm
Has thanked: 93 times
Been thanked: 565 times

Re: How to change owner/group of a file in /tmp of a container?

Post by BarryK »

You can do it from "outside", that is, as the root user.
Inside the container, it is running as "crippled root".

For example, for the bookworm container, go to /mnt/.easy_rw/bookworm/tmp

...that's for the case of running in RAM. If doing direct writes to the drive, go to /mnt/wkg/containers/.session


Re: How to change owner/group of a file in /tmp of a container?

Post by Caramel »

BarryK wrote: Wed Jul 12, 2023 1:48 am

> You can do it from "outside", that is, as the root user.
> Inside the container, it is running as "crippled root".
>
> For example, for the bookworm container, go to /mnt/.easy_rw/bookworm/tmp
>
> ...that's for the case of running in RAM. If doing direct writes to the drive, go to /mnt/wkg/containers/.session

Thanks for the answer.

In my attempt, it's the program inside the container that needs to change the ownership of a file in /tmp.


Re: How to change owner/group of a file in /tmp of a container?

Post by BarryK »

"crippled root" is like a non-root user; it has limitations for security reasons.
Being unable to change owner:group is one of them.

You can run a container with less security, but then all you are getting is isolation from the main filesystem but without the security.
If you click "setup" icon, choose EasyOS -> Easy Containers, you can change the security settings.
Note that some of those settings haven't been debugged. As I seem to recall, the least-secure, which is hardly any security, does work.


Re: How to change owner/group of a file in /tmp of a container?

Post by Caramel »

BarryK wrote: Wed Jul 12, 2023 11:37 pm

> You can run a container with less security, but then all you are getting is isolation from the main filesystem but without the security.
> If you click "setup" icon, choose EasyOS -> Easy Containers, you can change the security settings.
> Note that some of those settings haven't been debugged. As I seem to recall, the least-secure, which is hardly any security, does work.

Found in /usr/local/easy_containers/ec-chroot, line 486:

[ "$EC_CAP_file" == "true" ] && cOPTS="${cOPTS}-chown,-kill,-dac_override,-dac_read_search,-fowner,-setfcap,-setpcap,"

Choosing EC_CAP_file=true drops the capability to change ownership ("-chown" in the line).

For my test, in Easy Containers, tab Expert, I've unticked the file box and now chown works. Thanks again!

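Added example, not part of the thread and not EasyOS code: a way to confirm from inside a container which of the seven capabilities named in the quoted ec-chroot line are missing, by decoding the CapEff or CapBnd mask from /proc/<pid>/status. The function names and the sample mask are constructed for illustration; the bit numbers are those of linux/capability.h.

```shell
#!/bin/sh
# Added example: decode a Linux capability mask (hex value of CapEff or
# CapBnd in /proc/<pid>/status) for the capabilities that the ec-chroot
# line quoted in the thread drops. Helper names here are hypothetical.

# name:bit pairs, bit numbers from linux/capability.h
EC_FILE_CAPS="chown:0 dac_override:1 dac_read_search:2 fowner:3 kill:5 setpcap:8 setfcap:31"

# cap_state HEXMASK -> one "name=present" or "name=dropped" line per capability
cap_state() {
    mask=$(( 0x$1 ))
    for pair in $EC_FILE_CAPS; do
        name=${pair%%:*}
        bit=${pair##*:}
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            echo "$name=present"
        else
            echo "$name=dropped"
        fi
    done
}

# can_chown HEXMASK -> exit status 0 only if CAP_CHOWN (bit 0) is set
can_chown() {
    [ $(( 0x$1 & 1 )) -eq 1 ]
}

# current_mask FIELD -> mask of the awk child, which inherits this shell's
# capability sets (FIELD is CapEff or CapBnd)
current_mask() {
    awk -v f="$1:" '$1 == f { print $2 }' /proc/self/status
}

# Constructed sample: a full root set with exactly those seven bits cleared.
SAMPLE_DROPPED=000001ff7ffffed0
cap_state "$SAMPLE_DROPPED"

# On Linux, also report the live effective set of this shell.
if [ -r /proc/self/status ]; then
    live=$(current_mask CapEff)
    if [ -n "$live" ] && can_chown "$live"; then
        echo "CAP_CHOWN is in the effective set: chown to another owner is allowed"
    else
        echo "CAP_CHOWN is not in the effective set: chown to another owner fails even as uid 0"
    fi
fi
```

Run inside the container, a "dropped" result for chown matches the behaviour described in the thread: uid 0 without CAP_CHOWN cannot change a file's owner.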