Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

mount --bind mount: permission denied #60

Closed
sijnc opened this issue Dec 22, 2016 · 10 comments
Closed

mount --bind mount: permission denied #60

sijnc opened this issue Dec 22, 2016 · 10 comments

Comments

@sijnc
Copy link

sijnc commented Dec 22, 2016

I worked around this by setting:

securityContext: privileged: true

in the Kubernetes container spec to enable docker --privileged, can you comment on the security implications of doing this and are there any other workarounds for mount --bind that don't require --privileged?

Thanks

@pmblatino
Copy link

@sijnc hey can you show me your .yaml file, im also trying to run it on kubernetes

@joshudev
Copy link

+1 What's the best practice for this?

@atmoz
Copy link
Owner

atmoz commented Jun 24, 2017

I haven't researched this enough to know how to do it another way or what security implications it has.

Would appreciate if someone could share some knowledge on this!

@arkan
Copy link

arkan commented Sep 28, 2017

While trying to make https://github.com/atmoz/sftp#bindmount-dirs-from-another-location working I also experienced the same issue.

However it's not necessary to use privileged: true to solve the issue, and we can only use --cap-add=SYS_ADMIN which only adds the requested permission.

For more information about this you can read the official documentation here https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities and an interesting stackoverflow answer here https://stackoverflow.com/questions/36553617/how-do-i-mount-bind-inside-a-docker-container

Hope it helps.

@atmoz
Copy link
Owner

atmoz commented Sep 29, 2017

Thank you @arkan!

I will add instructions to the readme

@atmoz atmoz closed this as completed Sep 29, 2017
@bkraul
Copy link

bkraul commented Nov 20, 2019

Can anyone help on this, using docker compose? I am using the cap_add: section, and I am still getting the error permission denied. This is what my docker compose looks like (minus private info, of course)

version: '2.4'
services:
  sftp:
    image: atmoz/sftp
    restart: always
    cap_add:
      - SYS_ADMIN
    ports:
      - '22001:22'
    volumes:
      # generated host keys.
      - ~/docker-persist/sftp/keys/host/ssh_host_ed25519_key:/etc/ssh/ssh_host_ed25519_key
      - ~/docker-persist/sftp/keys/host/ssh_host_rsa_key:/etc/ssh/ssh_host_rsa_key
      # authorized public keys.
      - ~/docker-persist/sftp/keys/authorized/bkraul/id_rsa.pub:/home/bkraul/.ssh/keys/id_rsa.pub:ro
      # users file
      - ~/docker-persist/sftp/users.conf:/etc/sftp/users.conf:ro
      # data directories.
      - ~/docker-persist/myfolder:/data/myfolder 
      # bind mounts script
      - ~/docker-persist/sftp/bindmounts.sh:/etc/sftp.d/bindmounts.sh

This is what the log says:

[/entrypoint] Running /etc/sftp.d/bindmounts.sh ...
mount: mount /data/myfolder on /home/bkraul/myfolder  failed: Permission denied
/entrypoint: Error on line 81: $f

UPDATE: This seems to work using privileged: true. So apparently SYS_ADMIN is not enough?

@FullStackAlex
Copy link

Running privileged containers or with sys_admin is a security risk according to the O'Reilly book "Container Security" and those blogs:
https://ericchiang.github.io/post/privileged-containers/
https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/

Both disable the isolation of a container according to those sources.

@bkraul
Copy link

bkraul commented May 27, 2021

This is still a problem with swarm. Swarmed environments do not support privileged, and using cap_add with SYS_ADMIN does not work, as the binds still fail. Is there any other particular capability that can be added for this to work? (swarm now supports caps).

@Arcitec
Copy link

Arcitec commented Dec 29, 2021

I was going crazy trying to bind a mounted external drive to a path inside the image via podman.

I could see the folder in the SFTP client, but always got "permission denied" when entering the folder.

Finally, --privileged worked. --cap-add=SYS_ADMIN doesn't work.

I also had to run podman itself as sudo...

Basically, I had to do this:

sudo podman run \
    --privileged \
    -v /my/external/drives/mountpoint/Upload:/home/foo/data \
    -p 2222:22 -d atmoz/sftp \
    foo:pass:1000

Would love to run it with lower privileges but nothing I tried works. Does anyone have any more surgical/precise solution to fix the permissions without using --privileged?

@jobggun
Copy link

jobggun commented Jul 9, 2023

I was going crazy trying to bind a mounted external drive to a path inside the image via podman.

I could see the folder in the SFTP client, but always got "permission denied" when entering the folder.

Finally, --privileged worked. --cap-add=SYS_ADMIN doesn't work.

I also had to run podman itself as sudo...

Basically, I had to do this:

sudo podman run \
    --privileged \
    -v /my/external/drives/mountpoint/Upload:/home/foo/data \
    -p 2222:22 -d atmoz/sftp \
    foo:pass:1000

Would love to run it with lower privileges but nothing I tried works. Does anyone have any more surgical/precise solution to fix the permissions without using --privileged?

@Arcitec
With SYS_ADMIN capability and apparmor profile with mount allowed, you can fix permissions without using --privileged

Example of my apparmor profile:

#include <tunables/global>

profile docker-sftp flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  network,
  capability,
  file,
  umount,

  mount options=(rw, ro, bind, rbind),

  deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/mem rwklx,
  deny @{PROC}/kmem rwklx,
  deny @{PROC}/kcore rwklx,

  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
  deny /sys/firmware/efi/efivars/** rwklx,
  deny /sys/kernel/security/** rwklx,
}

I hope it is helpful for you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

9 participants