You are running into a namespace mapping issue, to your edit, I don't know anyone that uses secondary groups with bind mounts. Your host user may have access, but your container isn't "running" as your host user, it is running as a user within your subuid/subuid range that then gets mapped to your user as configured.

On Tuesday, Jan 21, 2025 at 5:54 PM, JK Laiho <jklaiho(a)iki.fi (mailto:jklaiho@iki.fi)> wrote: I've got a rootless, quadlet-based container running with an unprivileged local user called "app", with UID 1017 and GID 1020. In addition, this user belongs to group IDs 1002 ("sftp-only") and 1003 ("sftp-reader"). There's a host directory /srv/sftp-home, owned by root with its group set to sftp-only, 0750 permissions. It has a bunch of subdirectories, owned by individual SFTP connecting users, but with the group set to sftp-reader on all of them, 0750 permissions also. The app user is able to read all of these directories via the host group membership. In the quadlet config for the service running as this user, I have these lines: [Container] # container root is my host "app" user UIDMap=0:0:1 # For apt-get to work inside the container UIDMap=42:1:1 # container root group is my host "app" group GIDMap=0:0:1 # For apt-get to work inside the container GIDMap=65534:1:1 # Probably irrelevant here, but mentioned just in case NoNewPrivileges=true Mount=type=bind,source=/srv/sftp-home,target=/srv/sftp-home All other quadlet file contents have been omitted here, but there should be nothing else that's related to this issue there. Within the container, the bind mounted /srv/sftp-home is owned by nobody:nogroup, and the in-container root user is unable to access them despite the underlying host user being able to access the bind mount source directory. What can be done to fix this? Podman version 5.2.5. _______________________________________________ Podman mailing list -- podman(a)lists.podman.io To unsubscribe send an email to podman-leave(a)lists.podman.io