I've got a rootless, quadlet-based container running with an unprivileged local user
called "app", with UID 1017 and GID 1020.
In addition, this user belongs to group IDs 1002 ("sftp-only") and 1003
("sftp-reader").
There's a host directory /srv/sftp-home, owned by root with its group set to
sftp-only, 0750 permissions. It has a bunch of subdirectories, owned by individual SFTP
connecting users, but with the group set to sftp-reader on all of them, 0750 permissions
also.
The app user is able to read all of these directories via the host group membership.
In the quadlet config for the service running as this user, I have these lines:
[Container]
# container root is my host "app" user
UIDMap=0:0:1
# For apt-get to work inside the container
UIDMap=42:1:1
# container root group is my host "app" group
GIDMap=0:0:1
# For apt-get to work inside the container
GIDMap=65534:1:1
# Probably irrelevant here, but mentioned just in case
NoNewPrivileges=true
Mount=type=bind,source=/srv/sftp-home,target=/srv/sftp-home
All other quadlet file contents have been omitted here, but there should be nothing else
that's related to this issue there.
Within the container, the bind-mounted /srv/sftp-home is owned by nobody:nogroup, and the
in-container root user is unable to access it, despite the underlying host user being
able to access the bind mount source directory.
What can be done to fix this? Podman version 5.2.5.
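To see where the nobody:nogroup ownership comes from, here is an added shell example (not from the question or from Podman itself) that applies the two-stage rootless ID mapping, host to the user's intermediate namespace via the subordinate range and then the quadlet's UIDMap/GIDMap lines, to the IDs named above; the subordinate range start (100000) and count (65536) are assumptions, the rest is taken from the question.

```sh
#!/bin/sh
# Constructed model of the two-stage rootless ID mapping. Each map is written in
# the kernel's /proc/PID/{uid,gid}_map format: "inner outer count".
# Stage 1 (host -> intermediate): the "app" user's own UID/GID becomes
# intermediate 0, its subordinate range becomes intermediate 1.. (the range
# start and count below are assumed; check /etc/subuid and /etc/subgid).
# Stage 2 (intermediate -> container): the quadlet UIDMap=/GIDMap= lines.
APP_UID=1017; APP_GID=1020
SUB_START=100000; SUB_COUNT=65536   # assumed subordinate range for "app"
HOST_TO_INTER_UID="0 $APP_UID 1
1 $SUB_START $SUB_COUNT"
HOST_TO_INTER_GID="0 $APP_GID 1
1 $SUB_START $SUB_COUNT"
INTER_TO_CTR_UID="0 0 1
42 1 1"            # UIDMap=0:0:1 and UIDMap=42:1:1
INTER_TO_CTR_GID="0 0 1
65534 1 1"         # GIDMap=0:0:1 and GIDMap=65534:1:1

# map_id MAP ID: print the inner id for outer ID; status 1 if unmapped.
map_id() {
    while read -r inner outer count; do
        [ -z "$inner" ] && continue
        if [ "$2" -ge "$outer" ] && [ "$2" -lt $((outer + count)) ]; then
            echo $((inner + $2 - outer))
            return 0
        fi
    done <<EOF
$1
EOF
    return 1
}

# host_to_ctr STAGE1 STAGE2 ID: apply both stages; an id that is unmapped at
# either stage shows up in the container as the kernel overflow id 65534,
# which the container's /etc/passwd and /etc/group name nobody and nogroup.
host_to_ctr() {
    inter=$(map_id "$1" "$3") && map_id "$2" "$inter" || echo 65534
}
ctr_uid() { host_to_ctr "$HOST_TO_INTER_UID" "$INTER_TO_CTR_UID" "$1"; }
ctr_gid() { host_to_ctr "$HOST_TO_INTER_GID" "$INTER_TO_CTR_GID" "$1"; }

# /srv/sftp-home is root:sftp-only (0:1002) on the host; the subdirectories
# carry group sftp-reader (1003); the app user itself is 1017:1020.
echo "host 0:1002 (root:sftp-only)  -> container $(ctr_uid 0):$(ctr_gid 1002)"
echo "host gid 1003 (sftp-reader)   -> container gid $(ctr_gid 1003)"
echo "host 1017:1020 (app:app)      -> container $(ctr_uid 1017):$(ctr_gid 1020)"
```

Only host 1017:1020 reaches container root; the directory owner, its group and the app user's supplementary groups all fall outside both maps and collapse to 65534.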