Comments (11)
giuseppe
commented on August 20, 2024
1
opened a PR: #408
from fuse-overlayfs.
rhatdan
commented on August 20, 2024
@giuseppe PTAL
from fuse-overlayfs.
sb604
commented on August 20, 2024
@giuseppe thx for providing the PR. It indeed fixes the described issue. But there seems to be more to it:
TL;DR: syscall mkdir("/foobar", 0700) results in new directory with permissions 0755 which shouldn't be.
I stumbled upon this issue while setting up a samba container (ghcr.io/servercontainers/samba:smbd-only-latest) using a network share as graphroot. Then I boiled it down to the described minimal reproducible example. This example is working now. But the issue with my samba container ist still there.
To be clear: without force_mask=0700 it is working.
Using force_mask=0700 leads to this error while starting the smbd daemon:
[2023/10/30 15:25:08.517288, 0] ../../source3/smbd/server.c:1746(main)
smbd version 4.18.5 started.
Copyright Andrew Tridgell and the Samba Team 1992-2023
[2023/10/30 15:25:08.519327, 0] ../../lib/util/util.c:345(directory_create_or_exist_strict)
invalid permissions on directory '/var/lib/samba/private/msg.sock': has 0755 should be 0700
directory contents before starting smbd:
/ # ls -l /var/lib/samba/private
total 424
-rw------- 1 root root 430080 Oct 30 16:12 secrets.tdb
-rw------- 1 root root 106 Oct 30 16:12 smbpasswd
after trying to start smbd:
/ # ls -l /var/lib/samba/private
total 424
drwxr-xr-x 2 root root 42 Oct 30 15:27 msg.sock
-rw------- 1 root root 430080 Oct 30 15:26 secrets.tdb
-rw------- 1 root root 106 Oct 30 15:26 smbpasswd
STRACE
/ # apk add strace
/ # strace smbd --foreground
[...]
umask(000) = 000
mkdir("/var/lib/samba/private/msg.sock", 0700) = 0
umask(000) = 000
lstat("/var/lib/samba/private/msg.sock", {st_mode=S_IFDIR|0755, st_size=42, ...}) = 0
geteuid() = 0
writev(3, [{iov_base="[2023/10/30 15:28:36.223197, 0]"..., iov_len=93}, {iov_base=" invalid permissions on directo"..., iov_len=94}], 2[2023/10/30 15:28:36.223197, 0] ../../lib/util/util.c:345(directory_create_or_exist_strict)
invalid permissions on directory '/var/lib/samba/private/msg.sock': has 0755 should be 0700
) = 187
[...]
It appears smbd tries to create /var/lib/samba/private/msg.sock with 0700 but gets 0755 instead.
I tried to recreate this by using mkdir -m 700 foobar but strace reveals that mkdir -m uses mkdir(3) followed by chmod(3). This is working.
So I did it the hard way:
# apk add vim
# apk add alpine-sdk
# vim main.c
#include <sys/stat.h>
void main() {
mkdir("/foobar", 0700);
}/ # gcc main.c
/ # rmdir foobar/
/ # strace ./a.out
execve("./a.out", ["./a.out"], 0x7ffe700c1820 /* 11 vars */) = 0
arch_prctl(ARCH_SET_FS, 0x7fbe4e611b48) = 0
set_tid_address(0x7fbe4e611fb8) = 186
brk(NULL) = 0x562caf6d1000
brk(0x562caf6d3000) = 0x562caf6d3000
mmap(0x562caf6d1000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x562caf6d1000
mprotect(0x7fbe4e60e000, 4096, PROT_READ) = 0
mprotect(0x562cad79a000, 4096, PROT_READ) = 0
mkdir("/foobar", 0700) = 0
exit_group(0) = ?
+++ exited with 0 +++
# ls -l
drwxr-xr-x 2 root root 42 Oct 30 15:38 foobar
The created directory should have permissions set to 0700. But it doesn't. ¯\(ツ)/¯
This is with using the fuse-overlayfs version from the PR (https://github.com/containers/fuse-overlayfs/actions/runs/6689710902#artifacts).
And some bonus info:
#include <sys/stat.h>
#include <fcntl.h>
void main() {
mkdir("/foobar", 0777);
open("/foobar.txt", O_CLOEXEC|O_CREAT, 0600);
}-rw------- 1 root root 0 Oct 30 16:02 foobar.txt
So it seams to work for files. At least with open()
from fuse-overlayfs.
giuseppe
commented on August 20, 2024
thanks for the extra information. Could you check if #409 solves the problem with directories?
from fuse-overlayfs.
sb604
commented on August 20, 2024
EDIT: I messed something up in an earlier version of this comment. Just re-read it.
The problem regarding creating new directories described above is now solved. But there is more:
no force_mask, works as is should:
$ podman run --name samba --rm -it --entrypoint=/bin/sh ghcr.io/servercontainers/samba:smbd-only-latest
/ # ls -l /var/lib/
drwxr-xr-x 5 root root 51 Oct 5 13:56 samba
/ # adduser -D -H -u "1000" -s /bin/false "testaccount"
/ # smbpasswd -a -n "testaccount"
/ # ls -l /var/lib/
drwxr-xr-x 5 root root 72 Oct 31 09:13 samba
with foce_mask=0700 (fuse-overlayfs from #409)
$ podman run --name samba --rm -it --entrypoint=/bin/sh ghcr.io/servercontainers/samba:smbd-only-latest
/ # ls -l /var/lib/
drwxr-xr-x 5 root root 51 Oct 5 13:56 samba
/ # adduser -D -H -u "1000" -s /bin/false "testaccount"
/ # smbpasswd -a -n "testaccount"
/ # ls -l /var/lib/
drwx------ 5 root root 72 Oct 31 09:09 samba
What's difference? The directory /var/lib/samba changes permissions from 0755 to 0700 after calling smbpasswd. But it should not be changed. Without force_mask it doesn't change.
I was able to reproduce it by doing this:
#include <fcntl.h>
void main() {
open("/var/lib/samba/private/foobar.txt", O_RDWR|O_CREAT|O_LARGEFILE|O_CLOEXEC, 0600);
}/ # ls -l /var/lib/
total 0
drwxr-xr-x 2 root root 6 Sep 28 11:18 apk
drwxr-xr-x 2 root root 6 Sep 28 11:18 misc
drwxr-xr-x 5 root root 51 Oct 5 13:56 samba
drwxr-xr-x 2 root root 6 Sep 28 11:18 udhcpd
/ # gcc main.c
/ # strace ./a.out
execve("./a.out", ["./a.out"], 0x7fff021d20a0 /* 7 vars */) = 0
arch_prctl(ARCH_SET_FS, 0x7fa521600b48) = 0
set_tid_address(0x7fa521600fb8) = 27
brk(NULL) = 0x56067cbf0000
brk(0x56067cbf2000) = 0x56067cbf2000
mmap(0x56067cbf0000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x56067cbf0000
mprotect(0x7fa5215fd000, 4096, PROT_READ) = 0
mprotect(0x56067b367000, 4096, PROT_READ) = 0
open("/var/lib/samba/private/foobar.txt", O_RDWR|O_CREAT|O_LARGEFILE|O_CLOEXEC, 0600) = 3
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
exit_group(3) = ?
+++ exited with 3 +++
ls -l /var/lib/
/ # ls -l /var/lib/
total 0
drwxr-xr-x 2 root root 6 Sep 28 11:18 apk
drwxr-xr-x 2 root root 6 Sep 28 11:18 misc
drwx------ 5 root root 21 Oct 31 11:30 samba
drwxr-xr-x 2 root root 6 Sep 28 11:18 udhcpd
Creating a new file under /var/lib/samba/private changes permissions of /var/lib/samba....
from fuse-overlayfs.
sb604
commented on August 20, 2024
@rhatdan Would it make sense to re-open this issue as it is clearly not solved yet?
from fuse-overlayfs.
giuseppe
commented on August 20, 2024
thanks for the additional feedback. Opened a new PR: #410
from fuse-overlayfs.
sb604
commented on August 20, 2024
It's still not working:
with out force_mask
/ # /container/scripts/entrypoint.sh
/ # smbd -i --foreground
smbd version 4.18.5 started.
Copyright Andrew Tridgell and the Samba Team 1992-2023
INFO: Profiling support unavailable in this build.
daemon_status: daemon 'smbd' : Starting process ...
startsmbfilepwent_internal: file /var/lib/samba/private/smbpasswd did not exist. File successfully created.
^C
/ # ls -l /var/run/samba/ncalrpc/
total 0
drwx------ 2 root root 26 Nov 2 09:17 np
with force_mask=0700
$ podman run --name samba --rm -it --entrypoint=/bin/sh ghcr.io/servercontainers/samba:smbd-only-latest
/ # apk add strace
/ # ls -l /var/run/samba/
total 0
/ # /container/scripts/entrypoint.sh
/ # strace smbd -i --foreground
smbd version 4.18.5 started.
Copyright Andrew Tridgell and the Samba Team 1992-2023
INFO: Profiling support unavailable in this build.
daemon_status: daemon 'smbd' : Starting process ...
startsmbfilepwent_internal: file /var/lib/samba/private/smbpasswd did not exist. File successfully created.
invalid permissions on directory '/var/run/samba/ncalrpc/np': has 0755 should be 0700
Failed to create pipe directory /var/run/samba/ncalrpc/np - File exists
[...]
umask(000) = 000
mkdir("/var/run/samba/ncalrpc", 0755) = 0
umask(000) = 000
geteuid() = 0
umask(000) = 000
mkdir("/var/run/samba/ncalrpc/np", 0700) = 0
umask(000) = 000
lstat("/var/run/samba/ncalrpc/np", {st_mode=S_IFDIR|0755, st_size=26, ...}) = 0
[...]
/ # strace stat /var/run/samba/ncalrpc/np
execve("/bin/stat", ["stat", "/var/run/samba/ncalrpc/np"], 0x7fff460424f8 /* 7 vars */) = 0
arch_prctl(ARCH_SET_FS, 0x7ff78a7d8b48) = 0
set_tid_address(0x7ff78a7d8fb8) = 49
brk(NULL) = 0x557c8babd000
brk(0x557c8babf000) = 0x557c8babf000
mmap(0x557c8babd000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x557c8babd000
mprotect(0x7ff78a7d5000, 4096, PROT_READ) = 0
mprotect(0x557c8ac69000, 16384, PROT_READ) = 0
getuid() = 0
lstat("/var/run/samba/ncalrpc/np", {st_mode=S_IFDIR|0700, st_size=26, ...}) = 0
/ # ls -l /var/run/samba/
total 4
drwxr-xr-x 3 root root 52 Nov 2 09:14 ncalrpc
-rw-r--r-- 1 root root 3 Nov 2 09:14 smbd.pid
/ # ls -l /var/run/samba/ncalrpc/
total 0
drwx------ 2 root root 26 Nov 2 09:14 np
smbd creates /var/run/samba/ncalrpc/npwith 0700 but lstat() comes back with 0755 immediatly after creation. Running staton the shell then gives the correct result.
from fuse-overlayfs.
sb604
commented on August 20, 2024
I was able to reproduce this:
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <stdio.h>
void main() {
struct stat sb;
mkdir("/var/run/samba/ncalrpc/foobar", 0700);
lstat("/var/run/samba/ncalrpc/foobar", &sb);
printf("Mode: %lo (octal)\n", (unsigned long) sb.st_mode);
}/ # strace ./a.out
execve("./a.out", ["./a.out"], 0x7ffe36bde770 /* 7 vars */) = 0
arch_prctl(ARCH_SET_FS, 0x7fd2c5be7b48) = 0
set_tid_address(0x7fd2c5be7fb8) = 115
brk(NULL) = 0x56205faa4000
brk(0x56205faa6000) = 0x56205faa6000
mmap(0x56205faa4000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x56205faa4000
mprotect(0x7fd2c5be4000, 4096, PROT_READ) = 0
mprotect(0x56205eaf5000, 4096, PROT_READ) = 0
mkdir("/var/run/samba/ncalrpc/foobar", 0700) = 0
lstat("/var/run/samba/ncalrpc/foobar", {st_mode=S_IFDIR|0755, st_size=26, ...}) = 0
ioctl(1, TIOCGWINSZ, {ws_row=70, ws_col=237, ws_xpixel=32766, ws_ypixel=0}) = 0
writev(1, [{iov_base="Mode: 40755", iov_len=11}, {iov_base=" (octal)\n", iov_len=9}], 2Mode: 40755 (octal)
) = 20
exit_group(0) = ?
+++ exited with 0 +++
/ # ls -l /var/run/samba/ncalrpc/
total 0
drwx------ 2 root root 26 Nov 2 09:37 foobar
drwx------ 2 root root 26 Nov 2 09:19 np
what is even more interresting:
/ # stat /var/run/samba/ncalrpc/foobar
File: /var/run/samba/ncalrpc/foobar
Size: 26 Blocks: 0 IO Block: 4096 directory
Device: 35h/53d Inode: 672490 Links: 2
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2023-11-02 09:40:22.351640341 +0000
Modify: 2023-11-02 09:40:22.351640341 +0000
Change: 2023-11-02 09:40:22.351640341 +0000
/ # ls -l /var/run/samba/ncalrpc/
total 0
drwx------ 2 root root 26 Nov 2 09:40 foobar
drwx------ 2 root root 26 Nov 2 09:19 np
Now foobar is 0755 and 0700 at the same time. As it turns out /var/run is a symlink to /run. Here we get the correct results:
So I guess symlinks are not handled correctly.
# ls -l /run/samba/ncalrpc/
total 0
drwx------ 2 root root 26 Nov 2 09:40 foobar
drwx------ 2 root root 26 Nov 2 09:19 np
# stat /run/samba/ncalrpc/np/
File: /run/samba/ncalrpc/np/
Size: 26 Blocks: 0 IO Block: 4096 directory
Device: 35h/53d Inode: 3168480 Links: 2
Access: (0700/drwx------) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2023-11-02 09:19:59.495178941 +0000
Modify: 2023-11-02 09:19:59.495178941 +0000
Change: 2023-11-02 09:19:59.495178941 +0000
from fuse-overlayfs.
giuseppe
commented on August 20, 2024
thanks, added a new patch to the open PR.
I've tried running your container image and it seems to work fine now:
$ podman run --name samba --rm -it ghcr.io/servercontainers/samba:smbd-only-latest
################################################################################
Welcome to the ghcr.io/servercontainers/samba
################################################################################
You'll find this container sourcecode here:
https://github.com/ServerContainers/samba
The container repository will be updated regularly.
################################################################################
mkdir: can't create directory '/var/run/samba': File exists
>> CONTAINER: starting initialisation
cp: can't stat '/container/config/avahi/samba.service': No such file or directory
>> SAMBA CONFIG: no $SAMBA_CONF_LOG_LEVEL set, using '1'
>> SAMBA CONFIG: no $SAMBA_CONF_WORKGROUP set, using 'WORKGROUP'
>> SAMBA CONFIG: no $SAMBA_CONF_SERVER_STRING set, using 'Samba Server'
>> SAMBA CONFIG: no $SAMBA_CONF_MAP_TO_GUEST set, using 'Bad User'
>> AVAHI: zeroconf model: TimeCapsule
/container/scripts/entrypoint.sh: line 157: can't create /etc/avahi/services/samba.service: nonexistent directory
>> ZEROCONF: samba.service file
############################### START ####################################
cat: can't open '/etc/avahi/services/samba.service': No such file or directory
################################ END #####################################
>> EXTERNAL AVAHI: found external avahi, now maintaining avahi service file 'samba.service'
>> EXTERNAL AVAHI: internal avahi gets disabled
cp: can't stat '/etc/avahi/services/samba.service': No such file or directory
chmod: /external/avahi/samba.service: No such file or directory
>> EXTERNAL AVAHI: list of services
ls: /external/avahi/*.service: No such file or directory
>> SAMBA: check smb.conf file using 'testparm -s'
############################### START ####################################
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
Server role: ROLE_STANDALONE
# Global parameters
[global]
dns proxy = No
load printers = No
log file = /dev/stdout
map to guest = Bad User
obey pam restrictions = Yes
passdb backend = smbpasswd
printcap name = /dev/null
security = USER
server role = standalone server
server string = Samba Server
smb1 unix extensions = No
fruit:aapl = yes
fruit:model = TimeCapsule
idmap config * : backend = tdb
acl allow execute always = Yes
vfs objects = catia fruit streams_xattr
wide links = Yes
############################### END ####################################
>> SAMBA: print whole smb.conf
############################### START ####################################
[global]
server role = standalone server
log file = /dev/stdout
dns proxy = no
# password stuff
passdb backend = smbpasswd
obey pam restrictions = yes
security = user
printcap name = /dev/null
load printers = no
dns proxy = no
wide links = yes
follow symlinks = yes
unix extensions = no
acl allow execute always = yes
# MacOS Compatibility options
vfs objects = catia fruit streams_xattr
# Special configuration for Apple's Time Machine
fruit:model = TimeCapsule
fruit:aapl = yes
# Docker Envs global config options
log level = 1
workgroup = WORKGROUP
server string = Samba Server
map to guest = Bad User
############################### END ####################################
>> CMD: exec docker CMD
runsvdir -P /container/config/runit
+ + sleepsleep 2 6
+ exec smbd --foreground
[2023/11/02 00:52:22.821783, 0] ../../source3/smbd/server.c:1746(main)
smbd version 4.18.5 started.
Copyright Andrew Tridgell and the Samba Team 1992-2023
[2023/11/02 00:52:22.825254, 1] ../../source3/profile/profile_dummy.c:30(set_profile_level)
INFO: Profiling support unavailable in this build.
[2023/11/02 00:52:22.856029, 0] ../../source3/passdb/pdb_smbpasswd.c:249(startsmbfilepwent)
startsmbfilepwent_internal: file /var/lib/samba/private/smbpasswd did not exist. File successfully created.
+ exec nmbd --foreground
What other tests can I do to make sure it will fix your use case?
from fuse-overlayfs.
sb604
commented on August 20, 2024
Thank you very much @giuseppe my samba container ist working now.
This whole issue got me thinking... I went ahead and looked for some filesystem testsuit and found this: musikid/pjd
Running it on my underlying cephfs results in no errors. Running it on fuse-overlayfs backed by cephfs shows some issues:
Tests: 68 failed, 35 skipped, 282 passed, 385 total
Maybe you wanna look into it and include it in your build pipeline. I can't really judge which of those test cases are even relevant.
from fuse-overlayfs.
Related Issues (20)
- `tar: .: file changed as we read it` with `fuse-overlayfs` HOT 14
- debug help to indentify partial reads on readonly overlay
- kernel crash (task blocked) when using fuse-overlayfs on tmpfs HOT 2
- change fuse-overlayfs license to GPL2 HOT 35
- Calling fuse-overlayfs in a systemd user service fails to mount anything HOT 3
- Mount with fuse-overlayfs is about 7x slower than mount with /usr/bin/mount HOT 3
- wrong inode on entries read by readdir instead of readdirplus
- Unpredictable Behavior when Upperdir is also Mountpoint HOT 5
- Extraneous "/proc seems to be mounted as readonly, it can lead to unexpected failures" HOT 1
- cp's copy_file_range vs read-only files HOT 2
- chown -R on non-empty directory changes mtime
- overlay driver is very slow in podman-in-podman builds with large COPY layer HOT 6
- What are the Supported Options in fuse-overlayfs? HOT 1
- touch: setting times of 'XXX' : No such file or directory
- mkdir with permissions 0555 fails HOT 6
- Make with Fuse 2 HOT 2
- Support running fuse-overlayfs without the open fds 0, 1 and 2
- Does fuse-overlayfs support a fuse filesystem as upperdir? HOT 1
- FUSE Passthrough? HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from fuse-overlayfs.