Example of the problem:
docker run -ti -v my_passwd:/etc/passwd -v my_shadow:/etc/shadow --rm centos
[root#681a5489f3b0 /]# useradd test # does not work !?
useradd: failure while writing changes to /etc/passwd
[root#681a5489f3b0 /]# ll /etc/passwd /etc/shadow # permission check
-rw-r--r-- 1 root root 157 Oct 8 10:17 /etc/passwd
-rw-r----- 1 root root 100 Oct 7 18:02 /etc/shadow
The similar problem arises when using passwd:
[root#681a5489f3b0 /]# passwd test
Changing password for user test.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: Authentication token manipulation error
I have tried using the ubuntu image, but the same problem arises.
I can manually edit passwd file and shadow file from within container.
I am getting the same problem on following two machines:
Host OS: CentOS 7 - SELinux Disabled
Docker Version: 1.8.2, build 0a8c2e3
Host OS: CoreOS 766.4.0
Docker version: 1.7.1, build df2f73d-dirty
I've also opened issue on GitHub: https://github.com/docker/docker/issues/16857
It's failing because passwd manipulates a temporary file, and then attempts to rename it to /etc/shadow. This fails because /etc/shadow is a mountpoint -- which cannot be replaced -- which results in this error (captured using strace):
102 rename("/etc/nshadow", "/etc/shadow") = -1 EBUSY (Device or resource busy)
You can reproduce this trivially from the command line:
# cd /etc
# touch foo
# mv foo shadow
mv: cannot move 'foo' to 'shadow': Device or resource busy
You could work around this by mounting a directory containing my_shadow and my_passwd somewhere else, and then symlinking /etc/passwd and /etc/shadow in the container appropriately:
$ docker run -it --rm -v $PWD/my_etc:/my_etc centos
[root#afbc739f588c /]# ln -sf /my_etc/my_passwd /etc/passwd
[root#afbc739f588c /]# ln -sf /my_etc/my_shadow /etc/shadow
[root#afbc739f588c /]# ls -l /etc/{shadow,passwd}
lrwxrwxrwx. 1 root root 17 Oct 8 17:48 /etc/passwd -> /my_etc/my_passwd
lrwxrwxrwx. 1 root root 17 Oct 8 17:48 /etc/shadow -> /my_etc/my_shadow
[root#afbc739f588c /]# passwd root
Changing password for user root.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root#afbc739f588c /]#
Related
I can't change a directory's owner even if I'm root.
I want to build a NAS by using raspberry 3B+.
So I have created a user named dorm.
Then I changed sshd_file in order to restrict SFTP users(dorm) to
only visit his home directories
Now the user(dorm) doesn't have the write permission. So After I
google it,I should mkdir a 777 directory at /home/dorm/ .So I made it by root.
Then I wanna change its owner by chown -R dorm:dorm
/home/dorm/Documents. I failed.
Maybe its best to remove the user and try again, this is what I did to make it work.
log into newly setup raspberry pi as pi user, only default logins exist.
pi#raspberrypi:~ $ whoami
pi
pi#raspberrypi:~ $ lslogins -u
UID USER PROC PWD-LOCK PWD-DENY LAST-LOGIN GECOS
0 root 84 root
1000 pi 5 15:31 ,,,
add new user dorm
$ sudo adduser dorm
Adding user `dorm' ...
Adding new group `dorm' (1001) ...
Adding new user `dorm' (1001) with group `dorm' ...
Creating home directory `/home/dorm' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for dorm
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
pi#raspberrypi:~ $ lslogins -u
UID USER PROC PWD-LOCK PWD-DENY LAST-LOGIN GECOS
0 root 87 root
1000 pi 5 15:31 ,,,
1001 dorm 0 ,,,
make a backup and edit your sshd_config file,
pi#raspberrypi:~ $ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config-bak
pi#raspberrypi:~ $ sudo vim /etc/ssh/sshd_config
pi#raspberrypi:~ $ diff /etc/ssh/sshd_config /etc/ssh/sshd_config-bak
122,128d121
<
< Match User dorm
< X11Forwarding no
< AllowTcpForwarding no
< PermitTTY no
< ForceCommand internal-sftp
< ChrootDirectory /home/dorm
restart ssh service with sudo service sshd restart
change the ownership of the dorm home directory to root.
$ sudo chown root:root /home/dorm
$ sudo chmod 755 /home/dorm
from the dorm user's directory use sudo as the pi user to create the Documents folder and give ownership to the dorm user
pi#raspberrypi:/home/dorm $ ls
pi#raspberrypi:/home/dorm $ mkdir Documents
mkdir: cannot create directory ‘Documents’: Permission denied
pi#raspberrypi:/home/dorm $ sudo mkdir Documents
pi#raspberrypi:/home/dorm $ ls -l
total 4
drwxr-xr-x 2 root root 4096 Feb 8 18:15 Documents
pi#raspberrypi:/home/dorm $ sudo chown -R dorm:dorm Documents
pi#raspberrypi:/home/dorm $ ls -l
total 4
drwxr-xr-x 2 dorm dorm 4096 Feb 8 18:15 Documents
test the connection etc. using your IP address from your host computer (ssh should reply No route to host)
$ sftp dorm#<IP>
dorm#<IP>'s password:
Connected to dorm#<IP>.
sftp>
you can see the created Documents folder and the user number that owns it (dorm's number)
sftp> ls -ltr
drwxr-xr-x 2 1001 1001 4096 Feb 8 18:15 Documents
you can't move out of the base directory
sftp> pwd
Remote working directory: /
sftp> cd ..
sftp> pwd
Remote working directory: /
you can't put files in the base directory as dorm doesn't have permissions. (file path will need to be altered for your system)
sftp> put /Users/<USER>/tmp
Uploading /Users/<USER>/tmp to /tmp
remote open("/tmp"): Permission denied
if you move into Documents then you can then upload files
sftp> cd Documents
sftp> put /Users/<USER>/tmp
Uploading /Users/<USER>/tmp to /Documents/tmp
/Users/<USER>/tmp 100% 0 0.0KB/s 00:00
I'm using slackware 14.2, and i want to create directory public_html in /home/*/ when i create user. I saw there's a file useradd in /etc/default/, but i don't know, if this file should be editing.
Like that:
# mkdir /etc/skel/public_html
# useradd -s /bin/bash -m -d /home/user1 user1
# ls -Al ~user1
total 4
drwxr-xr-x 2 user1 user1 4096 Dec 9 11:43 public_html
here is ls -ld folder_in_question on a host:
lrwxrwxrwx 1 xxx xxx 22 ноя 11 06:40 ../doc -> /mnt/nfs/2600/data/doc
here is ls -ld folder_in_question on from a container:
drwxrwxr-x 3 1002 1002 4096 Nov 11 03:31 /home/xxx/data
I can create and edit files from host, yet when I try say
FROM openjdk:9-jre-slim
#...
RUN adduser --disabled-password --gecos '' xxx
RUN mkdir /home/xxx/data
RUN chown -R xxx:xxx /home/xxx/data
#...
CMD echo "hello" >> /home/xxx/data/test
and run container from my user (as well as from root, default) I get:
sudo docker run -u xxx -it -v /home/xxx/doc:/home/xxx/data x/o:latest
/bin/sh: 1: cannot create /home/xxx/data/test: Permission denied
Same happens if I provide direct path to Docker -v.
How such problem can be solved, what steps shall I take?
On my MacOS laptop I mounted a file in my newly created container using:
docker run --name mediawiki --link mysql:mysql -p 80:80 -v /Users/poiuytrez/Downloads/LocalSettings.php:/var/www/html/LocalSettings.php
--rm poiuytrez/mediawiki:1.25.3
However, apache seems to have issues to read the file. We can learn by running a bash command in the container that the read permissions is not applied for all:
root#078252e20671:/var/www/html# ls -l LocalSettings.php
-rw-r----- 1 1000 staff 4857 Nov 18 15:44 LocalSettings.php
I tried the same process on docker installed on a Linux Debian 8 machine and I am getting:
root#16e34a9b169d:/var/www/html# ls -l LocalSettings.php
-rw-r--r-- 1 www-data www-data 4858 Nov 19 13:32 LocalSettings.php
which is much better for me.
How to add the read permissions for everybody without doing a chmod a+r on boot2docker/dockermachine?
I am using Docker 1.8.3
In docker-machine and boot2docker your /Users directory are mapped inside the virtual-machine at the same path, so when you map the volume like:
-v /Users/poiuytrez/Downloads/LocalSettings.php:/var/www/html/LocalSettings.php
actually is the boot2docker directory that you are mounting inside the container, so there is 2 levels.
You can see that the LocalSettings.php owner does not exist inside the container, so when you ls -l the user id are showing in your case userid 1000 and group staff.
-rw-r----- 1 1000 staff 4857 Nov 18 15:44 LocalSettings.php
1000 staff
Try to see the owner and the permissions inside boot2docker vm with boot2docker ssh or docker-machine ssh <you-machine-name> and ls -l inside it.
Other approach is to add an user with id 1000 inside your container and run your web server as this user.
You can also add a fix-permission.sh script to your container run command.
In Docker roadmap there are some improvements in user namespace to come in the next releases. I saw this article some days ago:
http://integratedcode.us/2015/10/13/user-namespaces-have-arrived-in-docker/
I hope it solves this ownership issues.
LocalSettings.php was -rw-r----- on my Mac. So it was the same in the container...
Good day!
I have a linux sftp server located in VM. This VM has access to a GlusterFS storage, where sftp directories are located. Sftp works via OpenSSH server and chroots sftpusers group to sftp directories on GlusterFS storage. All worked well... After one moment I had got an issue...
Trying to create user:
# useradd -d /mnt/cluster-data/repositories/masters/test-user -G masters,sftpusers -m -s /bin/nologin test-user
Checking:
# cat /etc/passwd | grep test-user
test-user:x:1029:1032::/mnt/cluster-data/repositories/masters/test-user:/bin/nologin
# cat /etc/group | grep test-user
masters:x:1000:test-user
sftpusers:x:1005:test-user
test-user:x:1032:
Doing chown and chmod for home dir by hand:
# chown -R test-user:test-user /mnt/cluster-data/repositories/masters/test-user
# chmod -R 770 /mnt/cluster-data/repositories/masters/test-user
Checking:
# ls -la /mnt/cluster-data/repositories/masters/test-user
итого 16
drwxrwx--- 2 test-user test-user 4096 Окт 27 2013 .
drwxr-xr-x 13 root masters 4096 Окт 27 2013 ..
Adding another user to test-user's group:
# usermod -G test-user -a tarasov-af
# cat /etc/passwd | grep tarasov-af
tarasov-af:x:1028:1006::/mnt/cluster-data/repositories/lecturers/tarasov-af/:/bin/nologin
# cat /etc/group | grep tarasov-af
masters:x:1000:tarasov-af,test-user
sftpusers:x:1005:tarasov-af,test-user
lecturers:x:1006:tarasov-af
specialists:x:1008:tarasov-af
test-user:x:1032:tarasov-af
Login as tarasov-af:
sftp> cd masters/test-user
sftp> ls
remote readdir("/masters/test-user"): Permission denied
sftp> ls -la ..
drwxr-xr-x 13 0 1000 4096 Oct 26 21:30 .
drwxr-xr-x 6 0 0 4096 Oct 2 15:53 ..
drwxrwx--- 2 1029 1032 4096 Oct 26 21:53 test-user
I tried to login as tarasov-af into bash (usermod -s /bin/bash tarasov-af):
$ id
uid=1028 gid=1006
groups=1000,1005,1006,1008,1032
p.s. I guess this issue began after VM disk failed and I've got /etc/passwd and /etc/group broken, I've restored them from backups and all previous accounts works well, I have this issue only with new accounts.
I've found the reason of this issue: user tarasov-af has more than 16 secondary groups, first 15 groups work good, other -- don't work. I've set kernel.ngroups_max = 65535 in sysctl.conf on every computer in cluster (GlusterFS) and on sftp VM but nothing changed.
This issue goes to glusterfs client, it can't manipulate with more than 15 secondary groups.
# glusterfs --version
glusterfs 3.2.7 built on Sep 29 2013 03:28:05