mount --bind mount: permission denied

[sijnc]

I worked around this by setting:

securityContext: privileged: true

in the Kubernetes container spec to enable docker --privileged, can you comment on the security implications of doing this and are there any other workarounds for mount --bind that don't require --privileged?

Thanks

[pmblatino]

@sijnc hey can you show me your .yaml file, im also trying to run it on kubernetes

[joshudev]

+1 What's the best practice for this?

[atmoz]

I haven't researched this enough to know how to do it another way or what security implications it has.

Would appreciate if someone could share some knowledge on this!

[arkan]

While trying to make https://github.com/atmoz/sftp#bindmount-dirs-from-another-location working I also experienced the same issue.

However it's not necessary to use privileged: true to solve the issue, and we can only use --cap-add=SYS_ADMIN which only adds the requested permission.

For more information about this you can read the official documentation here https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities and an interesting stackoverflow answer here https://stackoverflow.com/questions/36553617/how-do-i-mount-bind-inside-a-docker-container

Hope it helps.

[atmoz]

Thank you @arkan!

I will add instructions to the readme

[bkraul]

Can anyone help on this, using docker compose? I am using the cap_add: section, and I am still getting the error permission denied. This is what my docker compose looks like (minus private info, of course)

version: '2.4'
services:
  sftp:
    image: atmoz/sftp
    restart: always
    cap_add:
      - SYS_ADMIN
    ports:
      - '22001:22'
    volumes:
      # generated host keys.
      - ~/docker-persist/sftp/keys/host/ssh_host_ed25519_key:/etc/ssh/ssh_host_ed25519_key
      - ~/docker-persist/sftp/keys/host/ssh_host_rsa_key:/etc/ssh/ssh_host_rsa_key
      # authorized public keys.
      - ~/docker-persist/sftp/keys/authorized/bkraul/id_rsa.pub:/home/bkraul/.ssh/keys/id_rsa.pub:ro
      # users file
      - ~/docker-persist/sftp/users.conf:/etc/sftp/users.conf:ro
      # data directories.
      - ~/docker-persist/myfolder:/data/myfolder 
      # bind mounts script
      - ~/docker-persist/sftp/bindmounts.sh:/etc/sftp.d/bindmounts.sh

This is what the log says:

[/entrypoint] Running /etc/sftp.d/bindmounts.sh ...
mount: mount /data/myfolder on /home/bkraul/myfolder  failed: Permission denied
/entrypoint: Error on line 81: $f

UPDATE: This seems to work using privileged: true. So apparently SYS_ADMIN is not enough?

[FullStackAlex]

Running privileged containers or with sys_admin is a security risk according to the O'Reilly book "Container Security" and those blogs:
https://ericchiang.github.io/post/privileged-containers/
https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/

Both disable the isolation of a container according to those sources.

[bkraul]

This is still a problem with swarm. Swarmed environments do not support privileged, and using cap_add with SYS_ADMIN does not work, as the binds still fail. Is there any other particular capability that can be added for this to work? (swarm now supports caps).

[Arcitec]

I was going crazy trying to bind a mounted external drive to a path inside the image via podman.

I could see the folder in the SFTP client, but always got "permission denied" when entering the folder.

Finally, --privileged worked. --cap-add=SYS_ADMIN doesn't work.

I also had to run podman itself as sudo...

Basically, I had to do this:

sudo podman run \
    --privileged \
    -v /my/external/drives/mountpoint/Upload:/home/foo/data \
    -p 2222:22 -d atmoz/sftp \
    foo:pass:1000

Would love to run it with lower privileges but nothing I tried works. Does anyone have any more surgical/precise solution to fix the permissions without using --privileged?

[jobggun]

I was going crazy trying to bind a mounted external drive to a path inside the image via podman.

I could see the folder in the SFTP client, but always got "permission denied" when entering the folder.

Finally, --privileged worked. --cap-add=SYS_ADMIN doesn't work.

I also had to run podman itself as sudo...

Basically, I had to do this:

sudo podman run \
    --privileged \
    -v /my/external/drives/mountpoint/Upload:/home/foo/data \
    -p 2222:22 -d atmoz/sftp \
    foo:pass:1000

Would love to run it with lower privileges but nothing I tried works. Does anyone have any more surgical/precise solution to fix the permissions without using --privileged?

@Arcitec
With SYS_ADMIN capability and apparmor profile with mount allowed, you can fix permissions without using --privileged

Example of my apparmor profile:

#include <tunables/global>

profile docker-sftp flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  network,
  capability,
  file,
  umount,

  mount options=(rw, ro, bind, rbind),

  deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/mem rwklx,
  deny @{PROC}/kmem rwklx,
  deny @{PROC}/kcore rwklx,

  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
  deny /sys/firmware/efi/efivars/** rwklx,
  deny /sys/kernel/security/** rwklx,
}

I hope it is helpful for you.