Permission denied: container can't write to /dangerzone #157
Comments
|
As you're building from source, I think that adding If that still doesn't work, I've seen podman bugs/questions apparently related to SELinux leading to "permission denied" issues. I don't know if those type of problems still happen on redhat like-systems. => TL;DR add |
|
I created a branch implementing @yveszoundi's recommendations. It resolves the issue for CLI output: Feels like it'd be helpful to take on some more advice at this point |
|
It's looking good @odub , despite the remaining errors:
Solution final touchesReplace the ReferencesWorking equivalent Rust solution (sorry for Rust)Related problem in the past (I think), in this repoUse shutil.move instead of os.rename in the final step - Issue 134 Similar problems with explanations |
|
@odub I've recently fixed a similar problem. If you have a chance, can you check that it's working on this branch #183.
If it doesn't work we'll need to add this. |
deeplow
changed the title
|
Closing this as it is probably solved in the 0.3.2 release. Feel free to open this in case it wasn't. |
I'm getting this issue. I followed this: I tried both with this project and for fork on the 118-podman-machine branch (with the apparmor removed). |
|
As you can see here: dangerzone/dangerzone/container.py Line 76 in e923c5a The container always gets startet with user dangerzone. If you want to map directories from the current user on the host you would need to set |
|
Just to be double sure, @Roxiun did you rebuild the image? i.e. run `./install/linux/build-image.sh (or whatever OS you're on). If you haven't done so yet, this could be the source of the issue.
So you're arguing is that in order to use volumes in containers you need to run the container as the current user? From my testing this wasn't the case. And I just tested getting a shell on the document-to-pixels container and confirmed files touched in did in fact show up in the mapped directory on the host: |
|
@deeplow can you please show me the ids of the user inside the container and the id of the user on the host? in my case I had user 1001 on the host and user 1000 inside the container, so I couldn't write inside the /dangerzone directory. (I am on debian btw.) |
Yep i used |
|
In the container it was running as user And in the host it was also running as user |
|
+1 I'm on Debian 11 and also get the error It happens with the version installed by 'apt' as well as when building from the v0.3.2 master branch. I tried running 'dangerzone-cli' or the builds as uid 1000 or 0. The error stays the same. @websi96 Where would I need to add |
I thought about changing it like this in container.py:
|
|
This results in However if I set the ID to either 0:0 or 1000:1000 it works if I execute dangerzone with the matching user. |
|
I see.. Then there must be some other way to resolve the current ID of the user via this Python script I guess.. It doesn't interpolate the environment variables as I guessed it would.. |
|
I was able to resolve this issue for me. (dangerzone v0.3.2 on Debian 11 inside a VirtualBox) So when a user wants to access a VirtualBox shared folder, the user needs to be inside the edit: works on the "apt install" version as well as a self built version |
|
@Lu-Ka: Thanks for digging more into this, and posting your workaround. If possible, could you clarify something? In the Dangerzone container you are not part of the So, what is different with the file in the Virtualbox shared folder? Can you share its permissions here? Also, what's the guest OS? |
|
@websi96: Did you manage to make Dangerzone work, or do you still need to use a custom switch? |
|
Host OS: Fedora 36 Here is the output for the Virtualbox shared folder from inside the Debian 11 VM: |
|
I did not look into it further.. I just started it as user 1000 on my host. |
|
Thanks for the output @Lu-Ka . So, this is why the container couldn't read In any case, your workaround makes sense. What Dangerzone could do here, both for your case and @websi96's, is to copy the file into a temporary directory, before any container starts, and set its permissions accordingly so that the first container can read it. This requires some thinking, but I think it would be feasible. |
|
That would work. It would just make the process a bit slower for larger files. (Don't think that this matters in the context of using dangerzone) The VirtualBox on my host runs as the same user: |
|
Yeah, the processing pipeline of Dangerzone ends up reading and writing a single file multiple times, so an extra copy wouldn't hurt. The pros outweigh the cons in this case. Thanks a lot for sharing the permissions in your host OS btw. So, we can see that the file in the host Fedora OS has the typical permissions ( whereas the same file within the Debian 11 VM has different permissions ( So, Virtualbox Shared Folders do not take into account the file permissions in the host system, by default. Users can alter this behavior though, and mount the shared folder under their own UID/GID in the guest VM. See here for more info: https://forums.virtualbox.org/viewtopic.php?f=3&t=15868. |
|
All in all, we have a workaround for this issue for now. I propose keeping this issue open until we fix the underlying cause, which is ensuring that the Dangerzone container can access the files reliably. |
|
Thanks for the link. I did not know that you can mount VirtualBox shares manually. I can confirm mounting it manually via
For auto mount add Non the less I think a temporary file copy made by dangerzone would be a good idea. |
|
I have this error as well on Fedora 37 with SELinux on. Running
This is the reason why under Fedora 37, the Permission Denied issue occurs. I suspect this is also what occurs in #260. The |
|
We have work-in-progress code that redoes the day documents are mounted and their permissions. It's not SELinux-related but it might fix this issue for some #248. |
Copy input files in a temporary dir before mounting them, thereby changing their permissions, without affecting the original files. This way, we can avoid cases where a file is accessible to the user only due to a supplemental user group, which does not work for containers. Fixes #157 Fixes #260 Fixes #335
Copy input files in a temporary dir before mounting them, thereby changing their permissions, without affecting the original files. This way, we can avoid cases where a file is accessible to the user only due to a supplemental user group, which does not work for containers. Fixes #157 Fixes #260 Fixes #335
Copy input files in a temporary dir before mounting them, thereby changing their permissions, without affecting the original files. This way, we can avoid cases where a file is accessible to the user only due to a supplemental user group, which does not work for containers. Fixes #157 Fixes #260 Fixes #335
Copy input files in a temporary dir before mounting them, thereby changing their permissions, without affecting the original files. This way, we can avoid cases where a file is accessible to the user only due to a supplemental user group, which does not work for containers. Fixes #157 Fixes #260 Fixes #335
I have Fedora Workstation 35 and I have compiled dangerzone from source.
It all goes well until I try to sanitize a document, when this error is thrown:
The text was updated successfully, but these errors were encountered: