spec: loosen permissions on /usr/lib/containers/storage/* dirs #2507
Conversation
Since /usr/lib/containers/storage/ is configured as an additional store by default [1] these directories are important to be able to be read by unprivileged users. The problem I ran into was when generating a disk image using supermin [2] it didn't pick up the images.lock and layers.lock files when creating the resulting filesystem (because running supermin unprivileged means they weren't viewable because they were under directories that weren't accessible to non-root). Because those files weren't there, when I eventually ran OSBuild inside the supermin VM, which happens to mount in /usr/ read-only inside the OSBuild env I'd get an error when trying to do podman/skopeo operations: ``` Copying blob sha256:9dad063a624b62064bf25dbbc2e802e472d636056f661f2a0be73efd8a4da98b time="2025-08-11T15:45:48Z" level=fatal msg="trying to reuse blob sha256:7842e86602a2d0ca8e8e12adc8520579a1fef4fad571bb83a450b5d98269ae5a at destination: looking for layers with digest \"sha256:7842e86602a2d0ca8e8e12adc8520579a1fef4fad571bb83a450b5d98269ae5a\": loading additional layer stores: open /usr/lib/containers/storage/overlay-layers/layers.lock: read-only file system" ``` If the *.lock files exist. The errors won't manifest. [1] https://github.com/containers/common/blob/6f98aea06fcd025b418e7414d6b33df02478aa51/rpm/update-config-files.sh#L46-L49 [2] https://libguestfs.org/supermin.1.html
Reviewer's guide (collapsed on small PRs)Reviewer's GuideLoosen default permissions for overlay storage directories under /usr/lib/containers/storage to 755 so that unprivileged users can access the generated lock files when building disk images. Entity relationship diagram for overlay storage directories and lock fileserDiagram
OVERLAY_IMAGES ||--o| IMAGES_LOCK : contains
OVERLAY_LAYERS ||--o| LAYERS_LOCK : contains
OVERLAY_IMAGES {
string path
int permissions
}
IMAGES_LOCK {
string filename
}
OVERLAY_LAYERS {
string path
int permissions
}
LAYERS_LOCK {
string filename
}
File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
|
I'm interested to have someone evaluate the security implications of making these directories viewable by non-root users. |
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
There was a problem hiding this comment.
Hey @dustymabe - I've reviewed your changes and they look great!
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: dustymabe, sourcery-ai[bot] The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Narrowing in further on why this is required leads to an issue with permissions when supermin is creating the filesystem for the supermin VM. Opened containers/common#2507 upstream to address this, but for now let's fixup the permissions in our image build.
Luap99
left a comment
Luap99
left a comment
There was a problem hiding this comment.
If the goal if this store is to be used by rootless users sure, but AFAIK the entire share store across users is generally quite bad because all the uids are not aligned and there are post that recommend chmod -R a+rx https://www.redhat.com/en/blog/image-stores-podman So that seem to be in-line with that.
AFAICT the actually layer files under the directories are still owned by root with no access for the rootless user so security wise it should be fine? Although logically if the user has access to the lock file I assume they can deadlock all other podman instances that access the store by simply holding the lock forever which may be a much bigger security concern?
I don't understand why we configure such a store by default. Trying to find the history brings me to https://src.fedoraproject.org/rpms/containers-common/c/719145eb7e83a4e618588c21c66f2687c2ffb458
which well has no context whatsoever.
The problem I ran into was when generating a disk image using supermin [2] it didn't pick up the images.lock and layers.lock files when creating the resulting filesystem (because running supermin unprivileged means they weren't viewable because they were under directories that weren't accessible to non-root).
Isn't that a problem of the tool if it misses files that are only viewable by root? I am might be missing the purpose of supermin.
|
Yeah I'm similarly iffy on this globally configured default additional store... I can't imagine this actually working well by default? |
I'm not sure that it is intended to be used by rootless users. If I I guess the additional store is just in
perhaps. I think it's just doing the best it can given the situation. Another thing that may be an option here. If an additional store is configured and it's on a read-only filesystem, then don't require locking? The read-only filesystem should ensure there's no consistency issues, right? |
|
I don't think it should be configured by default for rootless because it requires a specific configuration. I don't see disadvantages doing it for root-only but then we don't need to loosen the permissions? |
Right. I determined above it's not enabled for rootless by default and I agree it shouldn't be.
Yeah. I think you are right, but maybe we can shift the conversation to the idea I had in #2507 (comment)
|
Ah yes right that make sense of course
I am not a storage maintainer and not to familiar with the store logic there to know how easy that would be to implement. In principle if we allow this to be run on readonly without existing lock files than there likely isn't any reason to create the lock files in the spec file to begin with. |
True.. Where should we take this? Since I think we've established that the proposed change in this PR isn't the likely best solution to the problem should I close it? |
Narrowing in further on why this is required leads to an issue with permissions when supermin is creating the filesystem for the supermin VM. Opened containers/common#2507 upstream to address this, but for now let's fixup the permissions in our image build.
|
I'll close it now. |
4 participants
Since /usr/lib/containers/storage/ is configured as an additional store by default [1] these directories are important to be able to be read by unprivileged users.
The problem I ran into was when generating a disk image using supermin [2] it didn't pick up the images.lock and layers.lock files when creating the resulting filesystem (because running supermin unprivileged means they weren't viewable because they were under directories that weren't accessible to non-root).
Because those files weren't there, when I eventually ran OSBuild inside the supermin VM, which happens to mount in /usr/ read-only inside the OSBuild env I'd get an error when trying to do podman/skopeo operations:
If the *.lock files exist. The errors won't manifest.
[1]
common/rpm/update-config-files.sh
Lines 46 to 49 in 6f98aea
[2] https://libguestfs.org/supermin.1.html
Summary by Sourcery
Loosen directory permissions for overlay-images and overlay-layers under /usr/lib/containers/storage to allow unprivileged users to read lock files and prevent read-only filesystem errors in unprivileged workflows
Bug Fixes: