Rootless podman using --device and --group-add keep-groups device owned by nobody

[arielnmz]

Issue Description

I am trying to use a printer inside an alpine container:

podman run -it --rm  --privileged --group-add keep-groups --device=/dev/usb   docker.io/alpine:3.18 sh

From inside the container ls reveals that the file is owned by nobody.

Host:

% ls -lha /dev/usb
total 0
drwxr-xr-x.  2 root root      160 Aug 10 15:24 .
drwxr-xr-x. 19 root root     4.4K Aug 10 14:36 ..
crw-------.  1 root root 180,  96 Aug 10 14:36 hiddev0
crw-------.  1 root root 180,  97 Aug 10 14:36 hiddev1
crw-------.  1 root root 180,  98 Aug 10 14:36 hiddev2
crw-------.  1 root root 180,  99 Aug 10 14:36 hiddev3
crw-------.  1 root root 180, 100 Aug 10 14:36 hiddev4
crw-rw----.  1 root lp   180,   0 Aug 10 15:24 lp0
%

Container:

/ # ls -lha /dev/usb
total 0      
drwxr-xr-x    2 root     root         160 Aug 10 22:23 .
drwxr-xr-x   15 root     root        2.9K Aug 10 22:23 ..
crw-------    1 nobody   nobody    180,  96 Aug 10 20:36 hiddev0
crw-------    1 nobody   nobody    180,  97 Aug 10 20:36 hiddev1
crw-------    1 nobody   nobody    180,  98 Aug 10 20:36 hiddev2
crw-------    1 nobody   nobody    180,  99 Aug 10 20:36 hiddev3
crw-------    1 nobody   nobody    180, 100 Aug 10 20:36 hiddev4
crw-rw----    1 nobody   nobody    180,   0 Aug 10 21:24 lp0
/ # 

Stat says the owner is 65534:

Container:

/ # stat /dev/usb/lp0
  File: /dev/usb/lp0
  Size: 0               Blocks: 0          IO Block: 4096   character special file
Device: 6h/6d   Inode: 1316        Links: 1     Device type: b4,0
Access: (0660/crw-rw----)  Uid: (65534/  nobody)   Gid: (65534/  nobody)
Access: 2024-08-10 22:03:16.580994995 +0000
Modify: 2024-08-10 21:24:16.786544647 +0000
Change: 2024-08-10 22:17:13.515383095 +0000

More info:

Container:

 # id
uid=0(root) gid=0(root) groups=65534(nobody),65534(nobody),65534(nobody),0(root)

If instead I use --group-add lp, I see this:

Container:

 # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),7(lp),10(wheel),11(floppy),20(dialout),26(tape),27(video)

But ls still says lp0 is owned by nobody.

The results are the same regardless of --privileged or not.

I followed instructions on all these reports:

• Rootless podman using --device and --group-add keep-groups not working as expected #10166
• /proc and /sys are owned by nobody inside rootless containers #16557
• SELinux prevents rootless container from using passed device #15930

But nothing seems to work.

I need the device to show with group lp otherwise CUPS doesn't even recognize it.

FWIW: I seem to have access to the device as cat /dev/usb/lp0 and echo ... > /dev/usb/lp0 do not fail with Permission denied or anything and the printer seems to be pushing paper out of it.

Steps to reproduce the issue

Steps to reproduce the issue

1. podman run -it --rm --privileged --group-add keep-groups --device=/dev/usb docker.io/alpine:3.18 sh
2. ls -lha /dev/usb

Describe the results you received

crw-rw---- 1 nobody nobody 180, 0 Aug 10 21:24 lp0

Describe the results you expected

crw-rw---- 1 nobody lp 180, 0 Aug 10 21:24 lp0

podman info output

host:
  arch: amd64
  buildahVersion: 1.36.0
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.10-1.fc40.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: '
  cpuUtilization:
    idlePercent: 98.4
    systemPercent: 0.27
    userPercent: 1.33
  cpus: 32
  databaseBackend: boltdb
  distribution:
    distribution: fedora
    version: "40"
  eventLogger: journald
  freeLocks: 1903
  hostname: bc-1
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.9.12-200.fc40.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 123263619072
  memTotal: 134973480960
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.11.0-3.fc40.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.11.0
    package: netavark-1.11.0-3.fc40.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.11.0
  ociRuntime:
    name: crun
    package: crun-1.15-1.fc40.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.15
      commit: e6eacaf4034e84185fd8780ac9262bbf57082278
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20240624.g1ee2eca-1.fc40.x86_64
    version: |
      pasta 0^20240624.g1ee2eca-1.fc40.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 8589930496
  swapTotal: 8589930496
  uptime: 0h 59m 39.00s
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /home/ben/.config/containers/storage.conf
  containerStore:
    number: 22
    paused: 0
    running: 1
    stopped: 21
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/ben/.local/share/containers/storage
  graphRootAllocated: 1024191365120
  graphRootUsed: 548132724736
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 684
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/ben/.local/share/containers/storage/volumes
version:
  APIVersion: 5.1.2
  Built: 1720569600
  BuiltTime: Tue Jul  9 18:00:00 2024
  GitCommit: ""
  GoVersion: go1.22.5
  Os: linux
  OsArch: linux/amd64
  Version: 5.1.2

Podman in a container

No

Privileged Or Rootless

Privileged

Upstream Latest Release

No

Additional environment details

No response

Additional information

No response

[rhatdan]

The UID of the actual owner of the device is root, which is not mapped into the container. Adding --group-add lp will just add the lp group inside the container to the primary process of the container.

If the rootless user is able to write to the lp /dev/usb/lp0 device via group access, then --group-add keep-groups is the correct thing to do.

If you run the groups command within the container you should see that the primary process belongs to the nobody group, but this is the GID external to the container with group access to the device.

Bottom line attempt to print and stop paying attention to the UID/GIDs mapped into the container.

[arielnmz]

@rhatdan The problem is that CUPS will try to run the backend process /usr/lib/cups/backend/usb with the internal group lp(7) which makes it fail with [CGI] Failed to open device, code: -3. Running the same command from the primary process does work but I can't tell /usr/lib/cups/daemon/cups-exec to use Group root because (As per the CUPS docs.):

this cannot be any user or group that resolves to ID 0 for security reasons...

So even if the primary process maps to user 1000 outside, CUPS will complain.

I'm looking for a way to map the lp(7) group inside the container to lp(7) from the outside. Is that even possible?

[rhatdan]

For a rootless container the only way to do this would be to add the lp group to the users /etc/subgid and potentially /etc/subuid. But this would give the user full control over the LP UID/GID group.