[Bug 1555997] [NEW] chmod fails with "Operation not permitted" on chowned files in ephemeral container

Martin Pitt martin.pitt at ubuntu.com
Fri Mar 11 09:31:35 UTC 2016


Public bug reported:

I'm investigating some failures in autopkgtest's testsuite, and stumbled
over something really weird: In an ephemeral container it is apparently
not possible any more to chmod files that started out being root owned
and got chowned later:

$ sudo lxc-start-ephemeral -o adt-wily
(log in as ubuntu/ubuntu)
ubuntu@adt-wily-hvzj1eoa:~$ echo hello | sudo tee /tmp/testfile
[sudo] password for ubuntu:
hello
ubuntu@adt-wily-hvzj1eoa:~$ sudo chown ubuntu:ubuntu /tmp/testfile
ubuntu@adt-wily-hvzj1eoa:~$ chmod +x /tmp/testfile
chmod: changing permissions of ‘/tmp/testfile’: Operation not permitted

However, if the file was *not* previously chowned, it works as expected:

ubuntu@adt-wily-hvzj1eoa:~$ echo hello > /tmp/testfile2
ubuntu@adt-wily-hvzj1eoa:~$ chmod +x /tmp/testfile2
ubuntu@adt-wily-hvzj1eoa:~$ chmod -x /tmp/testfile2

(no errors and testfile2 becomes executable)

There is no visible permission difference in the files at all, other
than being group-writable (but changing the group w bit in either
direction does not change the error at all):

-rw-r--r-- 1 ubuntu ubuntu 6 Mar 11 10:26 /tmp/testfile
-rw-rw-r-- 1 ubuntu ubuntu 6 Mar 11 10:26 /tmp/testfile2

ubuntu@adt-wily-hvzj1eoa:~$ stat /tmp/testfile*
  File: ‘/tmp/testfile’
  Size: 6         	Blocks: 8          IO Block: 4096   regular file
Device: 15h/21d	Inode: 28          Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1000/  ubuntu)   Gid: ( 1000/  ubuntu)
Access: 2016-03-11 10:26:19.574364117 +0100
Modify: 2016-03-11 10:26:19.574364117 +0100
Change: 2016-03-11 10:26:21.930343210 +0100
 Birth: -
  File: ‘/tmp/testfile2’
  Size: 6         	Blocks: 8          IO Block: 4096   regular file
Device: 15h/21d	Inode: 29          Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 1000/  ubuntu)   Gid: ( 1000/  ubuntu)
Access: 2016-03-11 10:26:58.730145919 +0100
Modify: 2016-03-11 10:26:58.730145919 +0100
Change: 2016-03-11 10:27:44.530203985 +0100
 Birth: -

There are also no ACLs involved (I checked with getfacl).

This does not happen with a normal lxc-start, so this might very well be
a bug in Linux' overlayfs. However, it also does not happen with the
more modern "sudo lxc-copy -n adt-wily --ephemeral --foreground" -- but
perhaps this isn't using overlayfs?

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: lxc 2.0.0~rc9-0ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-11.26-generic 4.4.4
Uname: Linux 4.4.0-11-generic x86_64
ApportVersion: 2.20-0ubuntu3
Architecture: amd64
CurrentDesktop: i3
Date: Fri Mar 11 10:21:20 2016
EcryptfsInUse: Yes
PackageArchitecture: all
SourcePackage: lxc
UpgradeStatus: No upgrade log present (probably fresh install)
defaults.conf:
 lxc.network.type = veth
 lxc.network.link = lxcbr0
 lxc.network.flags = up
 lxc.network.hwaddr = 00:16:3e:xx:xx:xx
dnsmasq.conf:
 enable-tftp
 tftp-root=/tmp/tftp
 dhcp-boot=pxelinux.0
lxc.conf: lxc.lxcpath = /srv/lxc

** Affects: lxc (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug xenial

** Description changed:

  I'm investigating some failures in autopkgtest's testsuite, and stumbled
  over something really weird: In an ephemeral container it is apparently
  not possible any more to chmod files that started out being root owned
  and got chowned later:
  
  $ sudo lxc-start-ephemeral -o adt-wily
  (log in as ubuntu/ubuntu)
  ubuntu at adt-wily-hvzj1eoa:~$ echo hello | sudo tee /tmp/testfile
- [sudo] password for ubuntu: 
+ [sudo] password for ubuntu:
  hello
  ubuntu at adt-wily-hvzj1eoa:~$ sudo chown ubuntu:ubuntu /tmp/testfile
  ubuntu at adt-wily-hvzj1eoa:~$ chmod +x /tmp/testfile
  chmod: changing permissions of ‘/tmp/testfile’: Operation not permitted
  
  However, if the file was *not* previously chowned, it works as expected:
  
  ubuntu at adt-wily-hvzj1eoa:~$ echo hello > /tmp/testfile2
  ubuntu at adt-wily-hvzj1eoa:~$ chmod +x /tmp/testfile2
- ubuntu at adt-wily-hvzj1eoa:~$ chmod +- /tmp/testfile2
+ ubuntu at adt-wily-hvzj1eoa:~$ chmod -x /tmp/testfile2
  
  (no errors and testfile2 becomes executable)
  
  There is no visible permission difference in the files at all:
  
  -rw-r--r-- 1 ubuntu ubuntu 6 Mar 11 10:26 /tmp/testfile
  -rw-rw-r-- 1 ubuntu ubuntu 6 Mar 11 10:26 /tmp/testfile2
  
- 
  ubuntu at adt-wily-hvzj1eoa:~$ stat /tmp/testfile*
-   File: ‘/tmp/testfile’
-   Size: 6         	Blocks: 8          IO Block: 4096   regular file
+   File: ‘/tmp/testfile’
+   Size: 6         	Blocks: 8          IO Block: 4096   regular file
  Device: 15h/21d	Inode: 28          Links: 1
  Access: (0644/-rw-r--r--)  Uid: ( 1000/  ubuntu)   Gid: ( 1000/  ubuntu)
  Access: 2016-03-11 10:26:19.574364117 +0100
  Modify: 2016-03-11 10:26:19.574364117 +0100
  Change: 2016-03-11 10:26:21.930343210 +0100
-  Birth: -
-   File: ‘/tmp/testfile2’
-   Size: 6         	Blocks: 8          IO Block: 4096   regular file
+  Birth: -
+   File: ‘/tmp/testfile2’
+   Size: 6         	Blocks: 8          IO Block: 4096   regular file
  Device: 15h/21d	Inode: 29          Links: 1
  Access: (0664/-rw-rw-r--)  Uid: ( 1000/  ubuntu)   Gid: ( 1000/  ubuntu)
  Access: 2016-03-11 10:26:58.730145919 +0100
  Modify: 2016-03-11 10:26:58.730145919 +0100
  Change: 2016-03-11 10:27:44.530203985 +0100
-  Birth: -
+  Birth: -
  
  There are also no ACLs involved (I checked with getfacl).
  
  This does not happen with a normal lxc-start, so this might very well be
  a bug in Linux' overlayfs. However, it also does not happen with the
  more modern "sudo lxc-copy -n adt-wily --ephemeral --foreground" -- bug
  perhaps this isn't using overlayfs?
  
  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: lxc 2.0.0~rc9-0ubuntu1
  ProcVersionSignature: Ubuntu 4.4.0-11.26-generic 4.4.4
  Uname: Linux 4.4.0-11-generic x86_64
  ApportVersion: 2.20-0ubuntu3
  Architecture: amd64
  CurrentDesktop: i3
  Date: Fri Mar 11 10:21:20 2016
  EcryptfsInUse: Yes
  PackageArchitecture: all
  SourcePackage: lxc
  UpgradeStatus: No upgrade log present (probably fresh install)
  defaults.conf:
-  lxc.network.type = veth
-  lxc.network.link = lxcbr0
-  lxc.network.flags = up
-  lxc.network.hwaddr = 00:16:3e:xx:xx:xx
+  lxc.network.type = veth
+  lxc.network.link = lxcbr0
+  lxc.network.flags = up
+  lxc.network.hwaddr = 00:16:3e:xx:xx:xx
  dnsmasq.conf:
-  enable-tftp
-  tftp-root=/tmp/tftp
-  dhcp-boot=pxelinux.0
+  enable-tftp
+  tftp-root=/tmp/tftp
+  dhcp-boot=pxelinux.0
  lxc.conf: lxc.lxcpath = /srv/lxc

** Description changed:

  I'm investigating some failures in autopkgtest's testsuite, and stumbled
  over something really weird: In an ephemeral container it is apparently
  not possible any more to chmod files that started out being root owned
  and got chowned later:
  
  $ sudo lxc-start-ephemeral -o adt-wily
  (log in as ubuntu/ubuntu)
  ubuntu at adt-wily-hvzj1eoa:~$ echo hello | sudo tee /tmp/testfile
  [sudo] password for ubuntu:
  hello
  ubuntu at adt-wily-hvzj1eoa:~$ sudo chown ubuntu:ubuntu /tmp/testfile
  ubuntu at adt-wily-hvzj1eoa:~$ chmod +x /tmp/testfile
  chmod: changing permissions of ‘/tmp/testfile’: Operation not permitted
  
  However, if the file was *not* previously chowned, it works as expected:
  
  ubuntu at adt-wily-hvzj1eoa:~$ echo hello > /tmp/testfile2
  ubuntu at adt-wily-hvzj1eoa:~$ chmod +x /tmp/testfile2
  ubuntu at adt-wily-hvzj1eoa:~$ chmod -x /tmp/testfile2
  
  (no errors and testfile2 becomes executable)
  
- There is no visible permission difference in the files at all:
+ There is no visible permission difference in the files at all, other
+ than being group-writable (but changing the group w bit in either
+ direction does not change the error at all):
  
  -rw-r--r-- 1 ubuntu ubuntu 6 Mar 11 10:26 /tmp/testfile
  -rw-rw-r-- 1 ubuntu ubuntu 6 Mar 11 10:26 /tmp/testfile2
  
  ubuntu at adt-wily-hvzj1eoa:~$ stat /tmp/testfile*
    File: ‘/tmp/testfile’
    Size: 6         	Blocks: 8          IO Block: 4096   regular file
  Device: 15h/21d	Inode: 28          Links: 1
  Access: (0644/-rw-r--r--)  Uid: ( 1000/  ubuntu)   Gid: ( 1000/  ubuntu)
  Access: 2016-03-11 10:26:19.574364117 +0100
  Modify: 2016-03-11 10:26:19.574364117 +0100
  Change: 2016-03-11 10:26:21.930343210 +0100
   Birth: -
    File: ‘/tmp/testfile2’
    Size: 6         	Blocks: 8          IO Block: 4096   regular file
  Device: 15h/21d	Inode: 29          Links: 1
  Access: (0664/-rw-rw-r--)  Uid: ( 1000/  ubuntu)   Gid: ( 1000/  ubuntu)
  Access: 2016-03-11 10:26:58.730145919 +0100
  Modify: 2016-03-11 10:26:58.730145919 +0100
  Change: 2016-03-11 10:27:44.530203985 +0100
   Birth: -
  
  There are also no ACLs involved (I checked with getfacl).
  
  This does not happen with a normal lxc-start, so this might very well be
  a bug in Linux' overlayfs. However, it also does not happen with the
  more modern "sudo lxc-copy -n adt-wily --ephemeral --foreground" -- bug
  perhaps this isn't using overlayfs?
  
  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: lxc 2.0.0~rc9-0ubuntu1
  ProcVersionSignature: Ubuntu 4.4.0-11.26-generic 4.4.4
  Uname: Linux 4.4.0-11-generic x86_64
  ApportVersion: 2.20-0ubuntu3
  Architecture: amd64
  CurrentDesktop: i3
  Date: Fri Mar 11 10:21:20 2016
  EcryptfsInUse: Yes
  PackageArchitecture: all
  SourcePackage: lxc
  UpgradeStatus: No upgrade log present (probably fresh install)
  defaults.conf:
   lxc.network.type = veth
   lxc.network.link = lxcbr0
   lxc.network.flags = up
   lxc.network.hwaddr = 00:16:3e:xx:xx:xx
  dnsmasq.conf:
   enable-tftp
   tftp-root=/tmp/tftp
   dhcp-boot=pxelinux.0
  lxc.conf: lxc.lxcpath = /srv/lxc

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1555997
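
Added example, not part of the original report or of lxc: a way to check the open question above (is a given path inside the container backed by overlayfs?) by longest-prefix lookup in a /proc/mounts-style table. The function names fstype_for_path, is_overlay and sample_mounts are hypothetical, and the sample table is constructed, not captured from the reporter's container.

```shell
#!/bin/sh
# Report which filesystem type backs a path, using a /proc/mounts-style
# table (fields: device mountpoint fstype options dump pass).

# Constructed sample table for offline use (assumption, not real output).
sample_mounts() {
cat <<'EOF'
overlay / overlay rw,relatime,lowerdir=/lower,upperdir=/upper,workdir=/work 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,mode=755 0 0
/dev/sda1 /srv ext4 rw,relatime 0 0
EOF
}

# fstype_for_path ABSOLUTE_PATH [MOUNTS_FILE]
# Prints the fstype of the longest mount point that contains the path.
fstype_for_path() {
    path=$1
    table=${2:-/proc/mounts}
    best_len=-1
    best_type=unknown
    while read -r _dev mnt fstype _rest; do
        case "$mnt" in
            /) match=1 ;;
            *) case "$path" in
                   # match only on a path-component boundary (/srv, not /srvx)
                   "$mnt"|"$mnt"/*) match=1 ;;
                   *) match=0 ;;
               esac ;;
        esac
        # -ge so that a later mount stacked on the same mount point wins
        if [ "$match" -eq 1 ] && [ "${#mnt}" -ge "$best_len" ]; then
            best_len=${#mnt}
            best_type=$fstype
        fi
    done < "$table"
    printf '%s\n' "$best_type"
}

# is_overlay ABSOLUTE_PATH [MOUNTS_FILE]: exit 0 if the path is on overlayfs.
# Both "overlay" and "overlayfs" are accepted as type names.
is_overlay() {
    case "$(fstype_for_path "$@")" in
        overlay|overlayfs) return 0 ;;
        *) return 1 ;;
    esac
}
```

Run inside each container as "is_overlay /tmp/testfile && echo overlay" to compare the lxc-start-ephemeral and lxc-copy --ephemeral setups; without a second argument the live /proc/mounts is read.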
