[Bug 1555997] [NEW] chmod fails with "Operation not permitted" on chowned files in ephemeral container
Martin Pitt
martin.pitt at ubuntu.com
Fri Mar 11 09:31:35 UTC 2016
Public bug reported:
I'm investigating some failures in autopkgtest's testsuite, and stumbled
over something really weird: In an ephemeral container it is apparently
not possible any more to chmod files that started out being root owned
and got chowned later:
$ sudo lxc-start-ephemeral -o adt-wily
(log in as ubuntu/ubuntu)
ubuntu at adt-wily-hvzj1eoa:~$ echo hello | sudo tee /tmp/testfile
[sudo] password for ubuntu:
hello
ubuntu at adt-wily-hvzj1eoa:~$ sudo chown ubuntu:ubuntu /tmp/testfile
ubuntu at adt-wily-hvzj1eoa:~$ chmod +x /tmp/testfile
chmod: changing permissions of ‘/tmp/testfile’: Operation not permitted
However, if the file was *not* previously chowned, it works as expected:
ubuntu at adt-wily-hvzj1eoa:~$ echo hello > /tmp/testfile2
ubuntu at adt-wily-hvzj1eoa:~$ chmod +x /tmp/testfile2
ubuntu at adt-wily-hvzj1eoa:~$ chmod -x /tmp/testfile2
(no errors and testfile2 becomes executable)
There is no visible permission difference in the files at all, other
than being group-writable (but changing the group w bit in either
direction does not change the error at all):
-rw-r--r-- 1 ubuntu ubuntu 6 Mar 11 10:26 /tmp/testfile
-rw-rw-r-- 1 ubuntu ubuntu 6 Mar 11 10:26 /tmp/testfile2
ubuntu at adt-wily-hvzj1eoa:~$ stat /tmp/testfile*
File: ‘/tmp/testfile’
Size: 6 Blocks: 8 IO Block: 4096 regular file
Device: 15h/21d Inode: 28 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 1000/ ubuntu) Gid: ( 1000/ ubuntu)
Access: 2016-03-11 10:26:19.574364117 +0100
Modify: 2016-03-11 10:26:19.574364117 +0100
Change: 2016-03-11 10:26:21.930343210 +0100
Birth: -
File: ‘/tmp/testfile2’
Size: 6 Blocks: 8 IO Block: 4096 regular file
Device: 15h/21d Inode: 29 Links: 1
Access: (0664/-rw-rw-r--) Uid: ( 1000/ ubuntu) Gid: ( 1000/ ubuntu)
Access: 2016-03-11 10:26:58.730145919 +0100
Modify: 2016-03-11 10:26:58.730145919 +0100
Change: 2016-03-11 10:27:44.530203985 +0100
Birth: -
There are also no ACLs involved (I checked with getfacl).
This does not happen with a normal lxc-start, so this might very well be
a bug in Linux' overlayfs. However, it also does not happen with the
more modern "sudo lxc-copy -n adt-wily --ephemeral --foreground" -- bug
perhaps this isn't using overlayfs?
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: lxc 2.0.0~rc9-0ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-11.26-generic 4.4.4
Uname: Linux 4.4.0-11-generic x86_64
ApportVersion: 2.20-0ubuntu3
Architecture: amd64
CurrentDesktop: i3
Date: Fri Mar 11 10:21:20 2016
EcryptfsInUse: Yes
PackageArchitecture: all
SourcePackage: lxc
UpgradeStatus: No upgrade log present (probably fresh install)
defaults.conf:
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:xx:xx:xx
dnsmasq.conf:
enable-tftp
tftp-root=/tmp/tftp
dhcp-boot=pxelinux.0
lxc.conf: lxc.lxcpath = /srv/lxc
** Affects: lxc (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug xenial
** Description changed:
I'm investigating some failures in autopkgtest's testsuite, and stumbled
over something really weird: In an ephemeral container it is apparently
not possible any more to chmod files that started out being root owned
and got chowned later:
$ sudo lxc-start-ephemeral -o adt-wily
(log in as ubuntu/ubuntu)
ubuntu at adt-wily-hvzj1eoa:~$ echo hello | sudo tee /tmp/testfile
- [sudo] password for ubuntu:
+ [sudo] password for ubuntu:
hello
ubuntu at adt-wily-hvzj1eoa:~$ sudo chown ubuntu:ubuntu /tmp/testfile
ubuntu at adt-wily-hvzj1eoa:~$ chmod +x /tmp/testfile
chmod: changing permissions of ‘/tmp/testfile’: Operation not permitted
However, if the file was *not* previously chowned, it works as expected:
ubuntu at adt-wily-hvzj1eoa:~$ echo hello > /tmp/testfile2
ubuntu at adt-wily-hvzj1eoa:~$ chmod +x /tmp/testfile2
- ubuntu at adt-wily-hvzj1eoa:~$ chmod +- /tmp/testfile2
+ ubuntu at adt-wily-hvzj1eoa:~$ chmod -x /tmp/testfile2
(no errors and testfile2 becomes executable)
There is no visible permission difference in the files at all:
-rw-r--r-- 1 ubuntu ubuntu 6 Mar 11 10:26 /tmp/testfile
-rw-rw-r-- 1 ubuntu ubuntu 6 Mar 11 10:26 /tmp/testfile2
-
ubuntu at adt-wily-hvzj1eoa:~$ stat /tmp/testfile*
- File: ‘/tmp/testfile’
- Size: 6 Blocks: 8 IO Block: 4096 regular file
+ File: ‘/tmp/testfile’
+ Size: 6 Blocks: 8 IO Block: 4096 regular file
Device: 15h/21d Inode: 28 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 1000/ ubuntu) Gid: ( 1000/ ubuntu)
Access: 2016-03-11 10:26:19.574364117 +0100
Modify: 2016-03-11 10:26:19.574364117 +0100
Change: 2016-03-11 10:26:21.930343210 +0100
- Birth: -
- File: ‘/tmp/testfile2’
- Size: 6 Blocks: 8 IO Block: 4096 regular file
+ Birth: -
+ File: ‘/tmp/testfile2’
+ Size: 6 Blocks: 8 IO Block: 4096 regular file
Device: 15h/21d Inode: 29 Links: 1
Access: (0664/-rw-rw-r--) Uid: ( 1000/ ubuntu) Gid: ( 1000/ ubuntu)
Access: 2016-03-11 10:26:58.730145919 +0100
Modify: 2016-03-11 10:26:58.730145919 +0100
Change: 2016-03-11 10:27:44.530203985 +0100
- Birth: -
+ Birth: -
There are also no ACLs involved (I checked with getfacl).
This does not happen with a normal lxc-start, so this might very well be
a bug in Linux' overlayfs. However, it also does not happen with the
more modern "sudo lxc-copy -n adt-wily --ephemeral --foreground" -- bug
perhaps this isn't using overlayfs?
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: lxc 2.0.0~rc9-0ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-11.26-generic 4.4.4
Uname: Linux 4.4.0-11-generic x86_64
ApportVersion: 2.20-0ubuntu3
Architecture: amd64
CurrentDesktop: i3
Date: Fri Mar 11 10:21:20 2016
EcryptfsInUse: Yes
PackageArchitecture: all
SourcePackage: lxc
UpgradeStatus: No upgrade log present (probably fresh install)
defaults.conf:
- lxc.network.type = veth
- lxc.network.link = lxcbr0
- lxc.network.flags = up
- lxc.network.hwaddr = 00:16:3e:xx:xx:xx
+ lxc.network.type = veth
+ lxc.network.link = lxcbr0
+ lxc.network.flags = up
+ lxc.network.hwaddr = 00:16:3e:xx:xx:xx
dnsmasq.conf:
- enable-tftp
- tftp-root=/tmp/tftp
- dhcp-boot=pxelinux.0
+ enable-tftp
+ tftp-root=/tmp/tftp
+ dhcp-boot=pxelinux.0
lxc.conf: lxc.lxcpath = /srv/lxc
** Description changed:
I'm investigating some failures in autopkgtest's testsuite, and stumbled
over something really weird: In an ephemeral container it is apparently
not possible any more to chmod files that started out being root owned
and got chowned later:
$ sudo lxc-start-ephemeral -o adt-wily
(log in as ubuntu/ubuntu)
ubuntu at adt-wily-hvzj1eoa:~$ echo hello | sudo tee /tmp/testfile
[sudo] password for ubuntu:
hello
ubuntu at adt-wily-hvzj1eoa:~$ sudo chown ubuntu:ubuntu /tmp/testfile
ubuntu at adt-wily-hvzj1eoa:~$ chmod +x /tmp/testfile
chmod: changing permissions of ‘/tmp/testfile’: Operation not permitted
However, if the file was *not* previously chowned, it works as expected:
ubuntu at adt-wily-hvzj1eoa:~$ echo hello > /tmp/testfile2
ubuntu at adt-wily-hvzj1eoa:~$ chmod +x /tmp/testfile2
ubuntu at adt-wily-hvzj1eoa:~$ chmod -x /tmp/testfile2
(no errors and testfile2 becomes executable)
- There is no visible permission difference in the files at all:
+ There is no visible permission difference in the files at all, other
+ than being group-writable (but changing the group w bit in either
+ direction does not change the error at all):
-rw-r--r-- 1 ubuntu ubuntu 6 Mar 11 10:26 /tmp/testfile
-rw-rw-r-- 1 ubuntu ubuntu 6 Mar 11 10:26 /tmp/testfile2
ubuntu at adt-wily-hvzj1eoa:~$ stat /tmp/testfile*
File: ‘/tmp/testfile’
Size: 6 Blocks: 8 IO Block: 4096 regular file
Device: 15h/21d Inode: 28 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 1000/ ubuntu) Gid: ( 1000/ ubuntu)
Access: 2016-03-11 10:26:19.574364117 +0100
Modify: 2016-03-11 10:26:19.574364117 +0100
Change: 2016-03-11 10:26:21.930343210 +0100
Birth: -
File: ‘/tmp/testfile2’
Size: 6 Blocks: 8 IO Block: 4096 regular file
Device: 15h/21d Inode: 29 Links: 1
Access: (0664/-rw-rw-r--) Uid: ( 1000/ ubuntu) Gid: ( 1000/ ubuntu)
Access: 2016-03-11 10:26:58.730145919 +0100
Modify: 2016-03-11 10:26:58.730145919 +0100
Change: 2016-03-11 10:27:44.530203985 +0100
Birth: -
There are also no ACLs involved (I checked with getfacl).
This does not happen with a normal lxc-start, so this might very well be
a bug in Linux' overlayfs. However, it also does not happen with the
more modern "sudo lxc-copy -n adt-wily --ephemeral --foreground" -- bug
perhaps this isn't using overlayfs?
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: lxc 2.0.0~rc9-0ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-11.26-generic 4.4.4
Uname: Linux 4.4.0-11-generic x86_64
ApportVersion: 2.20-0ubuntu3
Architecture: amd64
CurrentDesktop: i3
Date: Fri Mar 11 10:21:20 2016
EcryptfsInUse: Yes
PackageArchitecture: all
SourcePackage: lxc
UpgradeStatus: No upgrade log present (probably fresh install)
defaults.conf:
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:xx:xx:xx
dnsmasq.conf:
enable-tftp
tftp-root=/tmp/tftp
dhcp-boot=pxelinux.0
lxc.conf: lxc.lxcpath = /srv/lxc
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1555997
Title:
chmod fails with "Operation not permitted" on chowned files in
ephemeral container
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1555997/+subscriptions
More information about the Ubuntu-server-bugs
mailing list