Cannot access files in docker as a non-root user 777 permissions + facls

Question

I have a docker container with a web app. Apache cannot read to the log folder. The apache user has specific rwx on the facl folder. I set 0777 on the folder recursivelyinside and outside the container. Inside the container only root can read the files. Outside everyone can. Inside the container an ls from the apache user looks like:

-????????? ? ? ? ?            ? access_log
-????????? ? ? ? ?            ? app.log
-????????? ? ? ? ?            ? error_log

I ran a strace, which produced nothing I could find useful. Here is an strace of open,access,lstat for completeness.

[www-data@a377ecbb9c76 www]$ strace -e open,access,lstat ls -l /var/www/logs/
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib64/libselinux.so.1", O_RDONLY) = 3
open("/lib64/librt.so.1", O_RDONLY)     = 3
open("/lib64/libcap.so.2", O_RDONLY)    = 3
open("/lib64/libacl.so.1", O_RDONLY)    = 3
open("/lib64/libc.so.6", O_RDONLY)      = 3
open("/lib64/libdl.so.2", O_RDONLY)     = 3
open("/lib64/libpthread.so.0", O_RDONLY) = 3
open("/lib64/libattr.so.1", O_RDONLY)   = 3
open("/proc/filesystems", O_RDONLY)     = 3
open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
open("/usr/share/locale/locale.alias", O_RDONLY) = 3
open("/usr/share/locale/en_US.UTF-8/LC_TIME/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_TIME/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_TIME/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_TIME/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_TIME/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_TIME/coreutils.mo", O_RDONLY) = 3
open("/usr/lib64/gconv/gconv-modules.cache", O_RDONLY) = 3
lstat("/var/www/logs/", {st_mode=S_IFDIR|0777, st_size=4096, ...}) = 0
lstat("/var/www/logs/", {st_mode=S_IFDIR|0777, st_size=4096, ...}) = 0
open("/etc/nsswitch.conf", O_RDONLY)    = 3
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib64/libnss_files.so.2", O_RDONLY) = 3
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
open("/etc/group", O_RDONLY|O_CLOEXEC)  = 3
open("/var/www/logs/", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
lstat("/var/www/logs/error_log", 0xf17800) = -1 EACCES (Permission denied)
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/coreutils.mo", O_RDONLY) = 4
ls: cannot access /var/www/logs/error_logopen("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
: Permission denied
lstat("/var/www/logs/app.log", 0xf178c0) = -1 EACCES (Permission denied)
ls: cannot access /var/www/logs/app.log: Permission denied
lstat("/var/www/logs/access_log", 0xf17980) = -1 EACCES (Permission denied)
ls: cannot access /var/www/logs/access_log: Permission denied
total 0
open("/etc/localtime", O_RDONLY)        = 3
-????????? ? ? ? ?            ? access_log
-????????? ? ? ? ?            ? app.log
-????????? ? ? ? ?            ? error_log
+++ exited with 1 +++

score 0 · Answer 1 · edited May 23 '17 at 11:33

0

I got the clue to answer this on stackoverflow.

My docker containers are not configured for ACL support, and having the ACLs on them caused the issue. The command setfacl -Rb logs/ from outside the container fixed it.

edited May 23 '17 at 11:33

Community

1

answered Jun 22 '16 at 21:50

Justin Dearing

1,037
12
33

Cannot access files in docker as a non-root user 777 permissions + facls

1 Answers1