
Re: Setting up bindfs mount in LXC container



On 18/01/2023 13:02, Richard Hector wrote:
> I have a Wordpress site. The directory /srv/sitename/doc_root, and most of the directories under it, are owned by user 'sitename'.
>
> PHP runs as 'sitename-run', which has access (via group 'sitename') to read all of that, but not write it. Some subdirectories, eg .../doc_root/wp-content/uploads, are group-writeable so that it can save things there.
>
> An authorised site maintainer, eg me ('richard') (but there may be any number of others), needs to be able to write under /srv/sitename,

Just an idea (likely should be applied recursively)

setfacl -m user:richard:rwx /srv/sitename
setfacl -m default:user:richard:rwx /srv/sitename

The same for PHP read-only access. However, it is likely impossible to set default: x for directories only. Another issue is that a directory moved from outside will not inherit the default ACL. So although it looks like a standard problem that may be solved by ACLs, I do not have a complete recipe.

Are there users that have access to the container only using ssh? If you have access to the host, you can run any command to access the filesystem outside of the container using lxc-usernsexec (perhaps with a modified uidmap) or inside the container using lxc-attach ... su --login ...

If you have not read it yet, some general LXC ideas are described in
https://stgraber.org/2013/12/20/lxc-1-0-blog-post-series/
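
An added example, not part of the original message: a Python audit for the gap noted above, where a directory moved in from outside carries no default ACL. It decodes the Linux system.posix_acl_default xattr directly; the function names are hypothetical, and the uid passed on the command line stands for the maintainer account.

```python
import os
import struct

XATTR_DEFAULT = "system.posix_acl_default"  # Linux xattr holding a directory's default ACL
ACL_USER, ACL_MASK = 0x02, 0x10             # e_tag values for named-user and mask entries
RWX = 0o7

def parse_acl_xattr(blob):
    """Decode a POSIX ACL xattr: u32 version (2), then (u16 tag, u16 perm, u32 id) entries."""
    if len(blob) < 4 or (len(blob) - 4) % 8:
        raise ValueError("truncated ACL xattr")
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != 2:
        raise ValueError(f"unsupported ACL xattr version {version}")
    return [struct.unpack_from("<HHI", blob, off) for off in range(4, len(blob), 8)]

def default_perms_for_uid(blob, uid):
    """Effective default permissions for a named user (entry AND mask), or None if no entry."""
    entries = parse_acl_xattr(blob)
    mask = next((perm for tag, perm, _ in entries if tag == ACL_MASK), RWX)
    for tag, perm, ident in entries:
        if tag == ACL_USER and ident == uid:
            return perm & mask
    return None

def read_default_acl(path):
    """Raw default-ACL xattr of a directory, or None if it has none or ACLs are unsupported."""
    try:
        return os.getxattr(path, XATTR_DEFAULT, follow_symlinks=False)
    except OSError:
        return None

def dirs_missing_default(root, uid, want=RWX, reader=read_default_acl):
    """Directories under root whose default ACL does not grant `want` to uid."""
    missing = []
    for dirpath, _dirnames, _files in os.walk(root):
        blob = reader(dirpath)
        perms = default_perms_for_uid(blob, uid) if blob else None
        if perms is None or perms & want != want:
            missing.append(dirpath)
    return missing

if __name__ == "__main__":
    import sys
    # Assumed invocation: <script> /srv/sitename <uid of maintainer>
    for d in dirs_missing_default(sys.argv[1], int(sys.argv[2])):
        print(d)
```

Directories it lists can be given the default entry again with the setfacl commands shown earlier in this message.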

