Re: Setting up bindfs mount in LXC container
On 18/01/2023 13:02, Richard Hector wrote:
> I have a Wordpress site. The directory /srv/sitename/doc_root, and most
> of the directories under it, are owned by user 'sitename'.
> PHP runs as 'sitename-run', which has access (via group 'sitename') to
> read all of that, but not write it. Some subdirectories, eg
> .../doc_root/wp-content/uploads, are group-writeable so that it can save
> things there.
> An authorised site maintainer, eg me ('richard') (but there may be any
> number of others), needs to be able to write under /srv/sitename,

Just an idea (it likely should be applied recursively):

    setfacl -m user:richard:rwx /srv/sitename
    setfacl -m default:user:richard:rwx /srv/sitename

The same for PHP read-only access. However, it is likely impossible to
set default: x for directories only. Another issue is that a directory
moved from outside will not inherit the default ACL. So although it looks
like a standard problem that may be solved by ACLs, I do not have a
complete recipe.

Are there users that have access to the container only using ssh? If you
have access to the host, you can run any command to access the filesystem
outside of the container using lxc-usernsexec (perhaps with a modified
uidmap) or inside the container using lxc-attach ... su --login ...

If you have not read it yet, some general LXC ideas are described in
https://stgraber.org/2013/12/20/lxc-1-0-blog-post-series/
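
An audit for the gap mentioned in the reply above (a directory moved in from outside does not pick up the default ACL), as an added example that is not part of the original message. The function names `missing_acl` and `sample_getfacl` and the `moved-in` directory are hypothetical, and the getfacl output is constructed.

```shell
#!/bin/sh
# Added example: report directories lacking ACL entries for user $1, perms $2.
# Live use: find /srv/sitename -type d -exec getfacl -p {} + | missing_acl richard rwx
# An entry cut down by the mask (marked "#effective:") is reported as missing.
missing_acl() {
    awk -v user="$1" -v perms="$2" '
        function report() {
            if (path == "") return
            if (!has_access)  print "access\t" path
            if (!has_default) print "default\t" path
        }
        /^# file: / { report(); path = substr($0, 9); has_access = has_default = 0; next }
        /^#/ || /^[ \t]*$/ { next }
        {
            ok = ($2 ~ /^#effective:/) ? 0 : 1
            if ($1 == "user:" user ":" perms)         has_access = ok
            if ($1 == "default:user:" user ":" perms) has_default = ok
        }
        END { report() }
    '
}

# Constructed sample: site root with both entries, plus a directory moved in
# from elsewhere that carries neither.
sample_getfacl() {
    cat <<'EOF'
# file: /srv/sitename
# owner: sitename
# group: sitename
user::rwx
user:richard:rwx
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:richard:rwx
default:group::r-x
default:mask::rwx
default:other::---

# file: /srv/sitename/doc_root/moved-in
# owner: richard
# group: richard
user::rwx
group::r-x
other::r-x
EOF
}
sample_getfacl | missing_acl richard rwx
```

Each output line is a tag ("access" or "default"), a tab, and the path, so the result can be fed back to setfacl for the directories that need the entries reapplied.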