Hi
I've started from scratch to set up my docker containers with restrictive permissions. I've been using OMV (right now OMV 7.4.4-1 with Proxmox kernel 6.8.8-4 in a Proxmox 8.2.4 VM) for a long time, the Linux CLI a bit and Docker for a couple of years.
I've been reading a lot about permissions lately as I can't get my group permissions to work as I want them to. My inspiration to set up restrictive permissions has been: User and permission management in docker and OMV. More security.
I'm using restrictive permissions to better my security and hopefully ward off any bad/malicious/not regularly updated/sloppily coded containers. This problem has at least made me learn quite a bit more about permissions, which can never be a bad thing.
My problem is that some of the members of one group with read and write permissions to the files can't access them.
Some data (ext4 on an internal M.2) is used by several containers and shared through Samba with more than one Samba user. To get this to work, all the users who need access to the data are members of the same secondary group and the data is "owned" by the same group with 2770 permissions (setgid is used to keep the files "owned" by the group).
Example: Container1 is run by containeruser1 (added through the CLI) with primary group containeruser1 and secondary group smbdirectory. The data1 directory and files are owned by containeruser1 and group smbdirectory with permissions 2770. The data1 directory is shared via the smb/cifs plugin. Smbuser1 and smbuser2 are members of the samba group and smbdirectory. Container2 is "run" by containeruser2 with primary group containeruser2 and secondary group smbdirectory. The users and groups have read and write permissions to the shared folder data1 through the OMV GUI. Containeruser1, smbuser1 and smbuser2 can access data1, but not containeruser2. The only way I get it to work is to set the permissions for data1 to 2775.
I've scratched my head a lot concerning this and I'm feeling that I'm nearing the road's end. Maybe it would be better to make different container users in the OMV GUI with group user and use "no access" in shared folders/permissions to restrict access, or with ACLs.
Can anyone see where I messed up my settings or my thinking concerning access through group permissions?
Thank you
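As an added example (mine, not part of the post), a short Python model of the Linux owner/group/other permission check with constructed uids and gids. It shows that whether containeruser2 passes the 2770 check depends entirely on which groups the process itself carries, and for a container that list comes from what the runtime sets (Docker's `--group-add`, compose `group_add`), not from the host's /etc/group.

```python
# Added example, not from the original post: a model of the Linux
# owner/group/other permission check. All uids, gids and names are constructed.
from dataclasses import dataclass

R, W, X = 4, 2, 1

@dataclass(frozen=True)
class Cred:
    uid: int                          # effective user
    gid: int                          # effective (primary) group
    groups: frozenset = frozenset()   # supplementary groups the process carries

@dataclass(frozen=True)
class Node:
    uid: int                          # owner
    gid: int                          # owning group
    mode: int                         # permission bits, setgid included

def allowed(cred, node, want):
    """True if cred may do `want` (bitmask of R, W, X) on node. Exactly one
    class applies (owner, else group, else other): a process whose group list
    lacks node.gid is judged by the 'other' bits, never by the group bits."""
    if cred.uid == node.uid:
        bits = (node.mode >> 6) & 7
    elif cred.gid == node.gid or node.gid in cred.groups:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bits & want == want

# constructed ids for the setup described in the post
CONTAINERUSER1, CONTAINERUSER2, SMBDIRECTORY = 1001, 1002, 2000
DATA1 = Node(uid=CONTAINERUSER1, gid=SMBDIRECTORY, mode=0o2770)
# a host login for containeruser2 carries its /etc/group memberships
host_cu2 = Cred(CONTAINERUSER2, CONTAINERUSER2, frozenset({SMBDIRECTORY}))
# a container started with `--user 1002:1002` gets only that uid and gid;
# the host's /etc/group is never consulted, so no supplementary groups
container_cu2 = Cred(CONTAINERUSER2, CONTAINERUSER2)
# the same container started with `--group-add 2000` (compose: group_add)
container_cu2_ga = Cred(CONTAINERUSER2, CONTAINERUSER2, frozenset({SMBDIRECTORY}))

def check_cases(want=R | W | X):
    # evaluate the three credentials against data1 at 2770 and at 2775
    data1_2775 = Node(DATA1.uid, DATA1.gid, 0o2775)
    return {
        "host_2770": allowed(host_cu2, DATA1, want),
        "container_2770": allowed(container_cu2, DATA1, want),
        "container_group_add_2770": allowed(container_cu2_ga, DATA1, want),
        "container_2775_rx": allowed(container_cu2, data1_2775, R | X),
        "container_2775_w": allowed(container_cu2, data1_2775, W),
    }
```

Note that 2775 only opens read and execute to everyone else; a process without the group still gets no write bit, so a container that "works" at 2775 is almost certainly being evaluated as "other".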