Change ACLs for QNAP LXD unprivileged container.

Overview

qnaplxdunpriv

If Advanced Folder Permissions is enabled in QNAP NAS, unprivileged LXD containers won't start. qnaplxdunpriv changes ACLs of some Container Station files to enable running unprivileged LXD containers.

Please make sure to backup your NAS before using this program, and use this program at your own risk.

Usage

Prebuilt Docker image (amd64) to run this program is available at kobarity/qnaplxdunpriv. So if you are using amd64 NAS, you can run the image as following:

docker run -v "$(echo /share/CACHEDEV*_DATA/.qpkg/container-station):/Station" -v /share/Container:/Container --rm kobarity/qnaplxdunpriv set 1000000

where the last argument indicates the UID you are going to use for the unprivileged container. The UID can be specified in security.idmap.base configuration of LXD containers and defaults to 1000000.

INFO:Completed message will be shown if it completes changing ACLs without any errors.

To undo the changes, specify unset instead of set.

Usage of this program is show below:

usage: qnaplxdunpriv.py [-h] [--dry-run] [--station STATION]
                        [--container CONTAINER]
                        {set,unset} uid [uid ...]

Change ACLs for QNAP LXD unprivileged container.

positional arguments:
  {set,unset}           "set" or "unset"
  uid                   UID for unprivileged containers

options:
  -h, --help            show this help message and exit
  --dry-run             print new ACLs without actually changing any files
                        (default: False)
  --station STATION     directory corresponding to Container Station folder
                        which can be obtained by
                        "/share/CACHEDEV*_DATA/.qpkg/container-station"
                        (default: /Station)
  --container CONTAINER
                        directory corresponding to "/share/Container" shared
                        folder (default: /Container)

If you are using ARM architecture NAS or are willing to use your own Docker image, clone the source code from qnaplxdunpriv and build the image under python directory as following:

docker build -t qnaplxdunpriv .

Caveat

After changing ACLs, users other than admin and not in administrators group will lose access to files whose ACLs are changed. This is caused by the QNAP's own implementation of ACLs mentioned in What's wrong with ACL?. In many cases, this should not be a problem because users other than admin and not in administrators group typically do not need to access these files. However, if you need to grant access to some users or groups, a workaround is to add ACL entries explicitly allows the users or groups to access these files.

Background

Marco Trevisan kindly provided a script to change ACLs to enable running unprivileged LXD containers in Failing to start unprivileged container (QNAP) thread. However, simply adding an ACL entry would result in users other than admin (including users in administrators group) being unable to execute commands such as docker or lxc due to the QNAP's own implementation of ACLs mentioned in What's wrong with ACL?.

To address this issue, this program processes ACLs for set operation:

  1. If ACL entries explicitly specifying the given UIDs do not exist, create ACL entries explicitly specifying the given UIDs with permissions same as owner user excluding write permission.
  2. If an ACL entry explicitly specifying the owner group does not exist, create an ACL entry explicitly specifying the owner group with permissions same as owner group.
  3. If the ACL is changed, calculate the mask entry.

On the other hand, this program processes ACLs for unset operation:

  1. Remove ACL entries explicitly specifying the given UIDs.
  2. If an ACL entry explicitly specifying a user, an ACL entry explicitly specifying a group other than the owner group, or a default ACL entry exists, finish processing the file.
  3. Otherwise, if an ACL entry explicitly specifying the owner group exists and its permissions match the permissions of the owner group ACL entry, remove the ACL entry explicitly specifying the owner group.
  4. Remove the mask entry.
  5. If an ACL entry explicitly specifying a user or a group exists, calculate the mask entry.

Bash script

A Bash script qnap-lxd-unpriv.sh is located under bash directory. It functions nearly same as the above mentioned program, however it should be considered as a prototype for reference purposes because:

  • it is much slower than the Python version. It takes a few minutes (SSD on TS-453D) while the Python version runs in a few seconds.
  • it accepts only one UID.
  • it is not tested as the Python version.

Contributing

Please open a new issue if you find a problem. Pull requests are also welcome.

Licenses

Copyright 2022 kobarity

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

A country information finder module

A country information finder module

Fayas Noushad 3 Nov 28, 2021
Audio2Face - a project that transforms audio to blendshape weights,and drives the digital human,xiaomei,in UE project

Audio2Face - a project that transforms audio to blendshape weights,and drives the digital human,xiaomei,in UE project

FACEGOOD 732 Jan 08, 2023
A simple website-based resource monitor for slurm system.

Slurm Web A simple website-based resource monitor for slurm system. Screenshot Required python packages flask, colored, humanize, humanfriendly, beart

Tengda Han 17 Nov 29, 2022
On this repo, you'll find every codes I made during my NSI classes (informatical courses)

👨‍💻 👩‍💻 school-codes On this repo, you'll find every codes I made during my NSI classes (informatical courses) French for now since this repo is d

EDM 1.15 3 Dec 17, 2022
Free components that wrap up Python into Delphi and Lazarus (FPC)

Python for Delphi (P4D) is a set of free components that wrap up the Python DLL into Delphi and Lazarus (FPC). They let you easily execute Python scri

747 Jan 02, 2023
A hackers attempt at an MVP anki plugin

my anki plugin if you have found this by accident, you should probably run away this is nothing more than a hackers attempt at an MVP anki plugin I re

Chris Hall 1 Nov 02, 2021
Python bindings for `ign-msgs` and `ign-transport`

Python Ignition This project aims to provide Python bindings for ignition-msgs and ignition-transport. It is a work in progress... C++ and Python libr

Rhys Mainwaring 3 Nov 08, 2022
Repository to store sample python programs for python learning

py Repository to store sample Python programs. This repository is meant for beginners to assist them in their learning of Python. The repository cover

codebasics 5.8k Dec 30, 2022
Uma moeda simples e segura!

SecCoin - Documentação A SecCoin foi criada com intuito de ser uma moeda segura, de fácil investimento e mineração. A Criptomoeda está na sua primeira

Sec-Coin Team 5 Dec 09, 2022
Developing and Comparing Vision-based Algorithms for Vision-based Agile Flight

DodgeDrone: Vision-based Agile Drone Flight (ICRA 2022 Competition) Would you like to push the boundaries of drone navigation? Then participate in the

Robotics and Perception Group 115 Dec 10, 2022
a simple proof system I made to learn math without any mistakes

math_up a simple proof system I made to learn math without any mistakes 0. Short Introduction test yourself, enjoy your math! math_up is an NBG-based,

양현우 5 Jun 04, 2021
Very efficient backup system based on the git packfile format, providing fast incremental saves and global deduplication

Very efficient backup system based on the git packfile format, providing fast incremental saves and global deduplication (among and within files, including virtual machine images). Current release is

bup 6.9k Dec 27, 2022
tagls is a language server based on gtags.

tagls tagls is a language server based on gtags. Why I wrote it? Almost all modern editors have great support to LSP, but language servers based on se

daquexian 31 Dec 01, 2022
Banking management project using Tkinter GUI in python.

Bank-Management Banking management project using Tkinter GUI in python. Packages required Tkinter - Tkinter is the standard GUI library for Python. sq

Anjali Kumawat 7 Jul 03, 2022
Just imagine normal bancho, but you can have multiple profiles and funorange speed up maps ranked

Local osu! server Just imagine normal bancho, but you can have multiple profiles and funorange speed up maps ranked (coming soon)! Windows Setup Insta

Cover 25 Nov 15, 2022
Play tic-tac-toe in PowerPoint

The presentation has around 6,000 slides representing every possible game state (and some impossible ones, since I didn't check for wins or ties). You play by clicking on the squares, which are hyper

Jesse Li 3 Dec 18, 2021
Heads Down Application for Mac OSX

Heads Down A Mac app that lives in your ribbon—with a click of the mouse, temporarily block distracting websites and applications to encourage "heads

20 Mar 10, 2021
Awesome Cheatsheet

Awesome Cheatsheet List of useful cheatsheets Inspired by @sindresorhus awesome and improved by these amazing contributors. If you see a link here is

detailyang 6.5k Jan 07, 2023
To check my COVID-19 vaccine appointment, I wrote an infinite loop that sends me a Whatsapp message hourly using Twilio and Selenium. It works on my Raspberry Pi computer.

COVID-19_vaccine_appointment To check my COVID-19 vaccine appointment, I wrote an infinite loop that sends me a Whatsapp message hourly using Twilio a

Ayyuce Demirbas 24 Dec 17, 2022
Python script to automate the change of desktop background

wallomator Python script to automate the change of desktop background A python script that automates the process of changing the desktop background. I

Mohammed Haaris Javed 10 Jun 16, 2022