Change ACLs for QNAP LXD unprivileged container.

Overview

qnaplxdunpriv

If Advanced Folder Permissions is enabled in QNAP NAS, unprivileged LXD containers won't start. qnaplxdunpriv changes ACLs of some Container Station files to enable running unprivileged LXD containers.

Please make sure to backup your NAS before using this program, and use this program at your own risk.

Usage

Prebuilt Docker image (amd64) to run this program is available at kobarity/qnaplxdunpriv. So if you are using amd64 NAS, you can run the image as following:

docker run -v "$(echo /share/CACHEDEV*_DATA/.qpkg/container-station):/Station" -v /share/Container:/Container --rm kobarity/qnaplxdunpriv set 1000000

where the last argument indicates the UID you are going to use for the unprivileged container. The UID can be specified in security.idmap.base configuration of LXD containers and defaults to 1000000.

INFO:Completed message will be shown if it completes changing ACLs without any errors.

To undo the changes, specify unset instead of set.

Usage of this program is show below:

usage: qnaplxdunpriv.py [-h] [--dry-run] [--station STATION]
                        [--container CONTAINER]
                        {set,unset} uid [uid ...]

Change ACLs for QNAP LXD unprivileged container.

positional arguments:
  {set,unset}           "set" or "unset"
  uid                   UID for unprivileged containers

options:
  -h, --help            show this help message and exit
  --dry-run             print new ACLs without actually changing any files
                        (default: False)
  --station STATION     directory corresponding to Container Station folder
                        which can be obtained by
                        "/share/CACHEDEV*_DATA/.qpkg/container-station"
                        (default: /Station)
  --container CONTAINER
                        directory corresponding to "/share/Container" shared
                        folder (default: /Container)

If you are using ARM architecture NAS or are willing to use your own Docker image, clone the source code from qnaplxdunpriv and build the image under python directory as following:

docker build -t qnaplxdunpriv .

Caveat

After changing ACLs, users other than admin and not in administrators group will lose access to files whose ACLs are changed. This is caused by the QNAP's own implementation of ACLs mentioned in What's wrong with ACL?. In many cases, this should not be a problem because users other than admin and not in administrators group typically do not need to access these files. However, if you need to grant access to some users or groups, a workaround is to add ACL entries explicitly allows the users or groups to access these files.

Background

Marco Trevisan kindly provided a script to change ACLs to enable running unprivileged LXD containers in Failing to start unprivileged container (QNAP) thread. However, simply adding an ACL entry would result in users other than admin (including users in administrators group) being unable to execute commands such as docker or lxc due to the QNAP's own implementation of ACLs mentioned in What's wrong with ACL?.

To address this issue, this program processes ACLs for set operation:

  1. If ACL entries explicitly specifying the given UIDs do not exist, create ACL entries explicitly specifying the given UIDs with permissions same as owner user excluding write permission.
  2. If an ACL entry explicitly specifying the owner group does not exist, create an ACL entry explicitly specifying the owner group with permissions same as owner group.
  3. If the ACL is changed, calculate the mask entry.

On the other hand, this program processes ACLs for unset operation:

  1. Remove ACL entries explicitly specifying the given UIDs.
  2. If an ACL entry explicitly specifying a user, an ACL entry explicitly specifying a group other than the owner group, or a default ACL entry exists, finish processing the file.
  3. Otherwise, if an ACL entry explicitly specifying the owner group exists and its permissions match the permissions of the owner group ACL entry, remove the ACL entry explicitly specifying the owner group.
  4. Remove the mask entry.
  5. If an ACL entry explicitly specifying a user or a group exists, calculate the mask entry.

Bash script

A Bash script qnap-lxd-unpriv.sh is located under bash directory. It functions nearly same as the above mentioned program, however it should be considered as a prototype for reference purposes because:

  • it is much slower than the Python version. It takes a few minutes (SSD on TS-453D) while the Python version runs in a few seconds.
  • it accepts only one UID.
  • it is not tested as the Python version.

Contributing

Please open a new issue if you find a problem. Pull requests are also welcome.

Licenses

Copyright 2022 kobarity

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Demo of connecting Rasa with Zalo

Demo of connecting Rasa with Zalo

6 Jul 25, 2022
Generates images with semantic content from distribution A in the style of distribution B

A2B Generates images with semantic content from distribution A in the style of d

Richard Herbert 2 Dec 27, 2021
Repository for my Monika Assistant project

Monika_Assistant Repository for my Monika Assistant project Major changes: Added face tracker Added manual daily log to see how long it takes me to fi

3 Jan 10, 2022
En este repositorio realizaré la tarea del laberinto.

Laberinto Perfil de GitHub del autor de este proyecto: @jmedina28 En este repositorio queda resuelta la composición de un laberinto 5x5 con sus muros

Juan Medina 1 Dec 11, 2021
Cool little Python scripts & projects I've made.

Little Python Projects A repository for neat little Python scripts I've made! How to run a script: *NOTE: You'll need to install Python v3 or higher.

dood 1 Jan 19, 2022
Hitchhikers-guide - The Hitchhiker's Guide to Data Science for Social Good

Welcome to the Hitchhiker's Guide to Data Science for Social Good. What is the Data Science for Social Good Fellowship? The Data Science for Social Go

Data Science for Social Good 907 Jan 01, 2023
Este script añade la config de s4vitar a bspwm automaticamente!

Se ha testeado este script en ParrotOS, Kali y Ubuntu. Funciona para todos los sistemas operativos basados en Debian. Instalación git clone https://gi

yorkox 201 Dec 30, 2022
End-to-End text sumarization, QAs generation using flask.

Help-Me-Read A web application created with Flask + BootStrap + HuggingFace 🤗 to generate summary and question-answer from given input text. It uses

Ankush Kuwar 12 Nov 13, 2022
EasyBuild is a software build and installation framework that allows you to manage (scientific) software on High Performance Computing (HPC) systems in an efficient way.

EasyBuild is a software build and installation framework that allows you to manage (scientific) software on High Performance Computing (HPC) systems in an efficient way.

EasyBuild community 87 Dec 27, 2022
Media Cloud Outlet Filtering

Using ABYZ and Media-Bias Fact-Check outlet databases, I've provided outlet CSV files for both and scripts to intended to match Media Cloud files to respective outlets.

Stephen Scarano 1 Feb 02, 2022
EFB Docker image with efb-telegram-master and efb-wechat-slave

efb-wechat-docker EFB Docker image with efb-telegram-master and efb-wechat-slave Features Container run by non-root user. Support add environment vari

Haukeng 1 Nov 10, 2022
Explore related sequences in the OEIS

OEIS explorer This is a tool for exploring two different kinds of relationships between sequences in the OEIS: mentions (links) of other sequences on

Alex Hall 6 Mar 15, 2022
Python Freecell Solver

freecell Python Freecell Solver Very early version right now. You can pick a board by changing the file path in freecell.py If you want to play a game

Ben Kaufman 1 Nov 26, 2021
🌌 Economics Observatory Visualisation Repository

Economics Observatory Visualisation Repository Website | Visualisations | Data | Here you will find all the data visualisations and infographics attac

Economics Observatory 3 Dec 14, 2022
Student Result Management System Project in tkinter created based on python, tkinter, and SQLITE3 Database

Student-Result-Management-System This Student Result Management System Project in tkinter created based on python, tkinter, and SQLITE3 Database. The

Ravi Chauhan 2 Aug 03, 2022
A python program for rick rolling people.

Rickware A python program for rick rolling people. (And annoying them too) What is rick roll? Read this wikipedia article - Rickrolling About program

2 Jan 18, 2022
Python MapReduce library written in Cython.

Python MapReduce library written in Cython. Visit us in #hadoopy on freenode. See the link below for documentation and tutorials.

Brandyn White 243 Sep 16, 2022
This wishes a mentioned users on their birthdays

BirthdayWisher Requirements: "mysqlserver", "email id and password", "Mysqlconnector" In-Built Modules: "smtplib", "datetime","imghdr" In Mysql: A tab

vellalaharshith 1 Sep 13, 2022
A simple streamlit webapp with multiple functionality

A simple streamlit webapp with multiple functionality

Omkar Pramod Hankare 2 Nov 24, 2021
Software for visualization of RTStruct structures on CT images

This script is responsible for the operation of the program, it is responsible for both creating the GUI and the process of processing images from dicom files. The program is based on the use of the

Adam Piszczek 0 Jun 29, 2022