Change ACLs for QNAP LXD unprivileged container.

Overview

qnaplxdunpriv

If Advanced Folder Permissions is enabled in QNAP NAS, unprivileged LXD containers won't start. qnaplxdunpriv changes ACLs of some Container Station files to enable running unprivileged LXD containers.

Please make sure to backup your NAS before using this program, and use this program at your own risk.

Usage

Prebuilt Docker image (amd64) to run this program is available at kobarity/qnaplxdunpriv. So if you are using amd64 NAS, you can run the image as following:

docker run -v "$(echo /share/CACHEDEV*_DATA/.qpkg/container-station):/Station" -v /share/Container:/Container --rm kobarity/qnaplxdunpriv set 1000000

where the last argument indicates the UID you are going to use for the unprivileged container. The UID can be specified in security.idmap.base configuration of LXD containers and defaults to 1000000.

INFO:Completed message will be shown if it completes changing ACLs without any errors.

To undo the changes, specify unset instead of set.

Usage of this program is show below:

usage: qnaplxdunpriv.py [-h] [--dry-run] [--station STATION]
                        [--container CONTAINER]
                        {set,unset} uid [uid ...]

Change ACLs for QNAP LXD unprivileged container.

positional arguments:
  {set,unset}           "set" or "unset"
  uid                   UID for unprivileged containers

options:
  -h, --help            show this help message and exit
  --dry-run             print new ACLs without actually changing any files
                        (default: False)
  --station STATION     directory corresponding to Container Station folder
                        which can be obtained by
                        "/share/CACHEDEV*_DATA/.qpkg/container-station"
                        (default: /Station)
  --container CONTAINER
                        directory corresponding to "/share/Container" shared
                        folder (default: /Container)

If you are using ARM architecture NAS or are willing to use your own Docker image, clone the source code from qnaplxdunpriv and build the image under python directory as following:

docker build -t qnaplxdunpriv .

Caveat

After changing ACLs, users other than admin and not in administrators group will lose access to files whose ACLs are changed. This is caused by the QNAP's own implementation of ACLs mentioned in What's wrong with ACL?. In many cases, this should not be a problem because users other than admin and not in administrators group typically do not need to access these files. However, if you need to grant access to some users or groups, a workaround is to add ACL entries explicitly allows the users or groups to access these files.

Background

Marco Trevisan kindly provided a script to change ACLs to enable running unprivileged LXD containers in Failing to start unprivileged container (QNAP) thread. However, simply adding an ACL entry would result in users other than admin (including users in administrators group) being unable to execute commands such as docker or lxc due to the QNAP's own implementation of ACLs mentioned in What's wrong with ACL?.

To address this issue, this program processes ACLs for set operation:

  1. If ACL entries explicitly specifying the given UIDs do not exist, create ACL entries explicitly specifying the given UIDs with permissions same as owner user excluding write permission.
  2. If an ACL entry explicitly specifying the owner group does not exist, create an ACL entry explicitly specifying the owner group with permissions same as owner group.
  3. If the ACL is changed, calculate the mask entry.

On the other hand, this program processes ACLs for unset operation:

  1. Remove ACL entries explicitly specifying the given UIDs.
  2. If an ACL entry explicitly specifying a user, an ACL entry explicitly specifying a group other than the owner group, or a default ACL entry exists, finish processing the file.
  3. Otherwise, if an ACL entry explicitly specifying the owner group exists and its permissions match the permissions of the owner group ACL entry, remove the ACL entry explicitly specifying the owner group.
  4. Remove the mask entry.
  5. If an ACL entry explicitly specifying a user or a group exists, calculate the mask entry.

Bash script

A Bash script qnap-lxd-unpriv.sh is located under bash directory. It functions nearly same as the above mentioned program, however it should be considered as a prototype for reference purposes because:

  • it is much slower than the Python version. It takes a few minutes (SSD on TS-453D) while the Python version runs in a few seconds.
  • it accepts only one UID.
  • it is not tested as the Python version.

Contributing

Please open a new issue if you find a problem. Pull requests are also welcome.

Licenses

Copyright 2022 kobarity

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Standard mutable string (character array) implementation for Python.

chararray A standard mutable character array implementation for Python.

Tushar Sadhwani 3 Dec 18, 2021
Projects and assets from Wireframe #56

Wireframe56 Projects and assets from Wireframe #56 Make a Boulder Dash level editor in Python, pages 50-57, by Mark Vanstone. Code an homage to Bubble

Wireframe magazine 10 Sep 07, 2022
使用京东cookie一键生成所有退会链接

JDMemberCloseLinks 本项目旨在使用京东cookie一键生成所有退会链接

hyzaw 68 Jun 10, 2022
A simple python project which control paint brush in microsoft paint app

Paint Buddy In Python A simple python project which control paint brush in micro

Ordinary Pythoneer 1 Dec 27, 2021
A set of decks and notebooks with exercises for use in a hands-on causal inference tutorial session

intro-to-causal-inference A introduction to causal inference using common tools from the python data stack Table of Contents Getting Started Install g

Roni Kobrosly 15 Dec 07, 2022
This python module allows to extract data from the RAW-file-format produces by devices from Thermo Fisher Scientific.

fisher_py This Python module allows access to Thermo Orbitrap raw mass spectrometer files. Using this library makes it possible to automate the analys

8 Oct 14, 2022
YourX: URL Clusterer With Python

YourX | URL Clusterer Screenshots Instructions for running Install requirements

ARPSyndicate 1 Mar 11, 2022
An integrated library for checking email if it is registered on social media

An integrated library for checking email if it is registered on social media

Sidra ELEzz 13 Dec 08, 2022
A collection of UIKit components that can be used as a Wagtail StreamField block.

Wagtail UIKit Blocks A collection of UIKit components that can be used as a Wagtail StreamField block. Available UIKit components Container Grid Headi

Krishna Prasad K 13 Dec 15, 2022
Script de monitoramento das teclas do teclado, salvando todos os dados digitados em um arquivo de log juntamente com os dados de rede.

listenerPython Script de monitoramento das teclas do teclado, salvando todos os dados digitados em um arquivo de log juntamente com os dados de rede.

Vinícius Azevedo 4 Nov 27, 2022
Some Python scripts that fx(hash) users might find useful.

fx_hash_utils Some Python scripts that fx(hash) users might find useful. get_images This script downloads all the static images of the tokens generate

30 Oct 05, 2022
【幼盾】个性化图片徽章服务!

【幼盾】个性化图片徽章服务! 你对方形的徽章感到无聊了吗?想要定制属于自己的开源项目徽章了吗? 快来使用unv-shield吧! unv-shield提供包含自定义图片的徽章服务,可以让你的项目主页更加个性化!

黄巍 130 Dec 23, 2022
A complex language with high level programming and moderate syntax.

zsq a complex language with high level programming and moderate syntax.

an aspirin 6 Jun 25, 2022
Pseudometa's dotfiles

pseudometa's dotfiles Table of Contents Why this repository? How this Repository works Special Explanations Got an idea for an improvement? Contact Wh

pseudometa 23 Dec 27, 2022
A self contained invitation management system for gatekeeping.

Invitease Description A self contained invitation management system for gatekeeping. Purpose Serves as a focal point for inviting guests to a venue pr

מעגן מיכאל 7 Jul 19, 2022
Track testrail productivity in automated reporting to multiple teams

django_web_app_for_testrail testrail is a test case management tool which helps any organization to track all consumption and testing of manual and au

Vignesh 2 Nov 21, 2021
Streamlit — The fastest way to build data apps in Python

Welcome to Streamlit 👋 The fastest way to build and share data apps. Streamlit lets you turn data scripts into sharable web apps in minutes, not week

Streamlit 22k Jan 06, 2023
An implementation of an interpreter for the Brainfuck esoteric language in Python

Brainfuck Interpreter in Python An implementation of an interpreter for the Brainfuck esoteric language in Python. 🧠 The Brainfuck Language Created i

Carlos Santos 0 Feb 01, 2022
A dot matrix rendered using braille characters.

⣿ dotmatrix A dot matrix rendered using braille characters. Description This library provides class called Matrix which represents a dot matrix that c

Tim Fischer 25 Dec 12, 2022
The tool helps to find hidden parameters that can be vulnerable or can reveal interesting functionality that other hunters miss.

The tool helps to find hidden parameters that can be vulnerable or can reveal interesting functionality that other hunters miss. Greater accuracy is achieved thanks to the line-by-line comparison of

197 Nov 14, 2022