How to let www-data user inside the container keep write access while having userns=auto?

[Abastro]

I am trying to use userns=auto for better security using namespaces, but keep getting stuck to roadblocks.

For instance, the Nextcloud container has the root user handle initial launch, and then www-data user manages all the data after launch.

This means any nextcloud data should be owned by www-data, not the root user. However, this quickly becomes a problem with userns=auto, since the user id is variable in this case. Chowning the volume (:U) only makes the files owned by the root, so www-data user cannot access the files.

Is podman just not suited for this kind of usecase? Currently I have resorted to userns=keep-id, but this has me wondering: is podman even more secure than docker in this setup?

[Luap99]

There is #19437 as request to specify another uid

But if you are using rootful containers you likely should be using :idmap instead as it avoids the expensive chown and just does a single mount that translates the ids just in the container while keeping the original ones on the host.

[Abastro]

@Luap99 Thanks! By idmap, you mean the option for volumes, right?

[Luap99]

yes, see Idmapped mount in the podman create/run man page. If the default mapping is not what you like you can even specify a custom id mapping.

[satriamjati]

I set ACL to avoid any files created for the root

sudo setfacl -R -m u:100032:rwx /srv/nextcloud
sudo setfacl -R -m d:u:100032:rwx /srv/nextcloud