permission issue with host devices and ssh

[Viatorus]

Hello,

I try to access a host device inside a container while being connected through ssh.

I use --userns keep-id --group-add keep-groups --device /dev/ttyS0 when running the container.

Inside the container, I can call cat /ttyS0 without a problem. id shows:

uid=1000(newuser) gid=1000(newuser) groups=1000(newuser),65534(nogroup)

If I connect me through ssh, I get Permission denied wtih cat /ttyS0. id shows:

uid=1000(newuser) gid=1000(newuser) groups=1000(newuser)

How do I get the correct group rights when using ssh?

My minimal example:
https://gist.github.com/Viatorus/278266a421443e46bfa53f045a6bd474

[rhatdan]

Are you ssh into the container? Only the primary process (pid 1) of the container is guaranteed access to the leaked group sockets.

[Viatorus]

Are you ssh into the container?
Yes, I ssh into the container.

Only the primary process (pid 1) of the container is guaranteed access to the leaked group sockets.
Ah, I thought about something like this... :/

But what can I do to make it also work inside a SSH session?

[Viatorus]

Are the uid/gid also different? :(

[rhatdan]

You could take the hosts GID and map it to itself within the container.

If this is a systemd based container running sshd then that would be the only way.

If you are running sshd as PID 1 inside of the container, then you might be able to get sshd to leak the file descriptor to the session, although I doubt you can.

Why are you ssh into the container versus using podman exec?

[Viatorus]

You could take the hosts GID and map it to itself within the container.

Can you explain this in more detail, please?

Why are you ssh into the container versus using podman exec?

The IDE we are using (CLion/Intellij) works - as I am aware of - only reliable good if the container with the developer environment is connected through ssh. The dev environment but also contains tools like "flash a device over /dev/tty..." which can be directly executed from the IDE.

[rhatdan]

Say the GID required for access is GID 10. Then all users of the tool would need to have

USER 10:10:1

In the /etc/subgid.

[KilinW]

I encounter the same problem too. We have a NFS mounted NAS that require the user to have specific group to read some data. I'm used to use the container via terminal or dev-container which is totally fine. But some user have IDE that can only with with ssh. And I was unable to make ssh process to have the group that Podman map.
Currently I just simply configure the permission in NAS manually user-by-user without groups. I just wonder if there are any proper method to do this nowadays.

[eriksjolund]

I wonder if this is related:

Note keep-groups can only work if the container itself does not call setgroups()

quote from

#25172 (comment)

Searching for setgroups in openssh code base:

https://github.com/search?q=repo%3Aopenssh%2Fopenssh-portable%20setgroups&type=code

result: setgroups is used in the openssh code base

[worldxc]

如果需要sshd服务并且需要用户附加组信息, 可以使用dropbear替代openssh. 取消其中的initgroups调用即可, 这当然有其他安全问题, 如果以rootless方式运行的容器中只有一个root用户也可以接受.