Add userns_idmap field to accounts
Bug Clerk February 25, 2025 at 1:28 PM
This issue has now been closed. Comments made after this point may not be viewed by the TrueNAS Teams. Please open a new issue if you have found a problem or need to re-engage with the TrueNAS Engineering Teams.

Bug Clerk February 25, 2025 at 4:15 AM
25.04-RC.1 PR: https://github.com/truenas/middleware/pull/15833
Complete
Created February 24, 2025 at 8:57 PM
Updated March 7, 2025 at 1:10 PM
Resolved February 25, 2025 at 1:28 PM
25.04.0 PR: https://github.com/truenas/middleware/pull/15832
This commit adds a field to user and group accounts to map the id in host to containers. This is intended to be used to simplify permissions management for processes in hosts and containers.
The possible values for this field are:
None - do not map the account
"DIRECT" - map it to the same ID as in host
integer - valid uid / gid greater than zero
Validation errors are raised if the user or group is privileged from the perspective of middleware (has one or more roles defined). This is to reduce the risk of privilege escalation if the process running in a container somehow gets access to the middlewared AF_UNIX socket.
A new method under the virt.instance namespace "get_account_idmaps" is added in order to provide details for a follow-on PR to use this information on incus instance start to write a custom idmap configuration.
The following is a brief example of using group userns_idmap. Generally, it's more efficient to use group membership to control access to filesystem resources.
Example: common groups between host and containers:
-------------------------------------------------------------
1. User has a dataset `dozer/MEDIA`
2. admin creates a "media_access_write" group on the TrueNAS host and sets `userns_idmap="DIRECT"` for the group.
3. admin sets an ACL entry on `dozer/MEDIA` that grants write access for the media_access_write group.
Once this initial setup has been completed, the admin can grant local users access to the `dozer/MEDIA` dataset by making them members of the "media_access_write" group, and can also grant access to a user in a container by creating a group with the same gid in the container and making the user in the container a member of the new group.
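The following is a hypothetical Python model of the rules described in this PR (the three accepted values, the rejection of accounts that hold roles, and the host-to-container id resolution), added here as an illustration and not the middleware's own code. `Account`, `ValidationError`, `container_id` and the output shape of `get_account_idmaps` are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional, Union

IdMap = Optional[Union[str, int]]  # None | "DIRECT" | positive integer

class ValidationError(ValueError):
    """Stand-in for the middleware's validation error (hypothetical class name)."""

@dataclass
class Account:
    name: str
    host_id: int                               # uid or gid on the TrueNAS host
    roles: list = field(default_factory=list)  # non-empty means privileged in middleware
    userns_idmap: IdMap = None

def validate_userns_idmap(acct: Account, value: IdMap) -> IdMap:
    """Rules from the PR description: None, "DIRECT" or an integer > 0, never for an
    account that holds one or more middleware roles."""
    if value is None:
        return None  # account is simply not mapped into containers
    if acct.roles:
        # A container process that reached the middlewared socket with this id would
        # inherit these roles, so privileged accounts are refused a mapping at all.
        raise ValidationError(f"{acct.name}: accounts with roles {acct.roles} cannot be mapped")
    if value == "DIRECT":
        return "DIRECT"
    if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
        raise ValidationError(f"{acct.name}: userns_idmap must be None, 'DIRECT' or int > 0")
    return value

def container_id(acct: Account) -> Optional[int]:
    """Id the account gets inside a container, or None when unmapped."""
    if acct.userns_idmap is None:
        return None
    return acct.host_id if acct.userns_idmap == "DIRECT" else acct.userns_idmap

def get_account_idmaps(users, groups):
    """Host->container id pairs for mapped accounts (hypothetical output shape)."""
    return {
        "uid": [(u.host_id, container_id(u)) for u in users if u.userns_idmap is not None],
        "gid": [(g.host_id, container_id(g)) for g in groups if g.userns_idmap is not None],
    }

def media_example():
    """Constructed walkthrough: DIRECT-mapped group alongside an unmapped, privileged admin."""
    media = Account("media_access_write", 3001)
    media.userns_idmap = validate_userns_idmap(media, "DIRECT")
    admin = Account("admin", 950, roles=["FULL_ADMIN"])  # role name is a placeholder
    return get_account_idmaps(users=[admin], groups=[media])
```

The gid 3001 in the sample is constructed; the point is that only the DIRECT-mapped group appears in the idmap output, while any attempt to map the role-holding admin account raises before a mapping is stored.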