Group-write permissions between host and container

I followed a bunch of suggestions and tried to adapt them to my situation, but cannot seem to get this right…

Goal: Have a group of users in containers be allowed to write to certain directories on the host

What I tried:

[container ‘test’]
addgroup --gid 2000 hostwrite – create ‘hostwrite’ group
usermod -aG hostwrite ubuntu – add ‘ubuntu’ user to group ‘hostwrite’

[host]
addgroup --gid 1100 lxdshare – create share group
usermod -aG lxdshare myuser – add myself to the share group
mkdir /mnt/share – create directory on host
chgrp lxdshare /mnt/share – make it owned by the lxdshare group
chmod g+wx /mnt/share – make the directory writeable by group
printf "lxd:1100:1\nroot:1100:1\n" | sudo tee -a /etc/subgid – allow remapping of lxdshare group id in /etc/subgid
lxc config set test raw.idmap "gid 1100 2000" – map host group id 1100 to container group id 2000
lxc config device add test share disk source=/mnt/share path=/share – map host /mnt/share to container /share
systemctl restart lxd – restart LXD
lxc restart test – restart ‘test’ container

Now when I log in as ‘ubuntu’ into container ‘test’ and look at /share, it says:

drwxrwxr-x 3 nobody hostwrite … share

The ‘nobody:hostwrite’ instead of the ‘nobody:nobody’ makes me think things worked out, but when I try to write to the directory, I get an error:

touch: cannot touch ‘/share/testfile’: Permission denied

Am I missing something? Any thoughts?

Did you try running newgrp hostwrite in the container to effectively switch your primary group to the one for that directory?

That works as desired. Thanks!

So, if I have a bunch of system users (for various binaries) that I want to be able to write to host, do I need to make ‘hostwrite’ their primary group during user creation, or is there another way?

Also, the other way I’ve seen this issue solved is by allowing the container group ID write access to a directory via setfacl without doing the group/user ID mapping. Is there a benefit of one way over the other?

Making that group their primary group should indeed work fine. Otherwise you can feed a script to newgrp too, so something like exec /path/to/script | newgrp hostwrite should have newgrp change the default group and then exec /path/to/script.

ACLs are mostly useful if you need a bunch of users or groups to have access to the same path, but it can get a bit tricky to administer and back up.

Thank you.
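
The /etc/subgid and raw.idmap steps in the original post depend on each other: the host gid named in raw.idmap has to be delegated in /etc/subgid. As an added example (not code from the thread or from LXD), this Python check compares the two; the function names and sample file contents are constructed, and it assumes the daemon maps ids as root, so only the root entries are consulted.

```python
# Added example: does /etc/subgid delegate the host gids named in raw.idmap?
# Sample data below is constructed; "root" as the mapping owner is an assumption.

def parse_range(text):
    """'1100' -> (1100, 1100); '100-110' -> (100, 110)."""
    lo, _, hi = text.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if hi < lo:
        raise ValueError(f"descending range: {text!r}")
    return lo, hi

def parse_idmap(raw):
    """Return [(kind, host_range, container_range)] from a raw.idmap value."""
    entries = []
    for line in raw.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3 or fields[0] not in ("uid", "gid", "both"):
            raise ValueError(f"bad raw.idmap line: {line!r}")
        host, ct = parse_range(fields[1]), parse_range(fields[2])
        if host[1] - host[0] != ct[1] - ct[0]:
            raise ValueError(f"range sizes differ: {line!r}")
        entries.append((fields[0], host, ct))
    return entries

def parse_subid(text, owner):
    """Return [(first, last)] id ranges delegated to owner in subuid/subgid text."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == owner and int(count) > 0:
            ranges.append((int(start), int(start) + int(count) - 1))
    return ranges

def undelegated_gids(raw_idmap, subgid_text, owner="root"):
    """Host gid ranges in raw.idmap not covered by a single subgid entry of owner."""
    allowed = parse_subid(subgid_text, owner)
    return [host for kind, host, _ in parse_idmap(raw_idmap)
            if kind in ("gid", "both")
            and not any(a <= host[0] and host[1] <= b for a, b in allowed)]

SUBGID_DEFAULT = "lxd:100000:65536\nroot:100000:65536\n"       # constructed sample
SUBGID_PATCHED = SUBGID_DEFAULT + "lxd:1100:1\nroot:1100:1\n"  # after the printf step

if __name__ == "__main__":
    print(undelegated_gids("gid 1100 2000", SUBGID_DEFAULT))   # gid 1100 not delegated
    print(undelegated_gids("gid 1100 2000", SUBGID_PATCHED))   # delegation present
```

An empty list means every host gid in the mapping is delegated; anything returned is a gid that still needs an /etc/subgid line before the container is restarted.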