Unable to shift mount a host directory: The "shift" property cannot be used with a restricted source path

Incus
,
1

Hi everyone.

I’m trying to mount a directory from the host into a container, and give root read and write permissions in that. I found that using the disk device with the shift=true option seems to be exactly what I need.

I’ve tested this from the root user on the host, and it’s working well.

root@MyPC:~# ls -lh
total 4.0K
drwxr-xr-x 2 root root 4.0K Jul 23 13:30 testdir

root@MyPC:~# incus launch images:alpine/3.20 ctner-root
Launching ctner-root


root@MyPC:~# incus config device add ctner-root test-vol disk source=/root/testdir path=/testdir shift=true
Device test-vol added to ctner-root

However, when I switch to a normal user (in group incus, of course), the same command doesn’t work.

[~]$ ls -lh        
total 4.0K
drwxrwxr-x  2 me me 4.0K Jul 23 13:44 testdir

[~]$ incus launch images:alpine/3.20 ctner-user
Launching ctner-user

[~]$ incus config device add ctner-user test-vol disk source=/home/me/testdir path=/testdir shift=true
Error: Failed to start device "test-vol": The "shift" property cannot be used with a restricted source path

I did some search and found that this message might be related to the restricted project. But it looks like I’m launching a single container directly. Or am I missing something?

Could you please let me know what’s causing this issue? Any ideas on how I can get around this?

Just to give you a heads-up, my OS environment is:

  • OS: Debian Trixie (Testing) amd64
  • Incus: version 6.0.1

Please bear with me as I’m trying to find a way to mount the directory that might be as simple as docker’s -v, without a lot of extra configuration. So I would prefer not to go down the route of changing the /etc/subuid and /etc/subgid like most posts usually do if I can get the shift option to do the trick instead. Please also let me know if I’ve got any key information wrong.

Thanks in advance! :blush:

2

Per the Incus documentation, there are two Unix groups,

  1. incus, allows basic user access, no configuration and all actions restricted to a per-user project.
  2. incus-admin, allows full control over Incus.

Perhaps you need to switch to the incus-admin Unix group in order to apply the shift property to a container?

3

Thanks for your advice. However, I have tried to change my account to incus-admin group, but I found the same error exists.

I have confirmed that the same mount command works without the shift=true option. Even if I am in the incus group.

[~]$ incus config device add ctner-user test-vol disk source=/home/me/testdir path=/testdir shift=true
Error: Failed to start device "test-vol": The "shift" property cannot be used with a restricted source path

[~]$ incus config device add ctner-user test-vol disk source=/home/me/testdir path=/testdir           
Device test-vol added to ctner-user

[~]$ incus exec ctner-user -- /bin/ash                         
~ # echo "Hello" > /testdir/test.txt
/bin/ash: can't create /testdir/test.txt: Permission denied

Do you have any other idea? Anyway, thank you very much for your reply.

4

That’s mostly likely because you’re still operating within your user-specific restricted project.
incus project list will likely show you interacting with a user-XYZ project.

There are a couple of things you could do:

  • Switch to the default project (incus project switch) and set things up in there instead
  • Edit your project (incus project edit) and remove the restrictions (restricted=false should do it)
1 Like
5

Thanks for the detailed explanation. That’s the solution.

In addition to your solution, I’ve also tried to set the restricted.devices.disk.paths line of the project configuration to an empty string "", and it worked too.

- restricted.devices.disk.paths: /home/xxx
+ restricted.devices.disk.paths: ""

For those who are having the same problem and have ended up here, I’d also suggest reading this to help you avoid a potential root exploit.

1 Like