Issue Description
After updating podman and crun I find that the mounting of volumes in rootless podman is no longer performed with the full host user permissions but rather with the container user permissions. In my case the path to the mounted file requires a supplementary group to be accessed (which the host user has) and crun fails to mount this folder in the latest version because the container user does not have these permissions.
Is this an intentional change? It feels wrong because the container user should have no relation to the volume path on the host machine.
[test] | Error: unable to start container 9e9716c809ace9571fb33b9d7f340ba52ae1885e9f629a6686a89f292ceccf59: crun: cannot stat `/test/testfile.txt`: Permission denied: OCI permission denied
I mount a file /test/testfile.txt that is fully accessible by the current user, but resides inside a folder that is accessible by the current user captain through a group userdata. podman/crun fails to mount the file into the container.
$ ls -ld /test /test/testfile.txt
drwxrwx--- 2 root userdata 4096 Aug 16 16:48 /test
-rw-r--r-- 1 captain captain 5 Aug 16 16:43 /test/testfile.txt
$ id
uid=1000(captain) gid=1000(captain) groups=1000(captain),10(wheel),1000000(userdata)
Note that the container runs rootless on the host, and rootful inside the container. And the userdata group is not inherited by the container. When the container group is changed to userdata, crun is able to mount the folder.
The issue has appeared directly after updating to the latest version, and it used to work on the old version.
crun 1.21-1 -> 1.23.1-1
podman 5.5.1 -> 5.5.2
Since there aren't any changes between these podman versions I'm guessing this is a crun issue.
compose.yaml
services:
  test:
    image: docker.io/alpine:latest
    volumes:
      - /test/testfile.txt:/testfile.txt
Steps to reproduce the issue
- create file structure as described
- podman-compose up
Describe the results you received
crun: cannot stat `/test/testfile.txt`: Permission denied: OCI permission denied
Describe the results you expected
crun is able to mount the file
podman info output
host:
  arch: amd64
  buildahVersion: 1.40.1
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.13-1.fc42.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.13, commit: '
  cpuUtilization:
    idlePercent: 98.04
    systemPercent: 0.75
    userPercent: 1.21
  cpus: 4
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    version: "42"
  eventLogger: journald
  freeLocks: 1987
  hostname: fedora
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
    - container_id: 65537
      host_id: 1000000
      size: 1
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
  kernel: 6.15.9-201.fc42.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 20067323904
  memTotal: 33429540864
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.15.0-1.fc42.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.15.0
    package: netavark-1.15.2-1.fc42.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.15.2
  ociRuntime:
    name: crun
    package: crun-1.23.1-1.fc42.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.23.1
      commit: d20b23dba05e822b93b82f2f34fd5dada433e0c2
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20250805.g309eefd-2.fc42.x86_64
    version: |
      pasta 0^20250805.g309eefd-2.fc42.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
      <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 12884893696
  swapTotal: 12884893696
  uptime: 10h 16m 24.00s (Approximately 0.42 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /home/captain/.config/containers/storage.conf
  containerStore:
    number: 21
    paused: 0
    running: 15
    stopped: 6
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/captain/.local/share/containers/storage
  graphRootAllocated: 48281440256
  graphRootUsed: 25500487680
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 238
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/captain/.local/share/containers/storage/volumes
version:
  APIVersion: 5.5.2
  BuildOrigin: Fedora Project
  Built: 1750723200
  BuiltTime: Tue Jun 24 02:00:00 2025
  GitCommit: e7d8226745ba07a64b7176a7f128e4ef53225a0e
  GoVersion: go1.24.4
  Os: linux
  OsArch: linux/amd64
  Version: 5.5.2
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
No
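As an added example that is not part of the issue or of crun/podman: a small Python model of the permission check a stat of the bind-mount source has to pass, evaluated once with the host user's credentials from `id` and once with the credentials a rootless container process carries after translation through the uidmap/gidmap shown in `podman info`. The directory tree, the id maps and the group ids are constructed from the values in the report; the capability override container root would normally get is left out because /test is owned by host uid 0, which is not mapped into the container's user namespace.

```python
# Added example (not from the issue or from crun/podman): models the DAC check a
# stat of the bind-mount source must pass, using the host ids that actually apply.
from collections import namedtuple
Creds = namedtuple("Creds", "uid gid groups")  # groups: supplementary gids, host ids

# Constructed from `ls -ld` in the report: (mode, owner uid, group gid) in host ids.
HOST_TREE = {
    "/": (0o755, 0, 0),
    "/test": (0o770, 0, 1000000),              # drwxrwx--- root userdata
    "/test/testfile.txt": (0o644, 1000, 1000),  # -rw-r--r-- captain captain
}
# (container_id, host_id, size) triples copied from the podman info idMappings.
UIDMAP = [(0, 1000, 1), (1, 524288, 65536)]
GIDMAP = [(0, 1000, 1), (1, 524288, 65536), (65537, 1000000, 1)]

def permits(entry, creds, want):
    """Owner/group/other check; want is a permission mask (4=r, 2=w, 1=x)."""
    mode, owner, group = entry
    if creds.uid == owner:
        bits = (mode >> 6) & 7
    elif creds.gid == group or group in creds.groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want

def first_denied(path, creds, tree=HOST_TREE):
    """stat(path) needs search (x) on every ancestor dir; return the first one refused."""
    prefix = ""
    for part in path.rstrip("/").split("/")[:-1]:
        prefix = "/" if not part else prefix.rstrip("/") + "/" + part
        if not permits(tree[prefix], creds, 1):
            return prefix
    return None

def to_host(cid, idmap):
    """Translate a container uid/gid to the host id through the user namespace map."""
    for c, h, n in idmap:
        if c <= cid < c + n:
            return h + (cid - c)
    raise ValueError(f"id {cid} is not mapped into the namespace")

def container_creds(uid, gid, groups=()):
    """Creds of a container process as the host kernel sees them (host uid 0 is unmapped, so no capability override)."""
    return Creds(to_host(uid, UIDMAP), to_host(gid, GIDMAP),
                 frozenset(to_host(g, GIDMAP) for g in groups))

HOST_USER = Creds(1000, 1000, frozenset({1000, 10, 1000000}))  # from `id` in the report
CONTAINER_ROOT = container_creds(0, 0)              # root in container == captain, no userdata
CONTAINER_ROOT_USERDATA = container_creds(0, 65537)  # gid 65537 maps to host userdata
```

`first_denied("/test/testfile.txt", CONTAINER_ROOT)` stops at `/test`, while the host user and a container process running with gid 65537 both get through, which is the behaviour the report describes.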