无法以 root 身份更改文件所有者


我无法更改文件的所有者(我以 root 身份登录)。

运行 chown root Shrek.avi 的输出:

chown: changing ownership of 'Shrek.avi': Operation not permitted

运行 chattr -i Shrek.avi 的输出:

chattr: Permission denied while reading flags on Shrek.avi

运行 strace chattr -i Shrek.avi 的输出:

execve("/usr/bin/chattr", ["chattr", "-i", "Shrek.avi"], 0x7ffd5a2a56f0 /* 24 vars */) = 0
brk(NULL)                               = 0x55a268bd4000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=32282, ...}) = 0
mmap(NULL, 32282, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fd25ebeb000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libe2p.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p3\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=44976, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd25ebe9000
mmap(NULL, 47680, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fd25ebdd000
mprotect(0x7fd25ebe0000, 28672, PROT_NONE) = 0
mmap(0x7fd25ebe0000, 16384, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7fd25ebe0000
mmap(0x7fd25ebe4000, 8192, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x7000) = 0x7fd25ebe4000
mmap(0x7fd25ebe7000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x9000) = 0x7fd25ebe7000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libcom_err.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\"\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=18344, ...}) = 0
mmap(NULL, 20648, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fd25ebd7000
mmap(0x7fd25ebd9000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7fd25ebd9000
mmap(0x7fd25ebda000, 4096, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7fd25ebda000
mmap(0x7fd25ebdb000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7fd25ebdb000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 l\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=149520, ...}) = 0
mmap(NULL, 136304, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fd25ebb5000
mmap(0x7fd25ebbb000, 65536, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7fd25ebbb000
mmap(0x7fd25ebcb000, 24576, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x7fd25ebcb000
mmap(0x7fd25ebd1000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1b000) = 0x7fd25ebd1000
mmap(0x7fd25ebd3000, 13424, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fd25ebd3000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@>\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1905632, ...}) = 0
mmap(NULL, 1918592, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fd25e9e0000
mmap(0x7fd25ea02000, 1417216, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x22000) = 0x7fd25ea02000
mmap(0x7fd25eb5c000, 323584, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x17c000) = 0x7fd25eb5c000
mmap(0x7fd25ebab000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1ca000) = 0x7fd25ebab000
mmap(0x7fd25ebb1000, 13952, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fd25ebb1000
close(3)                                = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd25e9de000
arch_prctl(ARCH_SET_FS, 0x7fd25e9deb80) = 0
mprotect(0x7fd25ebab000, 16384, PROT_READ) = 0
mprotect(0x7fd25ebd1000, 4096, PROT_READ) = 0
mprotect(0x7fd25ebdb000, 4096, PROT_READ) = 0
mprotect(0x7fd25ebe7000, 4096, PROT_READ) = 0
mprotect(0x55a266c1c000, 4096, PROT_READ) = 0
mprotect(0x7fd25ec1d000, 4096, PROT_READ) = 0
munmap(0x7fd25ebeb000, 32282)           = 0
set_tid_address(0x7fd25e9dee50)         = 1259
set_robust_list(0x7fd25e9dee60, 24)     = 0
rt_sigaction(SIGRTMIN, {sa_handler=0x7fd25ebbb690, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7fd25ebc8140}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=0x7fd25ebbb730, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fd25ebc8140}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
brk(NULL)                               = 0x55a268bd4000
brk(0x55a268bf5000)                     = 0x55a268bf5000
lstat("Shrek.avi", {st_mode=S_IFREG|0400, st_size=2302464000, ...}) = 0
openat(AT_FDCWD, "Shrek.avi", O_RDONLY|O_NONBLOCK|O_NOFOLLOW) = -1 EACCES (Permission denied)
write(2, "chattr", 6chattr)                   = 6
write(2, ": ", 2: )                       = 2
write(2, "Permission denied", 17Permission denied)       = 17
write(2, " ", 1 )                        = 1
write(2, "while reading flags on Shrek.avi", 32while reading flags on Shrek.avi) = 32
ioctl(2, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(2, TCGETS, {B38400 opost isig icanon echo ...}) = 0
write(2, "\n", 1
)                       = 1
exit_group(1)                           = ?
+++ exited with 1 +++

我在 Proxmox 中将 Turnkey Core 17.1 作为 LXC 容器运行。文件系统是 ext4。我尝试修复这个问题已经两天了。有人能帮忙吗?

答案1

TL;DR:也许您的文件的所有者(UID/GID)落在 Turnkey 容器所映射的范围之外。在主机上将该文件的所有者更改为 100000:100000,然后从容器中再试一次。

解释:

你的容器可能是非特权(unprivileged)容器,因此您在容器中看到的 0–65535 范围内的 UID/GID 被映射到主机上的 100000–165535。这样做是为了让容器的任何用户在主机上都不具备任何特权:例如,容器的 root(UID 0)在主机上只是一个没有特殊身份的普通用户(UID 100000),因此它并不是真正的 root,无法对系统造成太大危害。特别是,容器的 root 可以控制所有者为 UID 100000 的文件,但对所有者为 UID 0 的文件没有任何权限。(我没有读过相关代码,但我相信主机上 UID 100000 能够控制所有者为 100000–165535 的文件,是用户命名空间特意添加的能力。)

ext4 在文件属性中存储的是 32 位整数形式的 ID,而不是用户名,并且它对内核的用户命名空间一无所知。您只要把容器的文件系统挂载到主机上(在 PVE 中:pct mount <CTID>)并在那里复制文件,就能轻松地在容器的文件系统中创建所有者 UID 为 0 或 100 的文件。

您可能会注意到,主机上的 UID 0 或 100 在容器中没有任何可映射的对应项。如果这样的文件出现在容器所看到的文件系统视图中(正如我刚才描述的那样),系统应该怎么做?它的行为将与您观察到的完全一样:容器能看到该文件,但只允许按照文件的“其他(other)”权限位来访问它,即使对容器内的 root 也是如此。您的 strace 输出也印证了这一点:lstat 显示文件模式为 0400(仅所有者可读),而容器内的 root 只能按“其他”权限访问,因此随后的 openat 返回 EACCES。

修复只能在“主机”系统上进行,因为只有主机才能看到“真实”的 UID,并且对所有 UID(包括映射给容器的那些)拥有完全的权限。

答案2

检查该文件是否:

  • 正在被另一个进程使用(可用 lsof 命令查看)。

  • 位于支持扩展属性的文件系统上(可用 df 命令查看它所在的文件系统)。

  • 已通过其他方式被设为不可变,例如通过 SELinux 策略或文件系统权限。

如果这些步骤都没有帮助,您可能需要查阅系统日志。
