Pod's permissions in SCALE - root has all access to mount points

emsicz (Explorer; joined Aug 12, 2021; 78 messages)
I noticed something interesting. I installed Syncthing from the APPS menu; the pod is successfully created and runs. The wizard asks for a Syncthing user ID, which I changed to the number that corresponds to the user ID of the user syncthing, which I created as a TrueNAS user. The wizard also asks for mount points. I mounted a (host) /pool/dataset to a (pod) /var/syncthing/dataset. The dataset has several ACLs defined: root is the owner of everything, and various users have various levels of access. Syncthing has read access. I then launched the pod's bash through the TrueNAS UI and noticed I can create/modify/delete stuff in the mounted path. Through whoami I found the shell runs as root, and it occurred to me that because root in the pod has uid 0 (the same as root in TrueNAS), it probably operates under identical rights; hence in bash I can modify/delete data in mount points that I only intended to be read-only.

In TrueNAS Core, I can set mount points as read-only. In TrueNAS SCALE, I can't.

So 1) am I correct that it is quite risky to have the pod with write/modify access to all of the data, and 2) how do I go about isolating the pod so it really only has read-only access?

HarryMuscle (Contributor; joined Nov 15, 2021; 161 messages)
FYI, you can set mount points as read-only in SCALE also, at least via the Launch Docker Image button.

emsicz (Explorer; joined Aug 12, 2021; 78 messages)
HarryMuscle said: "FYI, you can set mount points as read only in Scale also, at least via the Launch Docker Image button."

Where do I check the "read only" checkbox here?

[Attachment: no_readonly_checkbox.PNG]

HarryMuscle (Contributor; joined Nov 15, 2021; 161 messages)
That looks like one of the catalog apps. Which options you see is determined by the creator of the catalog entry. If you use the Launch Docker Image button to launch an app, you get the option to make mount points read-only. If you want to use the catalog app, you'd have to ask the creator to add this option to the app options.
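The underlying reason the ACLs did not help in the first post: uid 0 inside the container carries CAP_DAC_OVERRIDE, so file permissions and ACLs on the host dataset do not constrain it. What does constrain it is the mount itself: a read-only bind mount (what the Launch Docker Image read-only option sets, as a Kubernetes volumeMount with readOnly: true, which is an assumption about how the UI maps to the pod spec) is refused by the kernel for every uid, root included. The script below is an added example, not code from the thread or from TrueNAS; it audits from inside the pod whether a given mount point is really read-only, using the mount point /var/syncthing/dataset from the original post as its assumed default. It parses /proc/mounts, reports the effective uid, and then tries an actual write, since an ACL or a parent mount can leave the directory writable even when nothing in the UI said so.

```shell
#!/bin/sh
# Added example (not from the thread): audit, from inside a pod, whether a
# bind-mounted dataset is really read-only and whether the shell is root.
# Assumed default mount point: /var/syncthing/dataset (from the original post).

# mount_is_ro MOUNTPOINT MOUNTS_TEXT
# MOUNTS_TEXT is in /proc/mounts format: device mountpoint fstype options ...
# Returns 0 if the last entry for MOUNTPOINT carries the "ro" option,
# 1 if it is mounted rw, 2 if there is no separate mount at that path.
mount_is_ro() {
    mp="$1"
    printf '%s\n' "$2" | awk -v mp="$mp" '
        $2 == mp {
            found = 1
            ro = 0                      # later entries shadow earlier ones
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") ro = 1
        }
        END {
            if (!found) exit 2
            exit ro ? 0 : 1
        }'
}

# write_probe MOUNTPOINT: create and remove a scratch file; 0 = writable.
# This is the check that matters: it is what the kernel actually allows.
write_probe() {
    f="$1/.rw-probe-$$"
    if touch "$f" 2>/dev/null; then
        rm -f "$f"
        return 0
    fi
    return 1
}

# audit_mount MOUNTPOINT: print a verdict for the live system.
audit_mount() {
    mp="${1:-/var/syncthing/dataset}"
    uid=$(id -u)
    echo "running as uid $uid"
    if [ "$uid" -eq 0 ]; then
        echo "WARNING: uid 0 has CAP_DAC_OVERRIDE; dataset ACLs will not stop it"
    fi
    rc=0
    mount_is_ro "$mp" "$(cat /proc/mounts)" || rc=$?
    case $rc in
        0) echo "$mp is mounted ro" ;;
        1) echo "$mp is mounted rw" ;;
        *) echo "$mp is not a separate mount (inherits its parent's options)" ;;
    esac
    if write_probe "$mp"; then
        echo "WRITE PROBE: succeeded, the pod can modify $mp"
    else
        echo "WRITE PROBE: refused"
    fi
}

# Run the audit only when invoked with a mount point argument.
if [ -n "${1:-}" ]; then
    audit_mount "$1"
fi
```

Run it from the pod's shell as `sh audit.sh /var/syncthing/dataset`. A mount that reports `ro` and a refused write probe is what the read-only option should produce; a catalog app that offers no such option will typically show `rw` and a successful probe even though the TrueNAS-side ACL grants syncthing only read access, because the process is root, not syncthing. Setting the pod to run as the syncthing uid narrows the damage, but only the read-only mount makes the data unwritable regardless of who is running inside.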