Files owned by host ‘root’ (perms:644) show up as ‘nobody’ in container and can be deleted from container

New to LXD but kinda digging it.

Have an unprivileged container “c1” (Ubuntu server 22.04) running on Ubuntu 22.04. Added a host directory as a device to the container.

 lxc config device add c1 videos disk source=/mnt/mediashare/videos path=/mnt/videos

Mapped a host/container user (uid/gid = 1333) to be equal across host/container:

 lxc config set c1 raw.idmap "both 1333 1333"

so the container can read/write to the host as uid 1333.

Files created on host as UID=1333 show up as UID=1333 in container, and vice versa, files created in container by UID=1333 show up as UID=1333 in host.

Files created as root or other users in container “c1” show up as uid:gid = 1000000:1000000 on the host. So far so good.

However, files created by either other users (not 1333) or root (0) on the host show up as nobody:nobody in the container (65534:65534), and can be deleted by either root or user 1333 in the container.

Even though there are no critical OS files in the host share “/mnt/mediashare/videos”, this strikes me as a bit dangerous, particularly for the root-owned files.

Can someone set me straight? Can the container honor the lack of write permissions on the host files? Or is it because the container is started by root it gains full power over host files?

Thanks in advance.

I’m going to answer this myself.

Turns out the owner of the directory (/mnt/mediashare/videos) on the host was 1333, and I forgot it is the directory permissions that determine whether a file can be deleted or not, not the ‘rw’ on the file itself. Users within the container could not modify the file owned by root on the host, only delete it. A bit of a rookie mistake.

Hope this helps future users, cheers!
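As an added example (not part of the original post), here is a small Python model of the checks behind the behaviour above: host ids pass through the container's idmap, unmapped ids show up as nobody (65534), and unlinking a file is decided by the write bit on the directory rather than the file's own mode. The rule that container root only overrides DAC on inodes whose owner is mapped into the container is my simplification of the kernel's user-namespace behaviour; ids and modes are constructed to mirror the post.

```python
# Constructed model of the LXD idmap + POSIX permission checks from the post.
# Not the kernel's code: a simplified view that ignores group bits and the
# directory search bit, and treats container root's DAC override as applying
# only to inodes whose owner is mapped into the container.

NOBODY = 65534  # how an unmapped host uid/gid appears inside the container


def to_container_id(host_id, idmap):
    """Translate a host uid/gid through the container's idmap.

    idmap is {host_id: container_id} (e.g. {1333: 1333} for
    'both 1333 1333'); anything not listed is unmapped -> nobody.
    """
    return idmap.get(host_id, NOBODY)


def has_perm(host_owner, mode, owner_bit, actor, idmap):
    """DAC check as seen from a process with container uid `actor`.

    owner_bit is the owner-class bit (0o200 = write); the 'other'-class
    bit is derived from it. Container root (0) bypasses the check only
    when the inode's owner is mapped into the container.
    """
    owner = to_container_id(host_owner, idmap)
    if actor == 0 and owner != NOBODY:
        return True  # capability applies inside the user namespace
    if actor == owner:
        return bool(mode & owner_bit)
    return bool(mode & (owner_bit >> 6))  # 'other' class


def may_write(file_owner, file_mode, actor, idmap):
    """Modifying a file's contents needs write permission on the file."""
    return has_perm(file_owner, file_mode, 0o200, actor, idmap)


def may_unlink(dir_owner, dir_mode, actor, idmap):
    """Deleting a file needs write permission on the *directory*;
    the file's own mode and owner do not matter (no sticky bit here)."""
    return has_perm(dir_owner, dir_mode, 0o200, actor, idmap)


if __name__ == "__main__":
    idmap = {1333: 1333}  # raw.idmap "both 1333 1333"
    # Post's setup: /mnt/mediashare/videos owned by host 1333 (755),
    # containing a root-owned 644 file.
    print("uid 1333 can modify root's file:", may_write(0, 0o644, 1333, idmap))
    print("uid 1333 can delete root's file:", may_unlink(1333, 0o755, 1333, idmap))
    # Fix: make the share directory owned by host root instead.
    print("after chown root dir, delete:", may_unlink(0, 0o755, 1333, idmap))
```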