disk_host: open host mount path for unprivileged LXC bind-mounts

The fstab-only mount method explicitly says "for LXC bind-mounts" in
its dialog wording, but the mount point left behind by mkfs +
mkdir is owned root:root with mode 0755. An unprivileged LXC sees
the directory through its uid offset (root inside → host uid 100000)
which lands under the directory's "others" bits — so the container
can read but never write, and the user has to track down the
chmod / setfacl step manually.

lxc-mount-manager_minimal.sh already offers exactly this fix as
`lmm_offer_host_permissions` when the user adds the bind-mount
through that script, but the disk-side script never closed its half
of the loop. Add a small `_apply_lxc_bind_mount_perms` helper that
runs `chmod o+rwx` plus `setfacl o::rwx + default ACL` whenever
MODE_FSTAB=1, and call it from both `mount_disk_permanently`
(format path) and `mount_existing_disk` (use_existing path). Pure
pvesm-only mounts keep the original behaviour — chmod o+rwx on a
VM/backup storage isn't desirable.

Verified on .55 against the existing /mnt/disk-sda + LXC 112
(unprivileged): unprivileged container root could not write before
(Permission denied), writes succeed after the perms are applied and
land on the host as uid 100000 as expected.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
MacRimi
2026-06-02 18:21:27 +02:00
parent 15ed0f84e7
commit a921aac51e
+30
@@ -584,10 +584,38 @@ mount_disk_permanently() {
msg_ok "$(translate "Added to /etc/fstab using device path")"
fi
_apply_lxc_bind_mount_perms "$mount_path"
systemctl daemon-reload 2>/dev/null || true
return 0
}
# When the user opted into the host-fstab mount method, the whole
# point of the mount is to bind-mount it into LXC containers. A fresh
# ext4/xfs/btrfs filesystem (or a freshly-created /mnt/<id> directory)
# is owned by root:root with mode 0755 — which an unprivileged LXC
# sees as "others" (its root uid 0 maps to host uid 100000) and is
# therefore read-only. lxc-mount-manager_minimal.sh offers the same
# chmod o+rwx + default-ACL fix when the user adds the bind-mount
# through that script, but most users don't realise they need to do
# both steps. Apply the fix here so that "fstab only" really does
# leave a directory ready to bind-mount from an unprivileged CT.
# Privileged containers don't need this (root inside = root on host)
# but the change is harmless: existing owners keep their access.
_apply_lxc_bind_mount_perms() {
local mount_path="$1"
[[ "${MODE_FSTAB:-0}" -eq 1 ]] || return 0
[[ -d "$mount_path" ]] || return 0
msg_info "$(translate "Applying host permissions for unprivileged LXC bind-mounts...")"
chmod o+rwx "$mount_path" 2>/dev/null || true
if command -v setfacl >/dev/null 2>&1; then
setfacl -m o::rwx "$mount_path" 2>/dev/null || true
setfacl -m d:o::rwx "$mount_path" 2>/dev/null || true
fi
msg_ok "$(translate "Host permissions applied (o+rwx + default ACL) — unprivileged LXCs can read/write through bind-mounts")"
}
mount_existing_disk() {
local disk="$1"
local mount_path="$2"
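Review bot: In `_apply_lxc_bind_mount_perms`, `chmod o+rwx` plus `setfacl -m o::rwx` grants write access to every host account and every container uid that falls under "others", not only the unprivileged container root at host uid 100000 that the comment names, and because no sticky bit is set any of those users can delete or rename entries created by another. A named-user ACL for the mapped uid (for example `setfacl -m u:100000:rwx` with the matching `d:u:100000:rwx` default) would give the container the access it needs without making the mount point world-writable; the "harmless" wording in the comment should be adjusted either way. Separately, every command in the helper ends in `2>/dev/null || true` and `msg_ok` runs unconditionally, so the "o+rwx + default ACL" success message is shown even when `setfacl` is not installed or a call fails; track the results and report a warning instead in that case.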
@@ -621,6 +649,8 @@ mount_existing_disk() {
msg_ok "$(translate "Added to /etc/fstab")"
fi
_apply_lxc_bind_mount_perms "$mount_path"
DISK_PARTITION="$disk"
systemctl daemon-reload 2>/dev/null || true
return 0
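Review bot: The new `_apply_lxc_bind_mount_perms "$mount_path"` call in `mount_existing_disk` changes the mode and default ACL on the root of a filesystem that already exists and may hold data with permissions chosen on purpose, and the only gate is `MODE_FSTAB`. The commit message describes the equivalent step in lxc-mount-manager_minimal.sh as an offer (`lmm_offer_host_permissions`); on this path a confirmation prompt, or at least skipping the change when the directory is not the default root:root 0755, would avoid silently widening access to existing content. The helper's outcome is also ignored here, so the function returns 0 whether or not the permissions were applied.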