
fixuid's Issues

Change Mount Detection to read /proc/mounts instead of using Device IDs

Presently, fixuid prevents recursing into mounts by calling sys, ok := fileInfo.Sys().(*syscall.Stat_t) and reading the device ID from sys.Dev. If the device ID of the current file or directory is different from the device ID of the initially searched directory, the current file or directory is considered to be on a different mount and recursion into the mount is prevented.

I am now seeing a test failure on Travis CI: files are showing up with different device IDs than their parent directories, even though the files and directories reside on the same mount:
https://travis-ci.org/boxboat/fixuid/builds/327907254

Logging output says that all of the directories in the / mount are on device ID 41, but all of the files in the / mount are on device ID 2049.

I wondered if it was anything to do with the storage driver, so I set up Overlay2 backed by ext4 on my machine, and I could not recreate it. At this point, I am not sure what environmental difference Travis CI has to cause this.

It seems that it would be more reliable to detect what mount a file is part of by parsing /proc/mounts instead of relying on the device ID in the inode.

ID lacks trailing quote in some log messages

This is just cosmetic. There are two log messages (one for UID, one for GID) that present the ID with a leading (opening) single quote but no trailing (closing) single quote. I assume this is not intended.

logInfo("updating user '" + containerUser + "' to UID '" + runtimeUID)
logInfo("updating group '" + containerGroup + "' to GID '" + runtimeGID)

How to run fixuid without overriding base image entrypoint?

I'm trying to extend this Docker image, which has an ENTRYPOINT and CMD:

USER 1000

ENTRYPOINT ["/dockerstartup/vnc_startup.sh"]
CMD ["--wait"]

I have tried a few different ways of overriding it:

First, no fixuid entrypoint, but then fixuid doesn't do anything.

# Use a debian-based VNC Server image as base
FROM consol/debian-xfce-vnc

# Switch to root user to install additional software
USER 0

ARG DEBIAN_FRONTEND=noninteractive

# Install required packages
RUN apt-get update && \
    apt-get install -y curl sudo

# Create the user "vncuser" with ID 1000
RUN useradd -u 1000 -m -s /bin/bash vncuser

# Install fixuid
RUN curl -SsL https://github.com/boxboat/fixuid/releases/download/v0.5/fixuid-0.5-linux-amd64.tar.gz | tar -C /usr/local/bin -xzf - && \
    chown root:root /usr/local/bin/fixuid && \
    chmod 4755 /usr/local/bin/fixuid && \
    mkdir -p /etc/fixuid && \
    printf "user: vncuser\ngroup: vncuser\npath: /home/vncuser\n" > /etc/fixuid/config.yml

# Update and install Node.js
RUN curl -sL https://deb.nodesource.com/setup_lts.x | bash - && \
    apt-get install -y nodejs
    
# Switch to the vncuser
USER 1000

# Install Playwright
RUN npm init -y && \
    npm install playwright

I tried overriding the entrypoint by running fixuid as root, and the upstream entrypoint as the user 1000, but it didn't work:

# Switch back to root
USER 0

RUN echo "vncuser ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers

ENTRYPOINT ["sh", "-c", "fixuid && sudo -u vncuser /dockerstartup/vnc_startup.sh --wait"]
fixuid: fixuid should only ever be used on development systems. DO NOT USE IN PRODUCTION
fixuid: runtime UID '1000' already matches container user 'vncuser' UID
fixuid: runtime GID '1000' already matches container group 'vncuser' GID
/dockerstartup/vnc_startup.sh: line 60: /chrome-init.sh: No such file or directory

And I tried a lot of other small things as well. What would be the correct way of handling this?

fixuid does not handle errors from filepath.Walk

Hi! First, thanks for creating this eminently useful utility -- container bind mounts can be such a pain, and anything that makes dealing with mounts easier is most, most welcome.

I am hitting a fatal error when using fixuid as the entrypoint for a container that's based on the ruby:2.4 image. Here's an overview of my environment:

$ docker version
Client:
 Version:       17.12.0-ce
 API version:   1.35
 Go version:    go1.9.2
 Git commit:    c97c6d6
 Built: Wed Dec 27 20:10:14 2017
 OS/Arch:       linux/amd64

Server:
 Engine:
  Version:      17.12.0-ce
  API version:  1.35 (minimum version 1.12)
  Go version:   go1.9.2
  Git commit:   c97c6d6
  Built:        Wed Dec 27 20:12:46 2017
  OS/Arch:      linux/amd64
  Experimental: false
$ uname -a
Linux mydomain.com 3.10.0-693.11.1.el7.x86_64 #1 SMP Mon Dec 4 23:52:40 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

And here are the two Dockerfiles involved in the build:

FROM debian:jessie

ARG FIXUID_VERSION
ENV FIXUID_VERSION 0.2

ADD "https://github.com/boxboat/fixuid/releases/download/v${FIXUID_VERSION}/fixuid-${FIXUID_VERSION}-linux-amd64.tar.gz" /tmp/fixuid.tar.gz

RUN     tar -C /usr/local/bin -xvf /tmp/fixuid.tar.gz \
    &&  rm -f /tmp/fixuid.tar.gz \
    &&  chmod u+sx /usr/local/bin/fixuid

ENTRYPOINT ["/usr/local/bin/fixuid"]

FROM custom/fixuid:custom AS fixuid

FROM ruby:2.4

COPY --from=fixuid /usr/local/bin/fixuid /usr/local/bin/fixuid

# More stuff below

When I try to run a container based off of an image built from the second Dockerfile, I get a stack trace:

$ docker run --rm -it -u 1002:100 custom/ruby:2.4 bash
fixuid: fixuid should only ever be used on development systems. DO NOT USE IN PRODUCT
fixuid: updating user 'auser' to UID '1002
fixuid: runtime GID '100' matches existing group 'agroup'; not changing GID
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x48 pc=0x522b30]

goroutine 1 [running]:
main.main.func1(0xc4201074c0, 0x18, 0x0, 0x0, 0x613600, 0xc420080ba0, 0x0, 0x0)
        /home/caleb/go/src/github.com/boxboat/fixuid/fixuid.go:185 +0x60
path/filepath.walk(0xc420102515, 0x9, 0x614a80, 0xc42011c750, 0xc420016ba0, 0x0, 0x0)
        /usr/local/go/src/path/filepath/path.go:377 +0x2eb
path/filepath.walk(0xc420015850, 0x4, 0x614a80, 0xc4200f2750, 0xc420016ba0, 0x0, 0x0)
        /usr/local/go/src/path/filepath/path.go:381 +0x39a
path/filepath.walk(0x569e59, 0x1, 0x614a80, 0xc4200828f0, 0xc420016ba0, 0x0, 0x30)
        /usr/local/go/src/path/filepath/path.go:381 +0x39a
path/filepath.Walk(0x569e59, 0x1, 0xc420016ba0, 0xc420082820, 0x0)
        /usr/local/go/src/path/filepath/path.go:403 +0x11d
main.main()
        /home/caleb/go/src/github.com/boxboat/fixuid/fixuid.go:215 +0x1349

This seems to result from the fact that fixuid does not (explicitly) handle errors passed to the filepath.WalkFunc by filepath.Walk. I compiled a patched version of fixuid with the following change:

// this function is called for every file visited
visit := func(filePath string, fileInfo os.FileInfo, err error) error {
    // bail out on walk error
    if err != nil {
        logger.Fatalln(err)
    }

When I rebuild the two Docker images using this patched fixuid, I instead get the following error:

docker run --rm -it -u 1002:100 custom/ruby:2.4 bash
fixuid: fixuid should only ever be used on development systems. DO NOT USE IN PRODUCTION
fixuid: updating user 'auser' to UID '1002
fixuid: updating group 'agroup' to GID '1010
fixuid: lstat /etc/dpkg/shlibs.default: no such file or directory

And, indeed:

docker run --entrypoint '' --rm -it -u 1002:100 custom/ruby:2.4 ls -l /etc/dpkg
ls: cannot access /etc/dpkg/shlibs.default: No such file or directory
ls: cannot access /etc/dpkg/shlibs.override: No such file or directory
total 4
-rw-r--r-- 1 root root 446 Nov 28  2014 dpkg.cfg
drwxr-xr-x 2 root root  31 Dec 10 00:00 dpkg.cfg.d
drwxr-xr-x 2 root root  33 Dec 10 00:00 origins
?????????? ? ?    ?      ?            ? shlibs.default
?????????? ? ?    ?      ?            ? shlibs.override

I'm not quite sure what the deal is with the ruby:2.4 image (shlibs.default and shlibs.override have the same weird ls output in both custom/ruby:2.4 and the upstream ruby:2.4), but in any case it would be great if fixuid could handle errors like missing files that nonetheless "show up" (?) when walking the filesystem hierarchy. I'm not a Gopher, but I'd be happy to submit a PR if I can get an idea of what fixuid should do (log and bail out? blithely ignore?) in scenarios like the one I've described.

Thanks very much!

Add ability to update internal group ids

I have a problem with my current use of fixuid, in that the docker socket I'm binding from the host has a different gid than the internal docker group. Consequently, adding the internal user to the "docker" group has no effect.

It'd be awesome if internal group gids could be remapped to account for this by either:

  • Specifying an environment variable:

    docker run -dt -u 123:123 -e FIXGID_DOCKER=984 ...

  • Testing specific paths defined in the config:

    ...
    groups:
      docker: /var/run/docker.sock

[feature request]: progress indicator

fixuid can sometimes be rather slow, leaving the user wondering what's wrong; often they will then try to cancel the command. Can we have some sort of indicator to let the user know that permissions are being changed in the container?

WSL2 went wrong with fixuid?

In WSL2, if the Dockerfile has fixuid (which is tested OK on another Ubuntu PC), it shows the error:
standard_init_linux.go:228: exec user process caused: no such file or directory

Could you help to check this?

Rename username to $USER environment variable

Hello,
I maintain an application which uses Docker images for build and testing separation. It invokes docker run with the --user option to run with the calling user's UID and GID credentials. So far it looks like fixuid is a good fix for that. But it is also passing -e "USER=$($USER)" on the docker run, so inside the container echo "$USER" and whoami differ. (And then $HOME, of course.) As I discovered that fixuid does not rename the user, at least not out of the box, I wanted to ask: can fixuid somehow do it? Or what would be the best place to hack it in? The fixuid entrypoint?

Thanks.

Allow Specifying Paths to Search

Right now, fixuid starts at the root of the filesystem / and walks the directory tree. It does not recurse into mounts on other devices to avoid recursing into a host-mounted filesystem. There are 2 issues with this approach:

  1. Searching every file/folder on the root filesystem can take a while, especially if there are a lot of files. Usually this isn't that big of an issue because we are dealing with Docker containers, which generally have minimal filesystems to start. Users should still be able to specify just the paths that they want searched to speed things up and avoid unnecessary recursion.

  2. Sometimes users want fixuid to run on mounts on different devices. For example, a Docker Volume at /home/docker/.cache will show up as a mount on a different device from the root filesystem, but a user may still want fixuid to run there.

The solution I am proposing is allowing the user to specify paths to search. This will be added through a new key in the /etc/fixuid/config.yml file called paths, which will be an array of strings.

user: docker
group: docker
paths:
  - /home/docker
  - /home/docker/.cache

If the paths key is not defined, it will default to the same behavior as today:

paths:
  - /

Volumes mounted on different devices that fixuid should run on should always be listed in the paths key, for example:

paths:
  - /
  - /home/docker/.cache
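The first issue on this page proposes replacing device-ID comparison with /proc/mounts parsing, and the paths proposal just above adds the second half of the rule: a walk of / must stop at a volume's mount point, while a volume listed in paths is walked from its own mount point. The following Go program is an added example, not fixuid's own code, showing how those two pieces fit together. The /proc/mounts excerpt, the mount points and the configured paths are constructed for the example, and the function names (parseMountPoints, mountpointFor, shouldDescend) are mine rather than fixuid's.

```go
package main

import (
	"bufio"
	"fmt"
	"path/filepath"
	"sort"
	"strconv"
	"strings"
)

// procMountsSample is a constructed /proc/mounts excerpt (not captured from a real
// container): an overlay root, a bind-mounted source tree, a named volume, a
// bind-mounted file and the usual pseudo-filesystems.
const procMountsSample = `overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/A:/var/lib/docker/overlay2/l/B 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,size=65536k,mode=755 0 0
/dev/sda1 /home/docker/src ext4 rw,relatime 0 0
/dev/sda1 /home/docker/.cache ext4 rw,relatime 0 0
/dev/sda1 /etc/hosts ext4 rw,relatime 0 0
`

// unescapeMount decodes the \ooo octal escapes that /proc/mounts uses for
// spaces, tabs, newlines and backslashes inside mount point names.
func unescapeMount(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if s[i] == '\\' && i+3 < len(s) {
			if v, err := strconv.ParseUint(s[i+1:i+4], 8, 8); err == nil {
				b.WriteByte(byte(v))
				i += 3
				continue
			}
		}
		b.WriteByte(s[i])
	}
	return b.String()
}

// parseMountPoints returns the mount points listed in /proc/mounts content,
// longest first, so the first prefix match found for a path is the deepest mount.
func parseMountPoints(content string) ([]string, error) {
	var mounts []string
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 {
			continue // blank or malformed line; real entries have six fields
		}
		mounts = append(mounts, filepath.Clean(unescapeMount(fields[1])))
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	sort.SliceStable(mounts, func(i, j int) bool { return len(mounts[i]) > len(mounts[j]) })
	return mounts, nil
}

// mountpointFor returns the mount point containing path, matching only on whole
// path components so that /home/docker/src does not claim /home/docker/srcfoo.
func mountpointFor(path string, mounts []string) string {
	path = filepath.Clean(path)
	for _, mp := range mounts {
		if mp == "/" || path == mp || strings.HasPrefix(path, mp+"/") {
			return mp
		}
	}
	return "/" // every absolute path lives under the root mount
}

// shouldDescend is the walk-time check: a directory is entered only while it is
// on the same mount as the configured start path, so a walk of / stops at
// /home/docker/.cache, while a walk started inside that volume continues.
func shouldDescend(dir, startMount string, mounts []string) bool {
	return mountpointFor(dir, mounts) == startMount
}

func main() {
	mounts, err := parseMountPoints(procMountsSample)
	if err != nil {
		panic(err)
	}
	// The two entries from the proposed config.yml: / plus the named volume.
	for _, start := range []string{"/", "/home/docker/.cache"} {
		startMount := mountpointFor(start, mounts)
		for _, dir := range []string{"/usr/bin", "/proc", "/home/docker/src", "/home/docker/.cache/pip"} {
			fmt.Printf("start=%-20s dir=%-24s descend=%v\n", start, dir, shouldDescend(dir, startMount, mounts))
		}
	}
}
```

Reading the real /proc/mounts instead of the constant is a one-line change; the rest is unchanged. Sorting longest-first matters because mount points nest, and matching on whole components prevents a sibling directory with a longer name from being mistaken for a mount.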

Correct owner not set on mounted volumes if the runtime UID is the same as the container UID

If you define a Docker container user, which results in UID 1000 for instance, and you also run the container with UID 1000, the fixuid binary will say that the UID matches and that it didn't need to do anything (fixuid/fixuid.go, lines 141 to 142 in 543e124):

if existingUser == containerUser {
    logInfo("runtime UID '" + runtimeUID + "' already matches container user '" + containerUser + "' UID")

Let's say now that I also mounted a named volume to this container on /my-volume and configured fixuid to fix that path in its config file.
Docker Compose will create the volume, set the ownership to root and mount the volume on /my-volume.

As the Go variable needChown will stay false, the code near fixuid/fixuid.go, lines 187 to 199 in 543e124:

if needChown {
    // process /proc/mounts
    mounts, err := parseProcMounts()
    if err != nil {
        logger.Fatalln(err)
    }
    // store the current mountpoint
    var mountpoint string
    // this function is called for every file visited
    visit := func(filePath string, fileInfo os.FileInfo, err error) error {

will not be executed, and /my-volume will not be owned by user 1000 but by root (UID 0).

How can this be circumvented?

Group does not change (UID & GID from 1000 to 1001)

I have created a user 1000 and a group 1000 in a Dockerfile. The Dockerfile is built and is ready to be downloaded.

If one host user with ID 1001 starts the Docker image, then the system data (/etc/passwd && /etc/group) must be adapted.

At the end, the files have to be changed by the user using chown.

This works fine for the user, but not for the group.

Dockerfile:

ENV APPLICATION_UID=1000 \
    APPLICATION_USER=application \
    APPLICATION_GID=1000 \
    APPLICATION_GROUP=application

RUN curl -SsL https://github.com/boxboat/fixuid/releases/download/v0.5/fixuid-0.5-linux-amd64.tar.gz | tar -C /usr/local/bin -xzf - && \
    chown root:root /usr/local/bin/fixuid && \
    chmod 4755 /usr/local/bin/fixuid && \
    mkdir -p /etc/fixuid && \
    printf "user: ${APPLICATION_USER}\ngroup: ${APPLICATION_GROUP}\n" > /etc/fixuid/config.yml && \
    printf "user: ${APPLICATION_USER}\ngroup: ${APPLICATION_GROUP}\npaths:\n - /home/${APPLICATION_USER}\n - /home/${APPLICATION_USER}/.composer/cache\n - /tmp\n" > /etc/fixuid/config.yml

Docker image start:

# APPLICATION_UID=1001
# APPLICATION_GID=1001

# Change group id from 1000 to 1001
if ! getent group ${APPLICATION_GID} >/dev/null 2>&1; then
    groupmod -g ${APPLICATION_GID} application
fi

# Change user id from 1000 to 1001
if ! getent passwd ${APPLICATION_UID} >/dev/null 2>&1; then
    usermod -u ${APPLICATION_UID} application
fi

# Fix uid
eval $( fixuid -q )

Hints:

$ cat /etc/fixuid/config.yml
user: application
group: application
paths:
 - /home/application
 - /home/application/.composer/cache
 - /tmp

$ ls -l /home/application
drwxr-xr-x 1 application        1000 .
# drwxr-xr-x 1 root        root        ..              (good)
-rw-r--r-- 1 application        1000 .bash_logout
-rw-r--r-- 1 application        1000 .bashrc
drwxr-xr-x 1 application        1000 .composer
#-rw-rw-r-- 1 application application .gitconfig       (good: mounted from 1001)
drwxr-xr-x 1 application        1000 .oh-my-zsh
-rw-r--r-- 1 application        1000 .profile
-rw-r--r-- 1 application        1000 .shell-methods.sh
#drwx------ 2 application application .ssh              (good: mounted from 1001)
-rw-r--r-- 1 application        1000 .vimrc
#-rw------- 1 application application .zsh_history      (good: new created after login)
-rw-r--r-- 1 application        1000 .zshrc

$ id
uid=1001(application) gid=1001(application) groups=1001(application),27(sudo)

$ grep 'application' /etc/passwd
application:x:1001:1001::/home/application:/bin/bash

$ grep 'application' /etc/group
#sudo:x:27:application (good: not necessary)
application:x:1001:

Test it to reproduce (for example in a virtual machine):

git clone https://github.com/Cyb10101/php-dev.git
cd php-dev
git checkout cyb-fixuid

printf "APPLICATION_UID=1001\nAPPLICATION_GID=1001" > .env
mkdir app
touch app/test.html

vim docker-compose.yml
docker network create global
docker-compose down --remove-orphans && docker-compose build && docker-compose up -d && docker-compose logs -f
# Wait after: web_1   | -> Executing /opt/docker/provision/entrypoint.d/00-cyb-set-user-and-group-id.sh

docker-compose exec web bash
ls -la /home/application

Add docker-compose.yml:

version: '3.5'

services:
  web:
    build: .
    user: ${APPLICATION_UID:-1000}:${APPLICATION_GID:-1000}
    volumes:
      - ./app:/app
      - /var/run/docker.sock:/var/run/docker.sock:ro

    environment:
      - APPLICATION_UID=${APPLICATION_UID:-1000}
      - APPLICATION_GID=${APPLICATION_GID:-1000}
    working_dir: /app

networks:
  default:
    external:
      name: global

Problem with symbolic links

Currently I can use this tool successfully with "normal" files and directories. But symbolic links created with ln -s src dest are not "fixed" although the user is correct on that link source.
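Two of the reports above, the nil pointer dereference when filepath.Walk hands the callback an error together with a nil os.FileInfo, and symbolic links not being fixed, both come down to how the WalkFunc is written. This Go program is an added example and not fixuid's code: it checks err before touching info, logs and skips unreadable entries instead of aborting the whole run, and relies on the Lstat data Walk already supplies so that a symlink's own owner is the one examined (changing it needs os.Lchown, because os.Chown follows the link to its target). It assumes, as a simplification of mine, that an entry qualifies when its uid or gid equals the old container id, and it only plans the chown (a dry run) so it can be run unprivileged.

```go
package main

import (
	"fmt"
	"log"
	"os"
	"path/filepath"
	"syscall"
)

// walkResult collects what a tolerant walk would change and what it skipped.
type walkResult struct {
	Changed []string // entries still carrying the old id that would be chowned
	Errors  []error  // walk errors that were logged and skipped rather than fatal
}

// newVisit returns a filepath.WalkFunc that, unlike the closure in the report,
// checks err before touching info: when Lstat of an entry fails, Walk passes a
// nil os.FileInfo, and reading info.Sys() there is the nil pointer dereference
// from the stack trace. Because Walk uses Lstat, info describes a symlink itself
// rather than its target, so the link's own owner is what gets compared.
func newVisit(oldUID, oldGID uint32, res *walkResult) filepath.WalkFunc {
	return func(path string, info os.FileInfo, err error) error {
		if err != nil {
			res.Errors = append(res.Errors, fmt.Errorf("%s: %w", path, err))
			if info != nil && info.IsDir() {
				return filepath.SkipDir // directory could not be read; skip its subtree
			}
			return nil // single unreadable entry; keep walking the rest
		}
		st, ok := info.Sys().(*syscall.Stat_t)
		if !ok {
			return nil // no unix stat data; nothing to compare
		}
		// Simplifying assumption for this example: an entry qualifies when either
		// its uid or its gid still carries the old container id.
		if st.Uid == oldUID || st.Gid == oldGID {
			res.Changed = append(res.Changed, path)
		}
		return nil
	}
}

// dryRun walks root and reports what would be chowned without changing anything.
func dryRun(root string, oldUID, oldGID uint32) (*walkResult, error) {
	res := &walkResult{}
	if err := filepath.Walk(root, newVisit(oldUID, oldGID, res)); err != nil {
		return nil, err
	}
	return res, nil
}

// fixOwner is the action a real run would take for each Changed path. os.Lchown
// changes the owner of the symlink itself; os.Chown would follow the link and
// alter its target instead, which is how a link ends up looking "not fixed".
func fixOwner(path string, newUID, newGID int) error {
	return os.Lchown(path, newUID, newGID)
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	res, err := dryRun(root, uint32(os.Getuid()), uint32(os.Getgid()))
	if err != nil {
		log.Fatalln(err)
	}
	for _, e := range res.Errors {
		log.Println("skipped:", e)
	}
	fmt.Printf("%d entries would be chowned, %d skipped\n", len(res.Changed), len(res.Errors))
}
```

Run it as `go run . /some/dir` to see which entries under a directory still carry your own uid or gid; swap the dry-run append for fixOwner to make it act. Whether to skip or abort on a walk error is the policy question the report asks; skipping with a log line keeps one odd entry (such as the unreadable shlibs.default) from preventing every other file in the tree from being fixed.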

[Feature Request] Allow user to specify number of processes?

First off: thank you for writing and publishing fixuid — it solves a problem I've been having with development Docker containers for a while now!

I've been trying to use it for a development image I maintain, but I'm struggling with the startup time. The user I create in the Dockerfile has (unfortunately) many files in their home directory. This is mostly due to installing package managers (in this case, miniconda) with a few default environments pre-packaged. As such, fixuid takes ~9.5 minutes to do its thing on the user's home directory (i.e., if the user's name is wally, under /home/wally).

I know from #31 that we can set paths in the configuration to the specific paths that we'd like fixuid to scan. That might work, but I think ultimately I would want to run fixuid over the wally user's working directory. In the vein of that issue's request for a progress bar, I was also wondering what considerations the library has about manually setting the number of max processes via https://github.com/boxboat/fixuid/blob/master/fixuid.go#L28. I can imagine that part of it is a security mitigation, since the script requires elevated permissions to run. Is part of the decision also related to the idempotency of the chown command?

I've been meaning to build something in Rust for a while, and if adding support for multi-core/parallel processes is cumbersome, I'd be happy to give it a shot. Let me know!

Merge fixdockergid with fixuid

I made fixdockergid to prove that #19 is a valid use case.

However, it would be so cool to have this functionality in fixuid instead, so we would not have to deal with this twice. fixdockergid depends on fixuid being installed.

This problem happens when you mount the docker.sock from the host machine on the container, and you try to access it using a non-root user. Then, the docker group id on the host can mismatch with the docker group id from the container, thus causing the non-root users to receive permission denied errors when trying to run docker commands. Microsoft solved it by using socat: https://github.com/microsoft/vscode-dev-containers/tree/master/containers/docker-from-docker#enabling-non-root-access-to-docker-in-the-container

But I consider this approach much better, less intrusive, and less expensive.
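Both proposals in "Add ability to update internal group ids" above (an environment variable such as FIXGID_DOCKER=984, or reading the gid from a path such as /var/run/docker.sock) and the fixdockergid merge request need the same pieces: look up the container group's gid, find the host gid, refuse a collision with a group that already owns that gid, and rewrite the /etc/group entry. The following Go program is an added example and not fixuid's or fixdockergid's code; the /etc/group excerpt is constructed, and the function names are mine. It returns the rewritten text instead of writing /etc/group, so it runs unprivileged.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
	"syscall"
)

// groupFileSample is a constructed /etc/group excerpt: the container's docker
// group was created with gid 999, which need not match the host's docker gid.
const groupFileSample = `root:x:0:
sudo:x:27:docker
docker:x:999:docker
`

// lookupGroupID returns the numeric gid of name in /etc/group content.
func lookupGroupID(groupFile, name string) (int, bool) {
	for _, line := range strings.Split(groupFile, "\n") {
		f := strings.Split(line, ":")
		if len(f) >= 3 && f[0] == name {
			if gid, err := strconv.Atoi(f[2]); err == nil {
				return gid, true
			}
		}
	}
	return 0, false
}

// gidInUse reports which group, if any, already has the gid.
func gidInUse(groupFile string, gid int) (string, bool) {
	for _, line := range strings.Split(groupFile, "\n") {
		f := strings.Split(line, ":")
		if len(f) >= 3 && f[2] == strconv.Itoa(gid) {
			return f[0], true
		}
	}
	return "", false
}

// rewriteGroupGID returns the group file content with name's gid replaced;
// member lists and every other line are left untouched.
func rewriteGroupGID(groupFile, name string, newGID int) string {
	lines := strings.Split(groupFile, "\n")
	for i, line := range lines {
		f := strings.Split(line, ":")
		if len(f) >= 3 && f[0] == name {
			f[2] = strconv.Itoa(newGID)
			lines[i] = strings.Join(f, ":")
		}
	}
	return strings.Join(lines, "\n")
}

// gidFromEnv implements the first proposal: FIXGID_<GROUP>=<gid> in the environment.
func gidFromEnv(env []string, group string) (int, bool) {
	key := "FIXGID_" + strings.ToUpper(group) + "="
	for _, kv := range env {
		if strings.HasPrefix(kv, key) {
			if gid, err := strconv.Atoi(kv[len(key):]); err == nil {
				return gid, true
			}
		}
	}
	return 0, false
}

// gidOfPath implements the second proposal: take the gid that the bind-mounted
// path (for example /var/run/docker.sock) carries from the host.
func gidOfPath(path string) (int, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return 0, fmt.Errorf("%s: no unix stat data", path)
	}
	return int(st.Gid), nil
}

// planRemap returns the group file as it would look after moving group to
// newGID, refusing when newGID already belongs to a different group.
func planRemap(groupFile, group string, newGID int) (string, error) {
	oldGID, ok := lookupGroupID(groupFile, group)
	if !ok {
		return "", fmt.Errorf("group %q not found", group)
	}
	if oldGID == newGID {
		return groupFile, nil // nothing to do
	}
	if other, used := gidInUse(groupFile, newGID); used {
		return "", fmt.Errorf("gid %d already used by group %q", newGID, other)
	}
	return rewriteGroupGID(groupFile, group, newGID), nil
}

func main() {
	// Option 1: the environment variable from the issue.
	if gid, ok := gidFromEnv(os.Environ(), "docker"); ok {
		fmt.Println("FIXGID_DOCKER requests gid", gid)
	}
	// Option 2: the gid of the mounted socket (path as given in the issue).
	gid, err := gidOfPath("/var/run/docker.sock")
	if err != nil {
		fmt.Println("no docker socket to inspect:", err)
		return
	}
	out, err := planRemap(groupFileSample, "docker", gid)
	if err != nil {
		fmt.Println("cannot remap:", err)
		return
	}
	fmt.Print(out)
}
```

The collision check is the part worth keeping in any real implementation: moving the docker group onto a gid that another container group already uses would silently hand that group's files to docker's members.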

Is it possible to send user:group as a command line parameter ?

My entrypoint is something like below. How can I pass the user:group value to fixuid, instead of from docker-compose.yml or docker run? The reason I want this is that I am trying to get the user id from a mounted file in the entrypoint script.

HOST_CURRENT_USER_ID=$(stat -c "%u" /var/www/.gitkeep)
if [ "$HOST_CURRENT_USER_ID" -ne 0 ]; then
    eval $( fixuid user:group )
fi

Doesn't work for named volumes

Hello, it seems that when I mount a volume via the filesystem it properly sets perms; however, when it is a named volume it doesn't. See below that /var/lib/whoosh is still owned by 1000:1000.

Thanks!

    volumes:
      - .:/usr/src/app
      - core-woosh:/var/lib/whoosh
    stdin_open: true
    tty: true

volumes:
  core-postgres-volume:
  core-woosh:

appuser@555c1718485c:/var/lib$ ls -alh | grep whoosh
drwxr-xr-x.  2 1000 1000    6 Mar 15 17:53 whoosh
appuser@555c1718485c:~$ ls -alh | head -n 2
total 132K
drwxrwxr-x. 16 appuser appuser 4.0K Mar 15 17:58 .

fixuid must be owned by user 'root' and include the setuid bit

I am unable to run fixuid with a simple Dockerfile:

FROM alpine:latest

RUN addgroup -g 1000 docker && \
    adduser -u 1000 -G docker -h /home/docker -s /bin/sh -D docker

RUN apk update && \
    apk add ca-certificates wget && \
    update-ca-certificates

RUN USER=docker && \
    GROUP=docker && \
    wget -qO- https://github.com/boxboat/fixuid/releases/download/v0.3/fixuid-0.3-linux-amd64.tar.gz | tar -C /usr/local/bin -xzf - && \
    chown root:root /usr/local/bin/fixuid && \
    chmod 4755 /usr/local/bin/fixuid && \
    mkdir -p /etc/fixuid && \
    printf "user: $USER\ngroup: $GROUP\n" > /etc/fixuid/config.yml

USER docker:docker
ENTRYPOINT ["fixuid"]

Result:

$ docker build -t test-fixuid .
$ docker run -it test-fixuid
fixuid: fixuid should only ever be used on development systems. DO NOT USE IN PRODUCTION
fixuid: fixuid must be owned by user 'root' and include the setuid bit 'chmod u+s /path/to/fixuid'

I checked it with $ docker run -it --entrypoint sh test-fixuid and it looks good:

/ $ cd /usr/local/bin/
/usr/local/bin $ ls -al
total 3616
drwxr-xr-x    1 root     root            12 Mar 17 23:13 .
drwxr-xr-x    1 root     root            22 Jan  9 19:37 ..
-rwsr-xr-x    1 root     root       3699694 Jan 15 16:08 fixuid

Am I doing something wrong?

how to implement in postgresql?

Hi, I'm trying to implement this in a custom Postgres image.

Dockerfile

FROM postgres:latest
RUN addgroup --gid 1000 docker && \
    adduser --uid 1000 --ingroup docker --home /home/docker --shell /bin/sh --disabled-password --gecos "" docker

RUN USER=docker && GROUP=docker && \
    apt-get update -y && \
    apt-get install curl -y && \
    apt-get clean -y && \
    curl -SsL https://github.com/boxboat/fixuid/releases/download/v0.4/fixuid-0.4-linux-amd64.tar.gz | tar -C /usr/local/bin -xzf - && \
    chown root:root /usr/local/bin/fixuid && \
    chmod 4755 /usr/local/bin/fixuid && \
    mkdir -p /etc/fixuid && \
    printf "user: $USER\ngroup: $GROUP\n" > /etc/fixuid/config.yml
ENTRYPOINT ["fixuid"]

RUN localedef -i de_DE -c -f UTF-8 -A /usr/share/locale/locale.alias de_DE.UTF-8
ENV LANG de_DE.utf8
USER docker:docker

docker-compose.yml

 postgres:
    build:
      ./pgsql
    restart: always
    container_name: postgres
    user: "${PUID}:${PGID}"
    hostname: pgsql-01
    ports:
      - 5432:5432
    environment:
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
      - POSTGRES_DB=${POSTGRES_DB}
    volumes:
      - ./database/data:/var/lib/postgresql/data
      - ./database/conf:/config

When I do docker-compose up docker-compose.yml it seems to just repeatedly execute fixuid but postgres never starts. This is just a wild guess, but maybe this fails because I override the entrypoint of the postgres image?

In the official docs for postgres docker I found that extending the image works by writing a simple Dockerfile like so:

FROM postgres:9.4
RUN localedef -i de_DE -c -f UTF-8 -A /usr/share/locale/locale.alias de_DE.UTF-8
ENV LANG de_DE.utf8

That works just fine.

Is it possible to make fixuid "silent"

Hello guys.

It looks like fixuid is writing its output to stderr:

$ fixuid > /dev/null
fixuid: fixuid should only ever be used on development systems. DO NOT USE IN PRODUCTION
fixuid: updating user 'docker' to UID '1000
fixuid: updating group 'docker' to GID '1000
fixuid: recursively searching path /
fixuid: chown /home/docker
fixuid: chown /home/docker/.bash_logout
fixuid: chown /home/docker/.bashrc
fixuid: chown /home/docker/.profile

Can you add some parameter to make fixuid run silently (like: --quiet or -q) ?

Thank you

Some files & folders are not chowned

Hi,
Thanks a lot for this great tool, which enabled me to remove some dirty hacks to chown/chmod files at run time.

I still have one issue as some files and folders inside my user home are not being chowned by fixuid.
I tried to add some more debug output via logger.Println in the Go source, but I was unable to build it ;( (I'm not a Go expert)

Here is the relevant content of my Dockerfile:

RUN addgroup --gid 1000 site && \
    adduser --uid 1000 --ingroup site --home /home/site --shell /bin/bash --disabled-password --gecos "" site && \
    sed -i '$ a site ALL=(ALL:ALL) NOPASSWD: ALL' /etc/sudoers

RUN curl -s -o /home/site/.git-completion.bash https://raw.githubusercontent.com/git/git/master/contrib/completion/git-completion.bash && \
    curl -s -o /home/site/.git-prompt.sh -OL https://github.com/git/git/raw/master/contrib/completion/git-prompt.sh && \
    cp /etc/skel/.* /home/site/; \
    cat /tmp/profile/.bashrc_append >> /home/site/.bashrc && \
    cat /tmp/profile/.vimrc_append >> /home/site/.vimrc && \
    cp /tmp/profile/.gitconfig /home/site/ && \
    mkdir -p /home/site/.composer && \
    mkdir -p /home/site/.ssh && \
    chown -R site:site /home/site/ && \
    find /tmp/ -maxdepth 1 -type f -name '.*' -delete

USER site:site
CMD ["/run/bootstrap.sh"]

fixuid is executed in my bootstrap.sh script with:

eval $( fixuid )

User & group ids are specified in my compose.yml file:

user: ${DEV_UID:-1000}:${DEV_GID:-1000}

DEV_UID & DEV_GID are set in a .env file

At startup, fixuid chowns some files:

fixuid: updating user 'site' to UID '1001
fixuid: updating group 'site' to GID '1001
fixuid: chown /home
fixuid: chown /home/site
fixuid: chown /home/site/.bash_logout
fixuid: chown /home/site/.bashrc
fixuid: chown /home/site/.composer
fixuid: chown /home/site/.git-completion.bash
fixuid: chown /home/site/.git-prompt.sh

But, after entering the container, I still have some files/folder not being chowned in user home folder, with 1000:1000 perms:

-rw-r--r-- 1 site site 220 oct. 7 10:18 .bash_logout
-rw-r--r-- 1 site site 11K oct. 7 10:18 .bashrc
drwxr-xr-x 2 site site 6 oct. 7 10:18 .composer
-rw-r--r-- 1 site site 70K oct. 7 10:18 .git-completion.bash
-rwxrwxrwx 1 site site 342 mars 6 2017 .gitconfig
-rw-r--r-- 1 site site 16K oct. 7 10:18 .git-prompt.sh
-rw-r--r-- 1 1000 1000 675 oct. 7 10:18 .profile
drwxr-xr-x 2 1000 1000 6 oct. 7 10:18 .ssh
-rw-r--r-- 1 1000 1000 601 oct. 7 10:18 .vimrc

Any help would be appreciated.

Thanks

Doesn't properly work with multiple users inside container?

There are two users in the Docker container:

  1. dockeralice:dockeralice (1000:1000)
  2. dockerbob:dockerbob (1001:1001)

We specify in the Dockerfile:

USER dockeralice:dockeralice
ENTRYPOINT ["fixuid"]

We add /etc/fixuid/config.yml to container:

user: dockeralice
group: dockeralice

Now, when alice:alice (1000:1000) from host runs this image with -u 1000:1000 then everything is fine.

However, if bob:bob (1001:1001) from host runs this image with -u 1001:0001, he will become a dockerbob inside container instead of dockeralice because his uid=1001 matched dockerbob's uid=1001.

Is there any way for bob to become a dockeralice inside container with such setup?

So, the problem is that in such case when host user UID accidentally clashes with UID inside container, both USER from dockerfile and user from /etc/fixuid/config.yml are totally ignored.

fixuid: permission denied

I started getting the error fixuid: permission denied after I moved the working folder to another partition. It turns out I had that partition mounted with the users option, which in the background adds these options: nosuid,nodev,noexec. nosuid is of significance here, as it prevents fixuid from working.

After I've removed the users option from /etc/fstab and remounted, fixuid started working again.
