boxboat / fixuid
Go binary to change Docker container user/group and file permissions at runtime
License: MIT License
Presently, fixuid prevents recursing into mounts by calling sys, ok := fileInfo.Sys().(*syscall.Stat_t) and reading the device ID from sys.Dev. If the Device ID of a current file or directory is different than the Device ID of the initially searched directory, the current file or directory is considered to be on a different mount and recursion into the mount is prevented.
I am now seeing a test failure on TravisCI: files are showing up with different Device IDs than their parent directories, even though the files and directories reside on the same mount:
https://travis-ci.org/boxboat/fixuid/builds/327907254
Logging output says that all of the directories in the / mount are on Device ID 41, but all of the files in the / mount are on Device ID 2049.
I wondered if it was anything to do with the storage driver, so I set up Overlay2 backed by EXT4 on my machine, and I could not recreate it. At this point, I am not sure what environmental difference Travis CI has to cause this.
It seems that it would be more reliable to detect what mount a file is part of by parsing /proc/mounts instead of relying on the Device ID in the inode.
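The /proc/mounts approach proposed above, as an added example that is not fixuid's own code: parse the mount table into mount points (decoding the kernel's octal escapes such as \040 for a space), then resolve a path to its mount by longest-prefix match, so two paths are on the same mount exactly when they resolve to the same mount point. The sampleMounts table is constructed, not taken from the Travis build, and the function names are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"path/filepath"
	"strconv"
	"strings"
)

// sampleMounts is a constructed /proc/mounts excerpt (not the Travis build's table).
// Field order per line: device mountpoint fstype options dump pass.
const sampleMounts = `overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/A:/var/lib/docker/overlay2/l/B 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,size=65536k,mode=755 0 0
/dev/sda1 /etc/hosts ext4 rw,relatime 0 0
/dev/sda1 /home/docker/.cache ext4 rw,relatime 0 0
`

// unescapeMountPath decodes the \ooo octal escapes the kernel emits for
// space, tab, newline and backslash inside mount paths (e.g. \040 for a space).
func unescapeMountPath(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if s[i] == '\\' && i+3 < len(s) {
			if v, err := strconv.ParseUint(s[i+1:i+4], 8, 8); err == nil {
				b.WriteByte(byte(v))
				i += 3
				continue
			}
		}
		b.WriteByte(s[i])
	}
	return b.String()
}

// parseMounts returns every mount point listed in /proc/mounts content.
func parseMounts(content string) ([]string, error) {
	var points []string
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 {
			continue // blank or malformed line
		}
		points = append(points, unescapeMountPath(fields[1]))
	}
	return points, sc.Err()
}

// mountPointOf returns the mount point that path resides on: the longest
// listed mount point that is path itself or one of its ancestors. "/" is
// the fallback, so the function also works when the root line is absent.
func mountPointOf(points []string, path string) string {
	path = filepath.Clean(path)
	best := "/"
	for _, mp := range points {
		if mp == "/" {
			continue
		}
		if (path == mp || strings.HasPrefix(path, mp+"/")) && len(mp) > len(best) {
			best = mp
		}
	}
	return best
}

// sameMount reports whether a and b live on the same mount according to the
// mount table; this is the decision fixuid currently makes by comparing st_dev.
func sameMount(points []string, a, b string) bool {
	return mountPointOf(points, a) == mountPointOf(points, b)
}

func main() {
	points, err := parseMounts(sampleMounts)
	if err != nil {
		panic(err)
	}
	for _, p := range []string{"/etc/passwd", "/etc/hosts", "/home/docker/.bashrc", "/home/docker/.cache/pip"} {
		fmt.Printf("%-26s mount=%-20s same mount as /: %v\n", p, mountPointOf(points, p), sameMount(points, "/", p))
	}
}
```

In a real run the table would be read from /proc/self/mounts at startup instead of the constant. Matching on mp + "/" rather than a bare prefix keeps /home/docker/.cacheX from being treated as part of the /home/docker/.cache mount.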
This is just cosmetic. There are two log messages (one for UID, one for GID) that present the ID with a leading (opening) single quote but no trailing (closing) single quote. I assume this is not intended.
logInfo("updating user '" + containerUser + "' to UID '" + runtimeUID)
logInfo("updating group '" + containerGroup + "' to GID '" + runtimeGID)
I'm trying to extend this Docker image that has an ENTRYPOINT and CMD:
USER 1000
ENTRYPOINT ["/dockerstartup/vnc_startup.sh"]
CMD ["--wait"]
I have tried a few different ways of overriding it:
First, no fixuid entrypoint, but then fixuid doesn't do anything.
# Use a debian-based VNC Server image as base
FROM consol/debian-xfce-vnc
# Switch to root user to install additional software
USER 0
ARG DEBIAN_FRONTEND=noninteractive
# Install required packages
RUN apt-get update && \
apt-get install -y curl sudo
# Create the user "vncuser" with ID 1000
RUN useradd -u 1000 -m -s /bin/bash vncuser
# Install fixuid
RUN curl -SsL https://github.com/boxboat/fixuid/releases/download/v0.5/fixuid-0.5-linux-amd64.tar.gz | tar -C /usr/local/bin -xzf - && \
chown root:root /usr/local/bin/fixuid && \
chmod 4755 /usr/local/bin/fixuid && \
mkdir -p /etc/fixuid && \
printf "user: vncuser\ngroup: vncuser\npath: /home/vncuser\n" > /etc/fixuid/config.yml
# Update and install Node.js
RUN curl -sL https://deb.nodesource.com/setup_lts.x | bash - && \
apt-get install -y nodejs
# Switch to the vncuser
USER 1000
# Install Playwright
RUN npm init -y && \
npm install playwright
I tried overriding the entrypoint by running fixuid as root and the upstream entrypoint as user 1000, but it didn't work:
# Switch back to root
USER 0
RUN echo "vncuser ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
ENTRYPOINT ["sh", "-c", "fixuid && sudo -u vncuser /dockerstartup/vnc_startup.sh --wait"]
fixuid: fixuid should only ever be used on development systems. DO NOT USE IN PRODUCTION
fixuid: runtime UID '1000' already matches container user 'vncuser' UID
fixuid: runtime GID '1000' already matches container group 'vncuser' GID
/dockerstartup/vnc_startup.sh: line 60: /chrome-init.sh: No such file or directory
And I tried a lot of other small things as well. What would be the correct way of handling this?
Hi! First, thanks for creating this eminently useful utility -- container bind mounts can be such a pain, and anything that makes dealing with mounts easier is most, most welcome.
I am hitting a fatal error when using fixuid as the entrypoint for a container that's based on the ruby:2.4 image. Here's an overview of my environment:
$ docker version
Client:
Version: 17.12.0-ce
API version: 1.35
Go version: go1.9.2
Git commit: c97c6d6
Built: Wed Dec 27 20:10:14 2017
OS/Arch: linux/amd64
Server:
Engine:
Version: 17.12.0-ce
API version: 1.35 (minimum version 1.12)
Go version: go1.9.2
Git commit: c97c6d6
Built: Wed Dec 27 20:12:46 2017
OS/Arch: linux/amd64
Experimental: false
$ uname -a
Linux mydomain.com 3.10.0-693.11.1.el7.x86_64 #1 SMP Mon Dec 4 23:52:40 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
And here are the two Dockerfiles involved in the build:
FROM debian:jessie
ARG FIXUID_VERSION
ENV FIXUID_VERSION 0.2
ADD "https://github.com/boxboat/fixuid/releases/download/v${FIXUID_VERSION}/fixuid-${FIXUID_VERSION}-linux-amd64.tar.gz" /tmp/fixuid.tar.gz
RUN tar -C /usr/local/bin -xvf /tmp/fixuid.tar.gz \
&& rm -f /tmp/fixuid.tar.gz \
&& chmod u+sx /usr/local/bin/fixuid
ENTRYPOINT ["/usr/local/bin/fixuid"]
FROM custom/fixuid:custom AS fixuid
FROM ruby:2.4
COPY --from=fixuid /usr/local/bin/fixuid /usr/local/bin/fixuid
# More stuff below
When I try to run a container based off of an image built from the second Dockerfile, I get a stack trace:
$ docker run --rm -it -u 1002:100 custom/ruby:2.4 bash
fixuid: fixuid should only ever be used on development systems. DO NOT USE IN PRODUCT
fixuid: updating user 'auser' to UID '1002
fixuid: runtime GID '100' matches existing group 'agroup'; not changing GID
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x48 pc=0x522b30]
goroutine 1 [running]:
main.main.func1(0xc4201074c0, 0x18, 0x0, 0x0, 0x613600, 0xc420080ba0, 0x0, 0x0)
/home/caleb/go/src/github.com/boxboat/fixuid/fixuid.go:185 +0x60
path/filepath.walk(0xc420102515, 0x9, 0x614a80, 0xc42011c750, 0xc420016ba0, 0x0, 0x0)
/usr/local/go/src/path/filepath/path.go:377 +0x2eb
path/filepath.walk(0xc420015850, 0x4, 0x614a80, 0xc4200f2750, 0xc420016ba0, 0x0, 0x0)
/usr/local/go/src/path/filepath/path.go:381 +0x39a
path/filepath.walk(0x569e59, 0x1, 0x614a80, 0xc4200828f0, 0xc420016ba0, 0x0, 0x30)
/usr/local/go/src/path/filepath/path.go:381 +0x39a
path/filepath.Walk(0x569e59, 0x1, 0xc420016ba0, 0xc420082820, 0x0)
/usr/local/go/src/path/filepath/path.go:403 +0x11d
main.main()
/home/caleb/go/src/github.com/boxboat/fixuid/fixuid.go:215 +0x1349
This seems to result from the fact that fixuid does not (explicitly) handle errors passed to the filepath.WalkFunc by filepath.Walk. I compiled a patched version of fixuid with the following change:
// this function is called for every file visited
visit := func(filePath string, fileInfo os.FileInfo, err error) error {
// bail out on walk error
if err != nil {
logger.Fatalln(err)
}
When I rebuild the two Docker images using this patched fixuid, I instead get the following error:
docker run --rm -it -u 1002:100 custom/ruby:2.4 bash
fixuid: fixuid should only ever be used on development systems. DO NOT USE IN PRODUCTION
fixuid: updating user 'auser' to UID '1002
fixuid: updating group 'agroup' to GID '1010
fixuid: lstat /etc/dpkg/shlibs.default: no such file or directory
And, indeed:
docker run --entrypoint '' --rm -it -u 1002:100 custom/ruby:2.4 ls -l /etc/dpkg
ls: cannot access /etc/dpkg/shlibs.default: No such file or directory
ls: cannot access /etc/dpkg/shlibs.override: No such file or directory
total 4
-rw-r--r-- 1 root root 446 Nov 28 2014 dpkg.cfg
drwxr-xr-x 2 root root 31 Dec 10 00:00 dpkg.cfg.d
drwxr-xr-x 2 root root 33 Dec 10 00:00 origins
?????????? ? ? ? ? ? shlibs.default
?????????? ? ? ? ? ? shlibs.override
I'm not quite sure what the deal is with the ruby:2.4 image (shlibs.default and shlibs.override have the same weird ls output in both custom/ruby:2.4 and the upstream ruby:2.4), but in any case it would be great if fixuid could handle errors like missing files that nonetheless "show up" (?) when walking the filesystem hierarchy. I'm not a Gopher, but I'd be happy to submit a PR if I can get an idea of what fixuid should do (log and bail out? blithely ignore?) in scenarios like the one I've described.
Thanks very much!
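As an added example (not the patch above and not fixuid's code), here is a walker that handles the WalkFunc error argument explicitly instead of crashing: the error is logged and the entry skipped, while the st_dev comparison from the device-ID discussion earlier on the page decides whether to descend into a directory. Names such as walkFixed and WalkResult are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"os"
	"path/filepath"
	"syscall"
)

// WalkResult records what a walk did, so callers (and tests) can see which
// entries were handled, which were unreadable, and where it stopped at a mount.
type WalkResult struct {
	Visited       []string // entries whose FileInfo was usable
	Skipped       []string // entries whose lstat/readdir failed: logged, not fatal
	SkippedMounts []string // entries on another device: not descended into
}

// walkFixed walks root the way fixuid does (filepath.Walk plus the st_dev
// check) but handles the WalkFunc error argument explicitly. Walk passes
// info == nil together with the error when lstat fails, so touching info
// first is exactly the nil pointer dereference in the trace above. A failure
// on the root itself is fatal; failures on entries below it are logged and
// skipped.
func walkFixed(root string) (WalkResult, error) {
	var res WalkResult
	rootInfo, err := os.Lstat(root)
	if err != nil {
		return res, fmt.Errorf("cannot stat search root %s: %w", root, err)
	}
	rootSys, ok := rootInfo.Sys().(*syscall.Stat_t)
	if !ok {
		return res, errors.New("platform does not expose st_dev")
	}

	visit := func(path string, info os.FileInfo, err error) error {
		if err != nil {
			// info is nil for lstat failures and non-nil for readdir failures;
			// in both cases there is nothing to descend into, so record and continue.
			log.Printf("skipping %s: %v", path, err)
			res.Skipped = append(res.Skipped, path)
			return nil
		}
		if sys, ok := info.Sys().(*syscall.Stat_t); ok && sys.Dev != rootSys.Dev {
			res.SkippedMounts = append(res.SkippedMounts, path)
			if info.IsDir() {
				return filepath.SkipDir // different device: do not recurse into the mount
			}
			return nil
		}
		res.Visited = append(res.Visited, path)
		// fixuid would inspect ownership and chown here.
		return nil
	}
	walkErr := filepath.Walk(root, visit)
	return res, walkErr
}

func main() {
	root := "/"
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	res, err := walkFixed(root)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("visited %d entries, skipped %d unreadable entries, stopped at %d foreign mounts\n",
		len(res.Visited), len(res.Skipped), len(res.SkippedMounts))
}
```

Run it with a directory argument, e.g. go run . /tmp. The design choice is the one the post asks about: an unreadable root is a configuration error and stops the run, while an unreadable entry below it (a permission problem, or an lstat failure like the shlibs.default case above) is logged and skipped so the rest of the tree still gets fixed.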
If the user is part of more groups than the dockergroup (the group which fixuid changes), those groups do not get applied to the new user.
I have a problem with my current use of fixuid, in that the docker socket I'm binding from the host has a different gid than the internal docker group. Consequently, adding the internal user to the "docker" group has no effect.
It'd be awesome if internal group GIDs could be remapped to account for this by either:
docker run -dt -u 123:123 -e FIXGID_DOCKER=984 ...
...
groups:
  docker: /var/run/docker.sock
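One way to do the remap the issue asks for, as an added example that is not fixuid's code: read the group owner of the bind-mounted socket and rewrite the docker line of /etc/group to that GID, refusing if another group already holds it. The sampleGroup text is constructed, and fileGID and remapGroupGID are this example's own names.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
	"syscall"
)

// sampleGroup is a constructed /etc/group excerpt; the container's docker
// group has gid 999 while, in this scenario, the host's has 984.
const sampleGroup = `root:x:0:
docker:x:999:dev
dev:x:1000:
`

// fileGID returns the numeric group owner of path; on a bind-mounted
// /var/run/docker.sock that is the host's docker group.
func fileGID(path string) (int, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return 0, fmt.Errorf("no Stat_t available for %s", path)
	}
	return int(st.Gid), nil
}

// remapGroupGID returns content (the text of /etc/group) with the gid of
// group name changed to gid. It refuses if a different group already holds
// that gid, since two groups sharing an ID would silently merge privileges.
// Returning text instead of writing the file keeps the caller in control of
// where it lands and lets this run offline.
func remapGroupGID(content, name string, gid int) (string, error) {
	want := strconv.Itoa(gid)
	var out []string
	found := false
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := sc.Text()
		fields := strings.Split(line, ":") // name:password:gid:members
		if len(fields) < 4 {
			out = append(out, line) // comment or malformed line: keep verbatim
			continue
		}
		switch {
		case fields[0] == name:
			fields[2] = want
			found = true
			line = strings.Join(fields, ":")
		case fields[2] == want:
			return "", fmt.Errorf("gid %d is already used by group %q", gid, fields[0])
		}
		out = append(out, line)
	}
	if err := sc.Err(); err != nil {
		return "", err
	}
	if !found {
		return "", fmt.Errorf("group %q not found", name)
	}
	return strings.Join(out, "\n") + "\n", nil
}

func main() {
	gid, err := fileGID("/var/run/docker.sock")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	updated, err := remapGroupGID(sampleGroup, "docker", gid)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Print(updated)
}
```

In a real entrypoint the rewritten text would replace /etc/group, which needs root, the setuid context fixuid already runs in; the collision check is what keeps a host GID that happens to match an existing container group from quietly widening that group.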
fixuid can sometimes be rather slow, leaving the user wondering what's wrong; often they will then try to cancel out of the command. Can we have some sort of indicator to let the user know that permissions are being changed in the container?
In WSL2, if the Dockerfile has fixuid (which is tested OK on another Ubuntu PC), it shows the error:
standard_init_linux.go:228: exec user process caused: no such file or directory
Could you help to check this?
Hello,
I maintain an application which uses Docker images for build and testing separation. It invokes docker run with the --user option to run with the calling user's UID and GID credentials. So far it looks like fixuid is a good fix for that. But it is also passing -e "USER=$($USER)" on the docker run, so inside the container echo "$USER" and whoami differ. (And then $HOME, of course.) As I discovered that fixuid does not rename the user, at least not out of the box, I wanted to ask: can fixuid somehow do it? Or what would be the best place to hack it in? The fixuid entrypoint?
Thanks.
Right now, fixuid starts at the root of the filesystem / and walks the directory tree. It does not recurse into mounts on other devices to avoid recursing into a host-mounted filesystem. There are 2 issues with this approach:
Searching every file/folder on the root filesystem can take a while, especially if there are a lot of files. Usually this isn't that big of an issue because we are dealing with Docker containers, which generally have minimal filesystems to start. Users should still be able to specify just the paths that they want searched to speed things up and avoid unnecessary recursion.
Sometimes users want fixuid to run on mounts on different devices. For example, a Docker Volume at /home/docker/.cache will show up as a mount on a different device from the root filesystem, but a user may still want fixuid to run there.
The solution I am proposing is allowing the user to specify paths to search. This will be added through a new key in the /etc/fixuid/config.yml file called paths, which will be an array of strings.
user: docker
group: docker
paths:
- /home/docker
- /home/docker/.cache
If the paths key is not defined, it will default to the same behavior as today:
paths:
- /
Volumes mounted on different devices that fixuid should run on should always be listed in the paths key, for example:
paths:
- /
- /home/docker/.cache
If you defined a docker container user, which results in UID 1000 for instance, and you run the container also with the UID 1000, the fixuid binary will say that the UID matches and that it didn't need to do anything (Lines 141 to 142 in 543e124).
Let's say now that I also mounted a named volume to this container on /my-volume and configured fixuid to fix that path in its config file. Docker-compose will create the volume, set the ownership to root and mount the volume to /my-volume.
As the Go variable needChown will stay with the false value (see the code near Lines 187 to 199 in 543e124), /my-volume will not be owned by user 1000 but by user root 0.
How can this be circumvented?
I have created a user 1000 and a group 1000 in a Dockerfile. The Dockerfile is built and is ready to be downloaded.
If one host user with ID 1001 starts the Docker image, then the system data (/etc/passwd and /etc/group) must be adapted.
At the end, the files have to be changed by the user using chown.
This works fine for the user, but not for the group.
Dockerfile:
ENV APPLICATION_UID=1000 \
APPLICATION_USER=application \
APPLICATION_GID=1000 \
APPLICATION_GROUP=application
RUN curl -SsL https://github.com/boxboat/fixuid/releases/download/v0.5/fixuid-0.5-linux-amd64.tar.gz | tar -C /usr/local/bin -xzf - && \
chown root:root /usr/local/bin/fixuid && \
chmod 4755 /usr/local/bin/fixuid && \
mkdir -p /etc/fixuid && \
printf "user: ${APPLICATION_USER}\ngroup: ${APPLICATION_GROUP}\n" > /etc/fixuid/config.yml
printf "user: ${APPLICATION_USER}\ngroup: ${APPLICATION_GROUP}\npaths:\n - /home/${APPLICATION_USER}\n - /home/${APPLICATION_USER}/.composer/cache\n - /tmp\n" > /etc/fixuid/config.yml
Docker image start:
# APPLICATION_UID=1001
# APPLICATION_GID=1001
# Change group id from 1000 to 1001
if ! getent group ${APPLICATION_GID} >/dev/null 2>&1; then
    groupmod -g ${APPLICATION_GID} application
fi
# Change user id from 1000 to 1001
if ! getent passwd ${APPLICATION_UID} >/dev/null 2>&1; then
    usermod -u ${APPLICATION_UID} application
fi
# Fix uid
eval $( fixuid -q )
Hints:
$ cat /etc/fixuid/config.yml
user: application
group: application
paths:
- /home/application
- /home/application/.composer/cache
- /tmp
$ ls -l /home/application
drwxr-xr-x 1 application 1000 .
# drwxr-xr-x 1 root root .. (good)
-rw-r--r-- 1 application 1000 .bash_logout
-rw-r--r-- 1 application 1000 .bashrc
drwxr-xr-x 1 application 1000 .composer
#-rw-rw-r-- 1 application application .gitconfig (good: mounted from 1001)
drwxr-xr-x 1 application 1000 .oh-my-zsh
-rw-r--r-- 1 application 1000 .profile
-rw-r--r-- 1 application 1000 .shell-methods.sh
#drwx------ 2 application application .ssh (good: mounted from 1001)
-rw-r--r-- 1 application 1000 .vimrc
#-rw------- 1 application application .zsh_history (good: new created after login)
-rw-r--r-- 1 application 1000 .zshrc
$ id
uid=1001(application) gid=1001(application) groups=1001(application),27(sudo)
$ grep 'application' /etc/passwd
application:x:1001:1001::/home/application:/bin/bash
$ grep 'application' /etc/group
#sudo:x:27:application (good: not necessary)
application:x:1001:
git clone https://github.com/Cyb10101/php-dev.git
cd php-dev
git checkout cyb-fixuid
printf "APPLICATION_UID=1001\nAPPLICATION_GID=1001" > .env
mkdir app
touch app/test.html
vim docker-compose.yml
docker network create global
docker-compose down --remove-orphans && docker-compose build && docker-compose up -d && docker-compose logs -f
# Wait after: web_1 | -> Executing /opt/docker/provision/entrypoint.d/00-cyb-set-user-and-group-id.sh
docker-compose exec web bash
ls -la /home/application
Add docker-compose.yml:
version: '3.5'
services:
  web:
    build: .
    user: ${APPLICATION_UID:-1000}:${APPLICATION_GID:-1000}
    volumes:
      - ./app:/app
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - APPLICATION_UID=${APPLICATION_UID:-1000}
      - APPLICATION_GID=${APPLICATION_GID:-1000}
    working_dir: /app
networks:
  default:
    external:
      name: global
Currently I can use this tool successfully with "normal" files and directories. But symbolic links created with ln -s src dest are not "fixed", although the user is correct on that link source.
First off: thank you for writing and publishing fixuid — it solves a problem I've been having with development Docker containers for a while now!
I've been trying to use it for a development image I maintain, but I'm struggling with the startup time. The user I create in the Dockerfile has (unfortunately) many files in their home directory. This is mostly due to installing package managers (in this case, miniconda) with a few default environments pre-packaged. As such, fixuid takes ~9.5 minutes to do its thing on the user's home directory (i.e., if the user's name is wally, under /home/wally).
I know from #31 that we can set paths in the configuration to the specific paths that we'd like fixuid to scan. That might work, but I think ultimately I would want to run fixuid over the wally user's working directory. In the vein of that issue's request for a progress bar, I was also wondering what considerations the library has about manually setting the number of max processes via https://github.com/boxboat/fixuid/blob/master/fixuid.go#L28. I can imagine that part of it is a security mitigation, since the script requires elevated permissions to run. Is part of the decision also related to the idempotency of the chown command?
I've been meaning to build something in Rust for a while, and if adding support for multi-core/parallel processes is cumbersome, I'd be happy to give it a shot. Let me know!
I made fixdockergid to prove that #19 is a valid use case. However, it would be so cool to have this functionality in fixuid instead, so we would not have to deal with this twice. fixdockergid depends on fixuid being installed.
This problem happens when you mount the docker.sock from the host machine on the container, and you try to access it using a non-root user. Then, the docker group id on the host can mismatch with the docker group id from the container, thus causing the non-root users to receive permission denied errors when trying to run docker commands. Microsoft solved it by using socat: https://github.com/microsoft/vscode-dev-containers/tree/master/containers/docker-from-docker#enabling-non-root-access-to-docker-in-the-container
But I consider this approach much better, less intrusive, and less expensive.
My entrypoint is something like below. So how can I pass the user:group value to fixuid from docker-compose.yml or docker run instead? I want this because I am trying to get the user ID from a mounted file in the entrypoint script.
HOST_CURRENT_USER_ID=$(stat -c "%u" /var/www/.gitkeep)
if [ $HOST_CURRENT_USER_ID -ne 0 ]; then
eval $( fixuid user:group)
fi
Hello, it seems that when I mount a volume via the filesystem it properly sets perms; however, when it is a named volume it doesn't. See below that /var/lib/whoosh is still owned by 1000:1000.
Thanks!
    volumes:
      - .:/usr/src/app
      - core-woosh:/var/lib/whoosh
    stdin_open: true
    tty: true
volumes:
  core-postgres-volume:
  core-woosh:
appuser@555c1718485c:/var/lib$ ls -alh | grep whoosh
drwxr-xr-x. 2 1000 1000 6 Mar 15 17:53 whoosh
appuser@555c1718485c:~$ ls -alh | head -n 2
total 132K
drwxrwxr-x. 16 appuser appuser 4.0K Mar 15 17:58 .
I am unable to run fixuid with a simple Dockerfile:
FROM alpine:latest
RUN addgroup -g 1000 docker && \
adduser -u 1000 -G docker -h /home/docker -s /bin/sh -D docker
RUN apk update && \
apk add ca-certificates wget && \
update-ca-certificates
RUN USER=docker && \
GROUP=docker && \
wget -qO- https://github.com/boxboat/fixuid/releases/download/v0.3/fixuid-0.3-linux-amd64.tar.gz | tar -C /usr/local/bin -xzf - && \
chown root:root /usr/local/bin/fixuid && \
chmod 4755 /usr/local/bin/fixuid && \
mkdir -p /etc/fixuid && \
printf "user: $USER\ngroup: $GROUP\n" > /etc/fixuid/config.yml
USER docker:docker
ENTRYPOINT ["fixuid"]
Result:
$ docker build -t test-fixuid .
$ docker run -it test-fixuid
fixuid: fixuid should only ever be used on development systems. DO NOT USE IN PRODUCTION
fixuid: fixuid must be owned by user 'root' and include the setuid bit 'chmod u+s /path/to/fixuid'
I checked it with $ docker run -it --entrypoint sh test-fixuid and it looks good:
/ $ cd /usr/local/bin/
/usr/local/bin $ ls -al
total 3616
drwxr-xr-x 1 root root 12 Mar 17 23:13 .
drwxr-xr-x 1 root root 22 Jan 9 19:37 ..
-rwsr-xr-x 1 root root 3699694 Jan 15 16:08 fixuid
Am I doing something wrong?
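The precondition behind that error message, as an added example (not fixuid's code): a file-based check of owner and setuid bit, plus a check of the effective UID that catches a binary whose bits are right but whose setuid is not honoured by the kernel, as happens on a mount carrying the nosuid option. fakeInfo is a constructed os.FileInfo for exercising the check offline; all names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
)

// checkSetuidRoot is the precondition behind the message
// "fixuid must be owned by user 'root' and include the setuid bit":
// the file's owner must be uid 0 and the setuid mode bit must be set.
func checkSetuidRoot(fi os.FileInfo) error {
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return errors.New("cannot determine file owner: no Stat_t")
	}
	if st.Uid != 0 {
		return fmt.Errorf("%s is owned by uid %d, not root", fi.Name(), st.Uid)
	}
	if fi.Mode()&os.ModeSetuid == 0 {
		return fmt.Errorf("%s lacks the setuid bit (chmod u+s)", fi.Name())
	}
	return nil
}

// checkEffectiveRoot catches the case the file check cannot: the bits are
// right but the kernel ignored them, e.g. because the binary sits on a
// filesystem mounted with nosuid, so the process still runs as the caller.
func checkEffectiveRoot(euid int) error {
	if euid != 0 {
		return fmt.Errorf("running with euid %d; the setuid bit was not honoured (nosuid mount?)", euid)
	}
	return nil
}

// fakeInfo is a constructed os.FileInfo so the check can be exercised
// without a real setuid binary; only Name, Mode and Sys are implemented.
type fakeInfo struct {
	os.FileInfo
	mode os.FileMode
	uid  uint32
}

func (f fakeInfo) Name() string      { return "fixuid" }
func (f fakeInfo) Mode() os.FileMode { return f.mode }
func (f fakeInfo) Sys() interface{}  { return &syscall.Stat_t{Uid: f.uid} }

func main() {
	path := "/usr/local/bin/fixuid"
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	if fi, err := os.Stat(path); err != nil {
		fmt.Fprintln(os.Stderr, err)
	} else if err := checkSetuidRoot(fi); err != nil {
		fmt.Fprintln(os.Stderr, "file check failed:", err)
	} else {
		fmt.Println("file check passed for", path)
	}
	// Constructed cases showing each failure the check reports.
	for _, c := range []fakeInfo{
		{mode: 0o755 | os.ModeSetuid, uid: 0},
		{mode: 0o755, uid: 0},
		{mode: 0o755 | os.ModeSetuid, uid: 1000},
	} {
		fmt.Printf("mode %v uid %d: %v\n", c.mode, c.uid, checkSetuidRoot(c))
	}
	fmt.Println("effective uid check:", checkEffectiveRoot(os.Geteuid()))
}
```

The two checks fail in different places: an ls -l that shows -rwsr-xr-x root root satisfies the first, so when the binary still reports a permission problem the second is the one to look at.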
Hi, I'm trying to implement this in a custom postgres image:
FROM postgres:latest
RUN addgroup --gid 1000 docker && \
adduser --uid 1000 --ingroup docker --home /home/docker --shell /bin/sh --disabled-password --gecos "" docker
RUN USER=docker && GROUP=docker && \
apt-get update -y && \
apt-get install curl -y && \
apt-get clean -y && \
curl -SsL https://github.com/boxboat/fixuid/releases/download/v0.4/fixuid-0.4-linux-amd64.tar.gz | tar -C /usr/local/bin -xzf - && \
chown root:root /usr/local/bin/fixuid && \
chmod 4755 /usr/local/bin/fixuid && \
mkdir -p /etc/fixuid && \
printf "user: $USER\ngroup: $GROUP\n" > /etc/fixuid/config.yml
ENTRYPOINT ["fixuid"]
RUN localedef -i de_DE -c -f UTF-8 -A /usr/share/locale/locale.alias de_DE.UTF-8
ENV LANG de_DE.utf8
USER docker:docker
postgres:
  build:
    ./pgsql
  restart: always
  container_name: postgres
  user: "${PUID}:${PGID}"
  hostname: pgsql-01
  ports:
    - 5432:5432
  environment:
    - POSTGRES_USER=${POSTGRES_USER}
    - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
    - POSTGRES_DB=${POSTGRES_DB}
  volumes:
    - ./database/data:/var/lib/postgresql/data
    - ./database/conf:/config
When I do docker-compose up docker-compose.yml it seems to just repeatedly execute fixuid, but postgres never starts. This is just a wild guess, but maybe this fails because I override the entrypoint of the postgres image?
In the official docs for the postgres Docker image I found that extending the image works by writing a simple Dockerfile like so:
FROM postgres:9.4
RUN localedef -i de_DE -c -f UTF-8 -A /usr/share/locale/locale.alias de_DE.UTF-8
ENV LANG de_DE.utf8
That works just fine.
Any interest in adding releases for these architectures? If not I guess I can just build them for myself.
Hello guys.
It looks like fixuid is writing its output to stderr:
$ fixuid > /dev/null
fixuid: fixuid should only ever be used on development systems. DO NOT USE IN PRODUCTION
fixuid: updating user 'docker' to UID '1000
fixuid: updating group 'docker' to GID '1000
fixuid: recursively searching path /
fixuid: chown /home/docker
fixuid: chown /home/docker/.bash_logout
fixuid: chown /home/docker/.bashrc
fixuid: chown /home/docker/.profile
Can you add some parameter to make fixuid run silently (like --quiet or -q)?
Thank you
Hi,
Thanks a lot for this great tool, which enabled me to remove some dirty hacks to chown/chmod files at run time.
I still have one issue as some files and folders inside my user home are not being chowned by fixuid.
I tried to add some more debug output via logger.Println in the Go source but I was unable to build it ;( (I'm not a Go expert).
Here is the relevant content of my Dockerfile:
RUN addgroup --gid 1000 site && \
    adduser --uid 1000 --ingroup site --home /home/site --shell /bin/bash --disabled-password --gecos "" site && \
    sed -i '$ a site ALL=(ALL:ALL) NOPASSWD: ALL' /etc/sudoers
RUN curl -s -o /home/site/.git-completion.bash https://raw.githubusercontent.com/git/git/master/contrib/completion/git-completion.bash && \
    curl -s -o /home/site/.git-prompt.sh -OL https://github.com/git/git/raw/master/contrib/completion/git-prompt.sh && \
    cp /etc/skel/.* /home/site/; \
    cat /tmp/profile/.bashrc_append >> /home/site/.bashrc && \
    cat /tmp/profile/.vimrc_append >> /home/site/.vimrc && \
    cp /tmp/profile/.gitconfig /home/site/ && \
    mkdir -p /home/site/.composer && \
    mkdir -p /home/site/.ssh && \
    chown -R site:site /home/site/ && \
    find /tmp/ -type f -name '.*' -maxdepth 1 -delete
USER site:site
CMD ["/run/bootstrap.sh"]
fixuid is executed in my bootstrap.sh script with:
eval $( fixuid )
User & group ids are specified in my compose.yml file:
user: ${DEV_UID:-1000}:${DEV_GID:-1000}
DEV_UID & DEV_GID are set in a .env file
At startup, fixuid chowns some files:
fixuid: updating user 'site' to UID '1001
fixuid: updating group 'site' to GID '1001
fixuid: chown /home
fixuid: chown /home/site
fixuid: chown /home/site/.bash_logout
fixuid: chown /home/site/.bashrc
fixuid: chown /home/site/.composer
fixuid: chown /home/site/.git-completion.bash
fixuid: chown /home/site/.git-prompt.sh
But, after entering the container, I still have some files/folders not being chowned in the user home folder, with 1000:1000 perms:
-rw-r--r-- 1 site site 220 oct. 7 10:18 .bash_logout
-rw-r--r-- 1 site site 11K oct. 7 10:18 .bashrc
drwxr-xr-x 2 site site 6 oct. 7 10:18 .composer
-rw-r--r-- 1 site site 70K oct. 7 10:18 .git-completion.bash
-rwxrwxrwx 1 site site 342 mars 6 2017 .gitconfig
-rw-r--r-- 1 site site 16K oct. 7 10:18 .git-prompt.sh
-rw-r--r-- 1 1000 1000 675 oct. 7 10:18 .profile
drwxr-xr-x 2 1000 1000 6 oct. 7 10:18 .ssh
-rw-r--r-- 1 1000 1000 601 oct. 7 10:18 .vimrc
Any help would be appreciated.
Thanks
There are two users in the Docker container.
We specify in the Dockerfile:
USER dockeralice:dockeralice
ENTRYPOINT ["fixuid"]
We add /etc/fixuid/config.yml to the container:
user: dockeralice
group: dockeralice
Now, when alice:alice (1000:1000) from the host runs this image with -u 1000:1000, then everything is fine.
However, if bob:bob (1001:1001) from the host runs this image with -u 1001:0001, he will become dockerbob inside the container instead of dockeralice, because his uid=1001 matched dockerbob's uid=1001.
Is there any way for bob to become dockeralice inside the container with such a setup?
So, the problem is that in such a case, when a host user UID accidentally clashes with a UID inside the container, both USER from the Dockerfile and user from /etc/fixuid/config.yml are totally ignored.
TravisCI seems to have stopped running
Switch to Github Actions and automate the release process
I started getting the error fixuid: permission denied after I moved the working folder to another partition. It turns out I had that partition mounted with the users option, which in the background adds these options: nosuid,nodev,noexec. nosuid is of significance here as it prevents fixuid from working.
After I removed the users option from /etc/fstab and remounted, fixuid started working again.