Docker windows containers file access permission issues

Question

Windows Server 2016 host, running Docker EE through the default MSFTdocker provider.

Docker version 17.06.2-ee-5, build 508bb92

docker-compose version 1.17.1, build 6d101fb0

I have a Windows container based on microsoft/windowsservercore:latest, and am attempting to setup an image for Bamboo server. During creation of a build plan, the server generates a cipher to communicate between Bamboo and Bitbucket. In the running container, the cipher folder/file generation fails with the following error:

java.nio.file.AccessDeniedException: C:\bamboo-home\xml-data\configuration\cipher\cipher.key_0

I have tried with the volume C:\bamboo-home both attached to my Windows host, and fully contained inside the container. Same error both times.

Windows containers run with an admininstrator account named 'containeradministrator'; this is the case both in the default image, and when using an entrypoint, as demonstrated below.

Standard image run:

PS C:\> docker run -it microsoft/windowsservercore:latest powershell
Windows PowerShell Copyright (C) 2016 Microsoft Corporation. All
rights reserved.

PS C:\> whoami 
user manager\containeradministrator

And on the custom-built image to test entrypoint:

PS C:\test> docker-compose build
Building testentrypoint
Step 1/2 : FROM microsoft/windowsservercore:latest
---> 2cddde20d95d
Step 2/2 : ENTRYPOINT whoami
---> Running in 7fe31f02e45f
---> 60822e1907f1
Removing intermediate container 7fe31f02e45f
Successfully built 60822e1907f1
Successfully tagged test/entrypoint:latest
PS C:\test> docker-compose up
Creating network "test_default" with the default driver
Creating test_testentrypoint_1 ...
Creating test_testentrypoint_1 ... done
Attaching to test_testentrypoint_1
testentrypoint_1 | user manager\containeradministrator
test_testentrypoint_1 exited with code 0

This user is an alias to Administrator from what I can tell, although interestingly it doesn't show up in net user as this name:

PS C:\> net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
The command completed with one or more errors.

So this is potentially an issue, but regardless, the user has full admin permissions from what I can tell:

PS C:\> $user = [Security.Principal.WindowsIdentity]::GetCurrent()
PS C:\> $user

AuthenticationType : Negotiate
ImpersonationLevel : None
IsAuthenticated    : True
IsGuest            : False
IsSystem           : False
IsAnonymous        : False
Name               : User Manager\ContainerAdministrator
Owner              : S-1-5-93-2-1
User               : S-1-5-93-2-1
Groups             : {S-1-1-0, S-1-5-32-545, S-1-5-6, S-1-2-1...}
Token              : 3052
AccessToken        : Microsoft.Win32.SafeHandles.SafeAccessTokenHandle
UserClaims         : {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: User Manager\ContainerAdministrator, http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid: S-1-5-93-2-1, http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid:
                     S-1-1-0, http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-5-32-545...}
DeviceClaims       : {}
Claims             : {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: User Manager\ContainerAdministrator, http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid: S-1-5-93-2-1, http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid:
                     S-1-1-0, http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-5-32-545...}
Actor              :
BootstrapContext   :
Label              :
NameClaimType      : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
RoleClaimType      : http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid

PS C:\> (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
True

So I've tried the following:

Run a build step in the container that sets the folder permissions to "Everyone - Full Access"
Run the script manually in the running container at startup that does the same
Connect to the container when running, and manually run the powershell to do the same

Each time, before attempting to generate the cipher file, the permissions look like this:

PS C:\> Get-ACL C:\bamboo-home\xml-data\configuration\ | fl

Path   : Microsoft.PowerShell.Core\FileSystem::C:\bamboo-home\xml-data\configuration\
Owner  : User Manager\ContainerAdministrator
Group  : User Manager\ContainerAdministrator
Access : Everyone Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         S-1-5-21-2465844383-291681238-1546083700-500 Allow  FullControl
Audit  :
Sddl   : O:S-1-5-93-2-1G:S-1-5-93-2-1D:AI(A;OICIID;FA;;;WD)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;S-1-5-21-2465844383-291681238-1546083700-500)

And the above error occurs after attempting the generation, and the permissions change to:

PS C:\> Get-ACL C:\bamboo-home\xml-data\configuration\ | fl

Path   : Microsoft.PowerShell.Core\FileSystem::C:\bamboo-home\xml-data\configuration\
Owner  : User Manager\ContainerAdministrator
Group  : User Manager\ContainerAdministrator
Access : Everyone Allow  FullControl
Audit  :
Sddl   : O:S-1-5-93-2-1G:S-1-5-93-2-1D:AI(A;OICI;FA;;;WD)

Why does the default account (presumably an Administrator named containeradministrator) lose access to this directory when it seems to indicate it has ownership? And why can't it create the file (or folder, for that matter) in the first place, since in both cases, "Everyone" should have full access?

Can you reproduce the issue with nothing but Microsoft libraries. You keep speaking of `generation` process and changes to file system afterwards, which is external process and seems to be indicating here is curlpit for this behavior rather then container runtime. — Gregory Suvalian, Nov 15 '17 at 16:42
Hey Greg, definitely don't disagree. The issue is that the external process should (as part of "everyone") have access to this folder to read/write as it pleases, and it seems like the writing isn't working as designed. I don't know that there will be a great way to recreate this using Microsoft libraries only. — jski, Nov 15 '17 at 19:13
This process is modifying permissions, right? So what exactly are you asking? — Gregory Suvalian, Nov 15 '17 at 19:14
The file "cipher.key_0" that the process needs to create can't be created due to permissions issues in the folder. I want to know why it can't write to a folder under any circumstance I've tried inside this container. — jski, Nov 15 '17 at 19:25
But this permissions issues are caused by third party utility modifying permissions, right? Also check what `InheritanceFlags` is for Everyone after folder change, you have to do `fl *` for it — Gregory Suvalian, Nov 15 '17 at 19:28
So nothing comes back for (Get-ACL).Access for the /cipher folder itself. The folder it's created in, /configuration, has the following and doesn't change: `PS C:\> (Get-ACL C:\bamboo-home\xml-data\configuration\).Access` `FileSystemRights : FullControl` `AccessControlType : Allow` `IdentityReference : Everyone` `IsInherited : FalseInheritanceFlags : ContainerInherit, ObjectInherit` `PropagationFlags : None` So a new folder/file are created inside of there, with no access rules whatsoever, somehow. — jski, Nov 15 '17 at 19:46
What do you mean nothing comes back when you do Get-ACL on /cipher? — Gregory Suvalian, Nov 15 '17 at 23:23
The returned set is null, ie. nothing returned. Anyway, I found a solution to my issue (although still unclear on why it happened), so I will post as an answer. — jski, Nov 16 '17 at 13:34
Ownership doesn't imply _access permissions_. Ownership "merely" implies `WRITE_DAC`, which means the owner can overwrite the object's SD even without having explicit access to the object via the DACL. That's the reason why an admin needs to take ownership prior to resetting the SDs on an object. And in order to take ownership, any account need to exercise the respective NT right/privilege. But looking at `D:AI(A;OICI;FA;;;WD)` I would expect full access for "Everyone" indeed. — 0xC0000022L, Feb 28 '23 at 10:40

score 1 · Answer 1 · answered Nov 16 '17 at 13:41

I did not identify the issue between host/container permissions, but the way I brought up the container allowed the issue to happen. By changing my setup process, I was able to correct this.

Initial creation (that failed permissions on the created folder):

Create blank folder on host machine.
Link as volume with compose to container internal folder (all of C:\bamboo-home in this case). This is the folder that Bamboo will place all it's configuration/workspace stuff.
Setup product inside container, everything works except failure of the cipher folder. Didn't notice issue until this step.

New creation (that works properly):

Create blank folder on host machine.
Link as volume with compose to container internal folder (C:\empty, in this case). This does NOT link to C:\bamboo-home, which will be made internally in the running container as required.
Setup the product inside container. Once complete, copy all files from the container's folder to the new blank folder created. This way, the permissions are set in a consistent way inside the container itself, and the issues from before were mitigated.

Docker windows containers file access permission issues

1 Answers1