
Plenty of articles mention that a non-root user's uid/gid can be modified after the container is launched.

I'm following this document from MS to create a development user that keeps the same uid/gid as the host user.

groupmod and usermod work fine if the user is added in the current container.

But I got a weird permission-denied issue after I committed this user (1000:1000) to an image. After adding this user I committed the image as centos-added. Then this user can't touch files under its home directory anymore, even if I commit the image that modified the uid/gid.

Reproduction steps are below. I'd appreciate any help.

➜  ~ docker --version
Docker version 24.0.2, build cb74dfc
➜  ~ docker run -it -d centos bash
0396de453a444da42d824c2ba4a337859e167e1219b08512f8fa8cee63bfb12f
➜  ~ docker exec -it 0396 bash
[root@0396de453a44 /]# groupadd -g 1000 vscode
[root@0396de453a44 /]# useradd -u 1000 -g 1000 -m vscode
[root@0396de453a44 /]# exit
➜  ~ docker commit 0396 centos-added
sha256:cee9e18fafe454148890f6ccbc05bb438662cb8ea7161e60cc385f1c6b47d2bf
➜  ~ docker run -it -d centos-added bash
7f8bbe89542271c79d45da4ab82471bd32c213777076c760cbe3e7754019085a
➜  ~ docker exec -it 7f8 bash
[root@7f8bbe895422 /]# groupmod -g 1158 vscode
[root@7f8bbe895422 /]# usermod -g 1158 -u 1158 vscode
[root@7f8bbe895422 /]# chown -R 1158:1158 /home/vscode
[root@7f8bbe895422 /]# su vscode
[vscode@7f8bbe895422 /]$ cd
[vscode@7f8bbe895422 ~]$ touch aaa
touch: cannot touch 'aaa': Permission denied
[vscode@7f8bbe895422 ~]$ ls -lna
total 20
drwx------ 1 1158 1158 4096 Jun  2 05:34 .
drwxr-xr-x 1    0    0 4096 Jun  2 05:34 ..
-rw-r--r-- 1 1158 1158   18 Jan 12  2021 .bash_logout
-rw-r--r-- 1 1158 1158  141 Jan 12  2021 .bash_profile
-rw-r--r-- 1 1158 1158  376 Jan 12  2021 .bashrc

/etc/passwd and /etc/group after modifying uid/gid:

[root@7f8bbe895422 /]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
systemd-coredump:x:999:997:systemd Core Dumper:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
vscode:x:1158:1158::/home/vscode:/bin/bash
[root@7f8bbe895422 /]# cat /etc/group
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mem:x:8:
kmem:x:9:
wheel:x:10:
cdrom:x:11:
mail:x:12:
man:x:15:
dialout:x:18:
floppy:x:19:
games:x:20:
tape:x:33:
video:x:39:
ftp:x:50:
lock:x:54:
audio:x:63:
users:x:100:
nobody:x:65534:
dbus:x:81:
utmp:x:22:
utempter:x:35:
input:x:999:
kvm:x:36:
render:x:998:
systemd-journal:x:190:
systemd-coredump:x:997:
systemd-resolve:x:193:
vscode:x:1158:
[root@7f8bbe895422 /]#

edit 1:

Here's the id result.

➜  ~ docker exec -it 7f8bb bash
[root@7f8bbe895422 /]# su vscode
[vscode@7f8bbe895422 /]$ id
uid=1158(vscode) gid=1158(vscode) groups=1158(vscode)
[vscode@7f8bbe895422 /]$ cd
[vscode@7f8bbe895422 ~]$ pwd
/home/vscode
[vscode@7f8bbe895422 ~]$ ls -lna
total 20
drwx------ 1 1158 1158 4096 Jun  2 05:34 .
drwxr-xr-x 1    0    0 4096 Jun  2 05:34 ..
-rw-r--r-- 1 1158 1158   18 Jan 12  2021 .bash_logout
-rw-r--r-- 1 1158 1158  141 Jan 12  2021 .bash_profile
-rw-r--r-- 1 1158 1158  376 Jan 12  2021 .bashrc
[vscode@7f8bbe895422 ~]$ touch aaa
touch: cannot touch 'aaa': Permission denied
[vscode@7f8bbe895422 ~]$
StephanXu
  • After `su vscode`, type the command `id` and paste the result. – Philippe Jun 02 '23 at 08:08
  • @Philippe I've edited, it seems correct – StephanXu Jun 02 '23 at 08:23
  • Indeed strange. I ran all the commands but didn't get the `Permission denied` error. I have the same docker version as you and I'm on Ubuntu. – Philippe Jun 02 '23 at 10:49
  • A container normally runs a single process, and you can't change that process's uid after it starts. You shouldn't normally need extensive use of `docker exec` as you show, and you should _never_ need `docker commit`. What is the actual main container process? Can you start the container with a `docker run -u $(id -u)` option? Does [What is the (best) way to manage permissions for Docker shared volumes?](https://stackoverflow.com/questions/23544282/what-is-the-best-way-to-manage-permissions-for-docker-shared-volumes) have useful advice for you? – David Maze Jun 02 '23 at 11:11
  • @DavidMaze I'm trying to simulate `useradd` and `usermod` in a Dockerfile. Some tools require an existing non-root user in the image (e.g. Dev Container in VSCode). – StephanXu Jun 02 '23 at 11:27
  • @Philippe I tried to reproduce this on ubuntu:bionic but it actually works fine. Is this a centos-specific issue? – StephanXu Jun 02 '23 at 11:27
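The asker's stated goal in the comments is to reproduce the `useradd`/`usermod` steps in a Dockerfile rather than through `docker exec` and `docker commit`. The following Dockerfile is an added example, not code from the question or from the Microsoft document the asker refers to. It takes the host uid/gid as build arguments, creates the user with those numeric ids in a single layer, and then fails the build if that user cannot create a file in its own home directory, so the "Permission denied" seen in the question would surface during `docker build` instead of after the image is in use. The user name `vscode`, the `centos` base image and the default ids 1000:1000 are taken from the question; the build-arg names and the probe file name are assumptions made for this example.

```dockerfile
# Added example (not from the question): build-time user creation with
# host-matching uid/gid and a write check on the home directory.
FROM centos

# Assumed build-arg names; override them at build time with --build-arg.
ARG USER_NAME=vscode
ARG USER_UID=1000
ARG USER_GID=1000

# Create the group and user with the requested numeric ids in one layer,
# with a home directory and a login shell.
RUN groupadd -g "${USER_GID}" "${USER_NAME}" \
 && useradd -u "${USER_UID}" -g "${USER_GID}" -m -s /bin/bash "${USER_NAME}"

# Sanity check: as the new user, create and remove a probe file in $HOME.
# If this fails (as `touch aaa` does in the question), the build stops here
# and prints the numeric ids and ownership for diagnosis.
RUN su - "${USER_NAME}" -c 'touch "$HOME/.write-probe" && rm "$HOME/.write-probe"' \
 || { id "${USER_NAME}"; ls -lna "/home/${USER_NAME}"; exit 1; }

USER ${USER_NAME}
WORKDIR /home/${USER_NAME}
```

Build it with the current host ids, for example `docker build --build-arg USER_UID=$(id -u) --build-arg USER_GID=$(id -g) -t centos-dev .`. When the ids need to change later, rebuilding with different arguments recreates the user and re-runs the write check in a fresh layer, which avoids the `groupmod`/`usermod`/`chown -R` sequence on a running container followed by `docker commit` that the question shows.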

0 Answers