[debian] arbitrary --user throws permission errors #917
Closed
tobwen opened this issue Jan 2, 2022 · 2 comments
Comments

@tobwen
Contributor

tobwen commented Jan 2, 2022

tl;dr

I tried to run the example for arbitrary --user from the docs on the Debian-based container, but it threw several permission errors.

error

chmod: changing permissions of '/var/lib/postgresql/data': Operation not permitted
chmod: changing permissions of '/var/run/postgresql': Operation not permitted
The files belonging to this database system will be owned by user "www-data".
This user must also own the server process.

The database cluster will be initialized with locale "en_US.utf8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".

Data page checksums are disabled.

fixing permissions on existing directory /var/lib/postgresql/data ... initdb: error: could not change permissions of directory "/var/lib/postgresql/data": Operation not permitted

steps to reproduce

See: https://github.com/docker-library/docs/blob/master/postgres/README.md#arbitrary---user-notes

# running as root
$ docker run -it --rm --user www-data -e POSTGRES_PASSWORD=mysecretpassword postgres:bullseye

# other example
$ docker run -it --rm --user www-data:www-data -v /etc/passwd:/etc/passwd:ro -e POSTGRES_PASSWORD=mysecretpassword postgres:bullseye
$ grep www-data /etc/passwd
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin

environment

Docker version 20.10.12, build e91ed57 from Docker's repository for Debian Buster (AMD64)

analysis

Inside the container, there's already a $PGDATA directory, which belongs to user-id 999. Of course, an arbitrary user cannot run chmod or other stuff here, as stated in:

chmod 700 "$PGDATA" || :

$ ls -n -a $PGDATA
total 8
drwxrwxrwx 2 999 999 4096 Dec 21 23:32 .
drwxr-xr-x 1 999 999 4096 Dec 21 23:32 ..

$ chmod 700 "$PGDATA" || :
chmod: changing permissions of '/var/lib/postgresql/data': Operation not permitted

possible fix

Add -e PGDATA=/tmp/pgdata (or another directory where the user is allowed to write), OR fix the permissions of the current location in the image.
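The failure mode above (a $PGDATA that is world-writable but owned by uid 999, so `chmod 700 "$PGDATA" || :` is silently skipped and initdb then fails) can be caught before initdb runs. The check below is an added example and not code from the postgres image or its docker-entrypoint.sh; the function name pgdata_preflight and its exit codes are my own choice.

```shell
#!/bin/sh
# Added example (not from the postgres image or docker-entrypoint.sh).
# Preflight check for an arbitrary --user: the entrypoint's
# `chmod 700 "$PGDATA" || :` swallows the chmod failure, but initdb later
# stops on the same directory with "could not change permissions".
# This reports the mismatch up front, before any initdb run.
#
# Exit codes (my own convention, not PostgreSQL's):
#   0  current uid owns the directory and can write it (or we are root)
#   1  directory does not exist
#   2  writable but owned by another uid: chmod 700 / initdb will fail,
#      exactly the uid 999 situation described in this issue
#   3  not writable at all
pgdata_preflight() {
    dir=$1
    [ -d "$dir" ] || { echo "preflight: $dir does not exist" >&2; return 1; }
    me=$(id -u)
    # root can chmod anything, so the owner check is moot
    [ "$me" -eq 0 ] && return 0
    # GNU stat first, BSD/busybox-style fallback second
    owner=$(stat -c %u "$dir" 2>/dev/null || stat -f %u "$dir")
    if [ ! -w "$dir" ]; then
        echo "preflight: uid $me cannot write $dir (owner uid $owner)" >&2
        return 3
    fi
    if [ "$owner" != "$me" ]; then
        echo "preflight: $dir is writable but owned by uid $owner, not $me;" \
             "chmod 700 and initdb's permission fix will fail." \
             "Point PGDATA at a directory owned by uid $me." >&2
        return 2
    fi
    return 0
}

# usage: pgdata_preflight "${PGDATA:-/var/lib/postgresql/data}" || exit $?
```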

@wglambert

Yeah that error should be non-failing
#853 (comment)

@wglambert

Closing since this seems resolved. If you need further help, you could also try asking over at the Docker Community Forums, Docker Community Slack, or Stack Overflow.
