[debian] arbitrary --user throws permission errors #917

Closed
@tobwen

Description

tl;dr

I tried to run the example for arbitrary --user from the docs on the Debian-based container, but it threw several permission errors.

error

chmod: changing permissions of '/var/lib/postgresql/data': Operation not permitted
chmod: changing permissions of '/var/run/postgresql': Operation not permitted
The files belonging to this database system will be owned by user "www-data".
This user must also own the server process.

The database cluster will be initialized with locale "en_US.utf8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".

Data page checksums are disabled.

fixing permissions on existing directory /var/lib/postgresql/data ... initdb: error: could not change permissions of directory "/var/lib/postgresql/data": Operation not permitted

steps to reproduce

See: https://github.com/docker-library/docs/blob/master/postgres/README.md#arbitrary---user-notes

# running as root
$ docker run -it --rm --user www-data -e POSTGRES_PASSWORD=mysecretpassword postgres:bullseye

# other example
$ docker run -it --rm --user www-data:www-data -v /etc/passwd:/etc/passwd:ro -e POSTGRES_PASSWORD=mysecretpassword postgres:bullseye
$ grep www-data /etc/passwd
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin

environment

Docker version 20.10.12, build e91ed57 from Docker's repository for Debian Buster (AMD64)

analysis

Inside the container, there's already a $PGDATA directory, which belongs to user-id 999. Of course, an arbitrary user cannot run chmod or other stuff here, as stated in

chmod 700 "$PGDATA" || :

$ ls -n -a $PGDATA
total 8
drwxrwxrwx 2 999 999 4096 Dec 21 23:32 .
drwxr-xr-x 1 999 999 4096 Dec 21 23:32 ..

$ chmod 700 "$PGDATA" || :
chmod: changing permissions of '/var/lib/postgresql/data': Operation not permitted

possible fix

Add -e PGDATA=/tmp/pgdata or another directory where the user is allowed to write, OR fix the permissions of the current location in the image.
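An added pre-flight check (example code, not the postgres image's entrypoint) that reproduces the ownership assumption described in this report without docker: it assumes GNU coreutils stat as in the Debian-based image, and the function names pgdata_preflight and pgdata_suggest are hypothetical.

```shell
# Added example (not from the postgres image or its entrypoint): a pre-flight
# check for the ownership assumption behind `chmod 700 "$PGDATA" || :` and
# initdb, which must chmod/chown $PGDATA itself. A pre-existing directory
# owned by another uid (999 in the image) fails with "Operation not permitted".
# Assumes GNU coreutils stat, as in the Debian-based image.

# pgdata_preflight DIR UID: 0 if initdb running as UID could take ownership
# of DIR, 1 (reason on stderr) if it would hit the reported error.
pgdata_preflight() {
  dir=$1
  uid=$2
  # root bypasses discretionary permission checks, so uid 0 never fails here
  if [ "$uid" -eq 0 ]; then
    return 0
  fi

  if [ -e "$dir" ]; then
    owner=$(stat -c %u "$dir")
    if [ "$owner" -ne "$uid" ]; then
      echo "$dir exists and is owned by uid $owner, not $uid:" \
           "chmod 700 would fail with 'Operation not permitted'" >&2
      return 1
    fi
    return 0
  fi

  # DIR is absent: it can only be created if UID may write the nearest
  # existing ancestor (same owner, or other-writable like /tmp; group
  # membership is not considered)
  parent=$dir
  while [ ! -e "$parent" ]; do parent=$(dirname "$parent"); done
  owner=$(stat -c %u "$parent")
  mode=$(stat -c %a "$parent")
  if [ "$owner" -eq "$uid" ] || [ $(( 0$mode & 2 )) -ne 0 ]; then
    return 0
  fi
  echo "$parent is owned by uid $owner (mode $mode): uid $uid cannot create $dir" >&2
  return 1
}

# pgdata_suggest DIR UID: print the workaround from this report when DIR is unusable
pgdata_suggest() {
  if pgdata_preflight "$1" "$2" 2>/dev/null; then
    echo "PGDATA=$1 is usable by uid $2"
  else
    echo "use -e PGDATA=/tmp/pgdata (or a volume owned by uid $2) instead of $1"
  fi
}
```

Run it against the directory you intend to mount and the uid you pass to --user before starting the container; a non-zero result is the same failure initdb reports above.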
