s6-applyuidgid when downgrading to non-root user #1

Open
maxamel opened this issue Nov 18, 2024 · 4 comments

maxamel commented Nov 18, 2024

Hi, I have a dockerfile which tries downgrading to non-root user and results in this error:

s6-applyuidgid: fatal: unable to set supplementary group list: Operation not permitted

The dockerfile:

FROM woahbase/alpine-lua
WORKDIR /home/alpine
COPY . .
RUN apk add acl curl-dev gcc musl-dev make m4 libffi-dev openssl-dev bsd-compat-headers
RUN luarocks install milua && luarocks install redis-lua && luarocks install lunajson && luarocks install Lua-cURL
RUN chown -hR alpine /run && chown -hR alpine /var/log/ && chown -hR alpine /home/alpine && chown -hR alpine /etc/group
USER alpine
CMD [ "lua", "./src/app.lua" ]

Is there something I'm missing? I also tried creating my user and using the S6 env vars to override the default group/user but that didn't help, and I'd rather keep this simple with the existing alpine user.

lapnapra (Contributor) commented Dec 3, 2024

Hi, sorry for the late reply.

Have you tried without setting the user in Dockerfile? Because the error seems to be at the user-group-modification task where the PUID/PGID/extra-groups is updated. The USER alpine bit is redundant in this case, as the image (being a dev-image using the /usershell entrypoint by default) will drop the effective-UIDGID to be that of the ${S6_USER} anyway (which requires root).

maxamel (Author) commented Dec 6, 2024

I tried removing the USER directive. When I run this directly with docker build + docker run the user inside the container appears to be alpine. However, I am running my setup with docker compose. For setting the user correctly in a docker composed setup there are two options: either set the USER directive in the dockerfile or set the user directive in the docker compose file. Both options result in the error:
s6-applyuidgid: fatal: unable to set supplementary group list: Operation not permitted
Not setting any of those results in the user being root.

lapnapra (Contributor) commented Dec 9, 2024

You could do one thing, switch the entrypoint back to /init and set the envvar S6_USER="" (empty quoted string) to disable the usermod-task and privilege-dropping completely.

maxamel (Author) commented Dec 13, 2024

Thank you, it appears it worked!
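
Added example, not part of the thread or of the image's own scripts: a preflight check for the condition discussed above. Changing the supplementary group list needs CAP_SETGID (and the UID change needs CAP_SETUID), which a container started through USER or a compose user: setting does not normally hold. The function names and the two sample masks are constructed for illustration.

```shell
#!/bin/sh
# Added example: can this process change its groups and UID/GID, i.e. would an
# s6-applyuidgid-style privilege drop succeed or fail with EPERM?

CAP_SETGID=6   # bit index, from linux/capability.h
CAP_SETUID=7

# has_cap HEXMASK BIT -> exit 0 if BIT is set in a CapEff-style hex mask
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# can_drop_privs HEXMASK -> prints a verdict; exit 0 only if both caps are present
can_drop_privs() {
    missing=""
    has_cap "$1" "$CAP_SETGID" || missing="$missing CAP_SETGID"
    has_cap "$1" "$CAP_SETUID" || missing="$missing CAP_SETUID"
    if [ -n "$missing" ]; then
        echo "cannot drop privileges, missing:$missing"
        return 1
    fi
    echo "ok"
}

# check_self -> evaluates the effective capability mask of the current process
check_self() {
    [ -r /proc/self/status ] || { echo "no /proc/self/status"; return 2; }
    mask=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    [ -n "$mask" ] || { echo "CapEff not found"; return 2; }
    can_drop_privs "$mask"
}

# Constructed sample masks (not captured from the reporter's container)
ROOT_DEFAULT=00000000a80425fb   # root with Docker's default capability set
NON_ROOT=0000000000000000       # process started as an unprivileged user

echo "root, default caps: $(can_drop_privs "$ROOT_DEFAULT")"
echo "non-root start:     $(can_drop_privs "$NON_ROOT")"
echo "this process:       $(check_self)"
```

Run inside the container as the user it actually starts with; a "missing" verdict means the drop has to be left to a root-started entrypoint or disabled, as suggested in the thread.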
