Metaswitch/floki

Non-root users are not guaranteed a writable home directory

matthewtorr-msft opened this issue · 0 comments

If you set forward_user: true without any further configuration, the user inside the container has no name and its home is the root directory:

```
I have no name! [ /src ]$ ls -l | head -n 2
total 228
-rw-r--r-- 1 1000 1000 97758 Oct 24 11:26 CHANGELOG.md
I have no name! [ /src ]$ echo $HOME
/
I have no name! [ /src ]$ ls -ld $HOME
drwxr-xr-x 1 root root 4096 Oct 25 10:45 /
```

Because the user doesn't have write permissions for its $HOME, tools that try to create config or cache files or directories in $HOME do not work, for example az-cli and docker.

```
I have no name! [ /src ]$ az login
Traceback (most recent call last):
  File "/usr/lib/python3.9/runpy.py", line 197, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/lib/python3.9/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/opt/python/venvs/azure-cli/lib/python3.9/site-packages/azure/cli/__main__.py", line 39, in <module>
    az_cli = get_default_cli()
  File "/opt/python/venvs/azure-cli/lib/python3.9/site-packages/azure/cli/core/__init__.py", line 895, in get_default_cli
    from azure.cli.core.azlogging import AzCliLogging
  File "/opt/python/venvs/azure-cli/lib/python3.9/site-packages/azure/cli/core/azlogging.py", line 30, in <module>
    from azure.cli.core.commands.events import EVENT_INVOKER_PRE_CMD_TBL_TRUNCATE
  File "/opt/python/venvs/azure-cli/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 25, in <module>
    from azure.cli.core.extension import get_extension
  File "/opt/python/venvs/azure-cli/lib/python3.9/site-packages/azure/cli/core/extension/__init__.py", line 18, in <module>
    az_config = CLIConfig(config_dir=GLOBAL_CONFIG_DIR, config_env_var_prefix=ENV_VAR_PREFIX)
  File "/opt/python/venvs/azure-cli/lib/python3.9/site-packages/knack/config.py", line 40, in __init__
    ensure_dir(config_dir)
  File "/opt/python/venvs/azure-cli/lib/python3.9/site-packages/knack/util.py", line 115, in ensure_dir
    raise e
  File "/opt/python/venvs/azure-cli/lib/python3.9/site-packages/knack/util.py", line 112, in ensure_dir
    os.makedirs(d)
  File "/usr/lib/python3.9/os.py", line 225, in makedirs
    mkdir(name, mode)
PermissionError: [Errno 13] Permission denied: '/.azure'
```

It's possible to work around this as follows, but it's hacky. It would be nice if floki guaranteed you a writable home directory.

```yaml
docker_switches:
  - -e
  - HOME=/tmp/home
forward_user: true
init:
  - mkdir $HOME
```
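
A more defensive form of the workaround above, as an added example that is not part of the original issue and is not floki's own code: it diagnoses the "no passwd entry, unwritable HOME" state and, only when HOME is unusable, falls back to a private directory. The function names and the `mktemp` fallback location are assumptions.

```shell
#!/bin/sh
# Added example, not floki code. Function names and the mktemp fallback
# location are assumptions made for illustration.

# True when $1 is an existing directory the current user can write to and enter.
home_is_writable() {
    [ -n "$1" ] && [ -d "$1" ] && [ -w "$1" ] && [ -x "$1" ]
}

# One-line diagnosis of the state shown in the issue: a forwarded UID with no
# passwd entry ("I have no name!") whose HOME is "/" and not writable.
describe_home() {
    name=$(id -un 2>/dev/null) || name='<no passwd entry>'
    if home_is_writable "${HOME-}"; then state=writable; else state=not-writable; fi
    printf 'uid=%s name=%s HOME=%s (%s)\n' "$(id -u)" "$name" "${HOME-}" "$state"
}

# Print the directory to use as HOME: the candidate ($1, default $HOME) when it
# is writable, otherwise a fresh directory from mktemp -d, which is created
# with mode 0700 and an unpredictable name instead of a fixed shared path.
ensure_writable_home() {
    candidate=${1-${HOME-}}
    if home_is_writable "$candidate"; then
        printf '%s\n' "$candidate"
        return 0
    fi
    mktemp -d "${TMPDIR:-/tmp}/home.XXXXXX"
}

# Typical use at container start:
#   HOME=$(ensure_writable_home) && export HOME
```

Tools such as az-cli and docker store credentials under HOME, so the 0700 mode on the fallback directory matters when the temporary location is shared with other users or processes.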