emberstack/docker-sftp

UIDs/GIDs could be mismatched between container and host

MrDonkey07 opened this issue · 2 comments

Due to auto-creation of UIDs and GIDs in the container, permissions could be incorrectly mapped when files are persisted on the host.

Consider this example:

Host has the following users and groups:

| UID  | Name   |
|------|--------|
| 1000 | root   |
| 1001 | admin1 |
| 1002 | admin2 |
| 1003 | user1  |
| 1004 | user2  |

| GID  | Name      |
|------|-----------|
| 1000 | root      |
| 1001 | admin_grp |
| 1002 | user_grp  |

If this container is launched with a config specifying 2 users like this:

```json
"Users": [
    {
        "Username": "user1",
        "Password": "pass1"
    },
    {
        "Username": "user2",
        "Password": "pass2"
    }
]
```

Then the container will contain the following groups:

| GID  | Name                |
|------|---------------------|
| 1000 | sftp-user-inventory |
| 1001 | user1               |
| 1002 | user2               |

Files created by user1 in the container will be owned by admin1:admin_grp on the host.
Files created by user2 in the container will be owned by admin2:user_grp on the host.

Hi,

I'm not sure if this is really an issue that can be solved: if you use the sftp container with a volume mount and want the host to reflect those permissions, manual mapping of UID/GID is required. I don't think there's anything we can do to support this scenario automatically.
The intent of this project is to ensure security from within the container, not from outside access to the stored data (which is outside any control options that I can think of).
I'm going to close this issue as won't fix because there's no solution to it. If you can think of a way of making this work in a generic way (without compromising the security of the container), please reopen and we can evaluate together.

Hey, third perspective here, but what you can do is, at runtime, read the config for a userid value and, when "creating" the users, set their ID to that value.
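To make the two halves of this thread concrete, here is an added example (not code from emberstack/docker-sftp or from anyone in this thread). It simulates the sequential UID/GID allocation the issue describes, resolves each container user to the host account that ends up owning its files, and then applies the suggestion from the last comment: pin the ids from the config so the host sees the intended owner. The `Uid`/`Gid` config keys, the `simulate_auto_allocation` starting id of 1001 and the `useradd`/`groupadd` lines are assumptions for illustration; the host `/etc/passwd` and `/etc/group` excerpts are constructed to match the tables in the issue.

```python
"""Simulate container-vs-host UID/GID mapping for a bind-mounted SFTP volume.

Constructed example; not part of emberstack/docker-sftp. The 'Uid'/'Gid'
config keys are an assumed extension of the config shown in the issue.
"""
import shlex

# Constructed host /etc/passwd and /etc/group excerpts mirroring the issue.
HOST_PASSWD = """\
root:x:1000:1000::/root:/bin/sh
admin1:x:1001:1001::/home/admin1:/bin/sh
admin2:x:1002:1002::/home/admin2:/bin/sh
user1:x:1003:1002::/home/user1:/bin/sh
user2:x:1004:1002::/home/user2:/bin/sh
"""
HOST_GROUP = """\
root:x:1000:
admin_grp:x:1001:admin1
user_grp:x:1002:admin2,user1,user2
"""

# The config exactly as posted in the issue (no ids pinned).
CONFIG = {"Users": [{"Username": "user1", "Password": "pass1"},
                    {"Username": "user2", "Password": "pass2"}]}

# The same config with ids pinned to the host's values (assumed keys).
PINNED = {"Users": [{"Username": "user1", "Password": "pass1", "Uid": 1003, "Gid": 1002},
                    {"Username": "user2", "Password": "pass2", "Uid": 1004, "Gid": 1002}]}


def parse_ids(text):
    """Map numeric id -> name from passwd/group-style lines (name:x:id:...)."""
    out = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        out[int(fields[2])] = fields[0]
    return out


def simulate_auto_allocation(config, first_id=1001):
    """Mimic sequential allocation: the n-th configured user gets uid = gid = first_id + n.
    The starting value is an assumption chosen to reproduce the issue's table."""
    return {u["Username"]: (first_id + i, first_id + i)
            for i, u in enumerate(config["Users"])}


def pinned_allocation(config):
    """Take ids from the config's (assumed) 'Uid'/'Gid' keys; Gid defaults to Uid."""
    return {u["Username"]: (u["Uid"], u.get("Gid", u["Uid"])) for u in config["Users"]}


def host_owner_of(container_ids, host_passwd=HOST_PASSWD, host_group=HOST_GROUP):
    """For each container user, the owner:group the host will show on files it writes.
    Unknown ids fall back to the bare number, as `ls -l` would display them."""
    users, groups = parse_ids(host_passwd), parse_ids(host_group)
    return {name: f"{users.get(uid, str(uid))}:{groups.get(gid, str(gid))}"
            for name, (uid, gid) in container_ids.items()}


def mismatches(mapping):
    """Container usernames whose files show up on the host under a different owner."""
    return sorted(name for name, owner in mapping.items() if owner.split(":")[0] != name)


def useradd_commands(config):
    """Shell lines an entrypoint could run to create users with pinned ids.
    A group is created once per distinct gid; later users just join it."""
    cmds, seen_gids = [], set()
    for u in config["Users"]:
        name = shlex.quote(u["Username"])
        uid, gid = u["Uid"], u.get("Gid", u["Uid"])
        if gid not in seen_gids:
            cmds.append(f"groupadd -g {gid} {name}")
            seen_gids.add(gid)
        cmds.append(f"useradd -M -u {uid} -g {gid} {name}")
    return cmds


if __name__ == "__main__":
    auto = host_owner_of(simulate_auto_allocation(CONFIG))
    print("auto-allocated:", auto, "mismatched:", mismatches(auto))
    pinned = host_owner_of(pinned_allocation(PINNED))
    print("pinned:", pinned, "mismatched:", mismatches(pinned))
    print("\n".join(useradd_commands(PINNED)))
```

With the issue's config, `host_owner_of` reproduces exactly the `admin1:admin_grp` and `admin2:user_grp` ownership the reporter observed; with the ids pinned, both users resolve to themselves on the host and `mismatches` is empty. The `useradd`/`groupadd` lines show the shape the "set their ID to that value" suggestion takes in an entrypoint, with the usual caveat that a pinned id still has to be chosen to match the host it will be mounted on.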