/permset

Simple Go-based permission setter for containers running as non root users

Primary LanguageGoMIT LicenseMIT

permset

Simple Go-based permission setter for containers running as non root users

Usage

When this binary is called with setuid root permissions it will attempt to recursively change ownership of the directory specified at compile time to the user calling the binary. This is intended for docker containers that you want to run as a non root user but may need to ensure their data folder is owned by the user in the container

Example docker file

FROM golang:1.17-bullseye as permset
WORKDIR /src
RUN git clone https://github.com/jacobalberty/permset.git /src && \
    mkdir -p /out && \
    go build -ldflags "-X main.chownDir=/data" -o /out/permset

FROM debian:bullseye
COPY --from=permset /out/permset /usr/local/bin/permset
RUN chown 0.0 /usr/local/bin/permset && \
    chmod +s /usr/local/bin/permset  && \
    mkdir /data

USER nobody

if you build then run this container then /data will initially be owned by root. If you then call /usr/local/data/permset inside the container then /data will be owned by nobody

Security

chownDir MUST be an absolute path, not a relative one and any symbolic links in the path will be ignored.