"setgroups" operation not permitted?
swquinn opened this issue · 5 comments
Hi, after installing su-exec on an Alpine-based image for Docker I tried running it and received the following output:
su-exec: setgroups: Operation not permitted
Below is a simple Dockerfile and test showing what I'm seeing.
Dockerfile
FROM alpine
RUN apk update
RUN apk add --no-cache bash su-exec \
&& rm -rf /var/cache/apk/*
# create the unprivileged www-data account (uid/gid 82)
RUN addgroup -g 82 -S www-data \
&& adduser -u 82 -D -S -G www-data www-data
# every later RUN step and the container's main process now run as uid 82
USER www-data
Command
# su-exec root /bin/bash
su-exec: setgroups: Operation not permitted
OK, so I think I just answered my own question. It looks like after installing su-exec it doesn't have the proper permissions to be able to execute under a different user. It looks like running chmod u+s /sbin/su-exec during the build gets everything working.
Sorry for wasting your time!
I don't think it is a good idea to chmod u+s it, as it means that any user could run as root. The purpose of this tool is to drop root permissions, not to elevate permissions. Use sudo if you need to elevate permissions.
Ah, interesting. OK. I guess I had misunderstood its usage when I read the example that used the command: su-exec root ...
Thanks for the clarification!
This issue should be closed since Dockerfile's USER directive is incompatible with su-exec.
This can be seen in the Best practices for building secure Docker images video. Without USER specified, docker exec container_name ps will run ps as root (~6 minutes in), but when USER is specified everything starts running as this user (~8 minutes in).
What's your solution @hlovdal to this then: moby/moby#2259
Obviously this won't work: https://denibertovic.com/posts/handling-permissions-with-docker-volumes/
The incompatibility is also not mentioned here: https://github.com/ncopa/su-exec
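The pattern the maintainer describes (start as root, drop to the service user) and the volume-ownership problem raised in the last two comments fit together in one entrypoint. The script below is an added example, not code from su-exec, from this issue's Dockerfile, or from the linked blog post. It assumes a service user named www-data, a bind-mounted data directory at /var/www/html, and that su-exec is on PATH; all three are placeholders. The Dockerfile that uses it omits the USER directive and sets ENTRYPOINT ["/entrypoint.sh"], so the container starts as root only long enough to fix ownership and hand off. The check on the current uid is what avoids the "setgroups: Operation not permitted" failure from this issue: su-exec calls setgroups(2), which needs CAP_SETGID, so it can only be used when the process is still root.

```shell
#!/bin/sh
# entrypoint.sh (added example; not the su-exec project's own code)
# Assumed placeholders: APP_USER=www-data, APP_DIR=/var/www/html, su-exec on PATH.
set -eu

APP_USER="${APP_USER:-www-data}"
APP_DIR="${APP_DIR:-/var/www/html}"

# launch_mode UID -> "drop" | "direct"
# Root (uid 0) still holds CAP_SETGID/CAP_SETUID, so it can hand off via su-exec.
# Any other uid cannot call setgroups(2) and must exec the command directly,
# otherwise su-exec fails with "setgroups: Operation not permitted".
launch_mode() {
  case "$1" in
    0) echo drop ;;
    *) echo direct ;;
  esac
}

# needs_chown CURRENT_OWNER WANTED_OWNER -> exit 0 when a chown is required.
# Kept as a pure comparison so the decision can be tested without touching the filesystem.
needs_chown() {
  [ "$1" != "$2" ]
}

main() {
  mode=$(launch_mode "$(id -u)")
  if [ "$mode" = drop ]; then
    # Bind-mounted volumes usually arrive owned by the host uid; fix that while
    # we are still root, but only when it is actually wrong (avoids a recursive
    # chown on every start).
    owner=$(stat -c %U "$APP_DIR" 2>/dev/null || echo unknown)
    if needs_chown "$owner" "$APP_USER"; then
      chown -R "$APP_USER" "$APP_DIR"
    fi
    # Drop root for good: su-exec replaces this shell with the command as APP_USER.
    exec su-exec "$APP_USER" "$@"
  fi
  # Already unprivileged (e.g. run with docker run --user): nothing to drop.
  exec "$@"
}

# Only run when invoked as the container entrypoint, not when sourced for testing.
case "${0##*/}" in
  entrypoint.sh) main "$@" ;;
esac
```

With this in place, setting chmod u+s on su-exec is unnecessary: the binary is only ever invoked by root, and the final process runs as www-data with no setuid path left in the image.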