tianon/gosu

setuid: Operation not permitted

gimler opened this issue · 7 comments

system: sles 12 sp5

ENV GOSU_VERSION 1.14
RUN curl -L -o /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-i386"; \
  curl -L -o /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-i386.asc"; \
  export GNUPGHOME="$(mktemp -d)"; \
  gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
  gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
#  gpgconf --kill all; \
  rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
  chmod +x /usr/local/bin/gosu; \
  gosu --version;

# touch file to solve
# cron: can't open or create /run/cron.pid: Permission denied
RUN touch /run/cron.pid; \
    chown wwwrun /run/cron.pid

RUN ( \
    echo '* * * * * date > /proc/1/fd/1 2>&1' \
  ) | crontab -u wwwrun -

CMD ["gosu", "wwwrun", "cron", "-n"]

Error:

setuid: Operation not permitted

How can I run cron as wwwrun?

I'm really confused why you're doing chmod +s on your binary, especially if your goal is to run it as non-root? Adding the setuid bit to a binary is specifically for running a binary as root all the time.

Also, in your simplified example, gosu is overkill, and you can just use USER instead:

...
USER wwwrun
CMD ["cron", "-n"]

If you also run with --security-opt no-new-privileges then the setuid bit will cause an error instead of just silently running as root, which might be useful for you.

For more help, I'd suggest a dedicated support forum, such as the Docker Community Forums, the Docker Community Slack, or Stack Overflow.

@tianon I was trying to keep the code snippet as small as possible; sorry, I forgot a comment. The +s was only an attempt to solve the setuid problem.

# chmod u+s to solve
# setuid: Operation not permitted

I have removed this part.

We cannot set the user with USER wwwrun because we have some init scripts that must be run with root rights on container start.

So the question is: how can we fix the setuid: Operation not permitted error?
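The error in this thread comes from the setuid(2) call gosu makes, which fails with EPERM when the calling process does not hold CAP_SETUID (and setgid(2) likewise needs CAP_SETGID) in its effective capability set, regardless of whether the process is uid 0. The script below is an added diagnostic, not code from the gosu project or from either poster: it decodes the CapEff and NoNewPrivs fields of a /proc/PID/status file and reports which of the two capabilities is missing, so you can run it inside the container (as the same user and with the same flags the CMD gets) before blaming the binary. The two status snippets embedded in it are constructed samples; the a80425fb mask is Docker's default capability set, the empty mask represents a process already running unprivileged, and the hypothetical function names are mine.

```shell
#!/bin/sh
# Added example: explain a "setuid: Operation not permitted" from gosu by checking
# the effective capability set of a process. Capability bit numbers are the
# values from <linux/capability.h>: CAP_SETGID = 6, CAP_SETUID = 7.
CAP_SETGID=6
CAP_SETUID=7

# has_cap HEXMASK BIT -> prints 1 if bit BIT is set in the hex CapEff mask.
has_cap() {
    mask=$1; bit=$2
    echo $(( (0x$mask >> bit) & 1 ))
}

# cap_report HEXMASK -> "ok" if both caps gosu needs are present, otherwise
# "missing: <names>" (these are the syscalls gosu would fail on).
cap_report() {
    mask=$1
    missing=""
    [ "$(has_cap "$mask" "$CAP_SETGID")" = 1 ] || missing="$missing CAP_SETGID"
    [ "$(has_cap "$mask" "$CAP_SETUID")" = 1 ] || missing="$missing CAP_SETUID"
    if [ -z "$missing" ]; then echo "ok"; else echo "missing:$missing"; fi
}

# status_field FIELD [FILE] -> value of the "Field: value" line from a
# /proc/PID/status-style file (defaults to the current process).
status_field() {
    field=$1; file=${2:-/proc/self/status}
    awk -v f="$field:" '$1 == f { print $2 }' "$file"
}

# diagnose FILE -> one-line verdict for the process described by FILE.
diagnose() {
    file=$1
    eff=$(status_field CapEff "$file")
    nnp=$(status_field NoNewPrivs "$file")
    verdict=$(cap_report "$eff")
    # With no_new_privs set, a setuid bit on a binary no longer elevates, so a
    # "fix" via chmod u+s cannot work here either.
    if [ "$nnp" = 1 ]; then
        verdict="$verdict (no_new_privs set: setuid bits will not elevate)"
    fi
    echo "$verdict"
}

# Constructed sample status snippets (not captured from the reporter's host).
SAMPLE_ROOT='Uid: 0 0 0 0
CapEff: 00000000a80425fb
NoNewPrivs: 0'
SAMPLE_UNPRIV='Uid: 30 30 30 30
CapEff: 0000000000000000
NoNewPrivs: 1'

main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_ROOT" > "$tmp"
    echo "default root container: $(diagnose "$tmp")"
    printf '%s\n' "$SAMPLE_UNPRIV" > "$tmp"
    echo "already unprivileged:   $(diagnose "$tmp")"
    rm -f "$tmp"
    if [ -r /proc/self/status ]; then
        echo "this process:           $(diagnose /proc/self/status)"
    fi
}

main
```

Run it with `docker run --rm --entrypoint sh <image> ./capcheck.sh` using the same `--user`, `--cap-drop` and `--security-opt` flags as the failing container; if the verdict for "this process" lists a missing capability, gosu cannot switch users from that context, and the fix is in how the container is started (or in doing the root-only init before dropping to USER), not in the binary.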