Container user's uid/gid cannot be changed #25410

Closed
lonix1 opened this issue Jun 21, 2023 · 2 comments
@lonix1
Contributor

lonix1 commented Jun 21, 2023

Description

I followed the docs for an ssh shim passthrough.

The docs say the host and container users must have the same uid/gid. Since my host user gitea has uid/gid of 500, I set that in my docker-compose.yml:

services:
  gitea:
    # ...
    volumes:
      - /home/gitea/.ssh/:/data/git/.ssh/
      - gitea:/data/
    environment:
      - USER_UID=500
      - USER_GID=500

volumes:
  gitea:

The mapped .ssh directory has this (where gitea is 500:500 as above):

-rw------- 1 gitea gitea 825 Jun 21 06:40 authorized_keys

When I try to add an ssh key in the website, it shows an internal server error (500), and the logs show this:

2023/06/21 06:43:58 ...s/asymkey/ssh_key.go:86:addKey() [I] [SQL] INSERT INTO `public_key` (`owner_id`,`name`,`fingerprint`,`content`,`mode`,`type`,`login_source_id`,`created_unix`,`updated_unix`,`verified`) VALUES (?,?,?,?,?,?,?,?,?,?) [1 main SHA256:............redacted....................] - 156.153µs
2023/06/21 06:43:58 .../web/wrap_convert.go:46:func3() [I] [SQL] ROLLBACK [] - 59.49µs
2023/06/21 06:43:58 ...user/setting/keys.go:188:KeysPost() [E] AddPublicKey: addKey: open /data/git/.ssh/authorized_keys: permission denied

So the container's git user cannot access /data/git/.ssh/authorized_keys.

So I ran docker exec into the container, and ran $ id git, which gives:

uid=1000(git) gid=1000(git) groups=1000(git),1000(git)

So the container still uses the default uid/gid of 1000 instead of my 500 override. That's why it can't access the file.

Is this a bug?

Gitea Version

1.19.3

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

2.39.2

Operating System

debian

How are you running Gitea?

docker

Database

SQLite

@lonix1
Contributor Author

lonix1 commented Jun 21, 2023

UPDATE: problem found! 😄

The /data/git/.ssh/ directory and /data/git/.ssh/authorized_keys file must both have mode 1000:1000.

So:

  1. The error is misleading because it says AddPublicKey: addKey: open /data/git/.ssh/authorized_keys: permission denied and that sent me on a wild goose chase... it should say something like AddPublicKey: addKey: open /data/git/.ssh/: permission denied when the directory itself is inaccessible
  2. MORE IMPORTANT: the docs say that the git user on the host and container must have matching uid/gid but this isn't true. The directories and files on the host must have mode 1000:1000 regardless of the uid/gid of the host git user.

There are many related issues for this underlying problem, and people report "fixing it" by changing mode/permissions without really understanding what happens (and possibly weakening their security). So this is a widespread issue.
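A host-side pre-flight check for the mismatch diagnosed in this comment, added here as an example and not part of Gitea or its Docker image: it verifies that the bind-mounted .ssh directory and its authorized_keys file are owned by the uid:gid the container's git user actually has (1000:1000 in this thread, as reported by `id git` inside the container) and that neither grants group or world access. It assumes GNU `stat`; the function name and arguments are this example's own.

```shell
#!/bin/sh
# Pre-flight check for a host directory bind-mounted into a container that
# must be readable and writable by the container's git user.
# Added example; not part of Gitea or its Docker image.
# Usage: check_ssh_mount <host_dir> <expected_uid> <expected_gid>
# Exit status 0 when <host_dir> and <host_dir>/authorized_keys are both owned
# by expected_uid:expected_gid and carry no group/other permission bits;
# 1 otherwise, with one diagnostic line per problem found.
check_ssh_mount() {
    dir=$1; want_uid=$2; want_gid=$3
    rc=0
    for p in "$dir" "$dir/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            rc=1
            continue
        fi
        # GNU stat: numeric owner uid, owner gid, permission bits in octal
        set -- $(stat -c '%u %g %a' "$p")
        uid=$1; gid=$2; mode=$3
        if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
            echo "wrong owner on $p: $uid:$gid, want $want_uid:$want_gid"
            rc=1
        fi
        # The last two octal digits are the group and other bits; both must be 0
        # (0700 for the directory, 0600 for authorized_keys, as in the report).
        case "$mode" in
            *00) ;;
            *) echo "too permissive: $p has mode $mode"
               rc=1 ;;
        esac
    done
    return "$rc"
}
```

Run it on the host as `check_ssh_mount /home/gitea/.ssh 1000 1000`, taking the numeric uid/gid from `docker exec <container> id git` rather than from the host's gitea user.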

@lonix1
Contributor Author

lonix1 commented Jun 23, 2023

Closing in favour of #23632.

@lonix1 lonix1 closed this as completed Jun 23, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 8, 2023