
When setting up and running a Docker instance, upon boot nginx gives a 403 Forbidden upon accessing static files.

In the Dockerfile, I use the COPY command to move all the files to /var/www/app, then I use the RUN command to chmod the static directory in order to enable the www-data user to read the files.

The Dockerfile looks like this:

...
COPY app /var/www/app
RUN chmod -R go+rX /var/www/app/static
...

Upon investigation (running bash interactively on the instance), I found that the www-data user cannot read the files or list the directories, unless the root user does it first. This is what I find really confusing - it's as if the listed permissions are completely ineffective until the root user looks over the files.

root@0e4b48a67a72:/# sudo -u www-data ls -la /var/www/app/static/js        
ls: cannot access /var/www/app/static/js: Permission denied
root@0e4b48a67a72:/# ls -la /var/www/app/static/js                  
total 100
drwxr-xr-x  2 root root  4096 Oct  9 02:40 .
drwxr-xr-x 10 root root  4096 Oct  9 02:40 ..
-rw-r--r--  1 root root 93868 Oct  6 13:39 jquery.js
root@0e4b48a67a72:/# sudo -u www-data ls -la /var/www/app/static/js
total 100
drwxr-xr-x  2 root root  4096 Oct  9 02:40 .
drwxr-xr-x 10 root root  4096 Oct  9 02:40 ..
-rw-r--r--  1 root root 93868 Oct  6 13:39 jquery.js

How can this be? Why does running ls cause the effective permissions to apparently change?

spble
  • FYI, if I change the permissions prior to building the Docker image, the issue doesn't occur. – spble Oct 09 '15 at 03:09

1 Answer


Did you use ADD in that Dockerfile? Avoid ADD, because after that instruction all new files and directories are created with a UID and GID of 0.

https://docs.docker.com/reference/builder/#add

Gomex
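A check that complements the `sudo -u www-data ls` test in the question, as an added example that is not part of the original posts: it walks every component of the static path and reports whether the "other" permission class can traverse and read it. The function name `check_other_access` and its optional `BASE` argument are assumptions made for this example, and it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example (not from the original post). Run as root inside the container.
# Walks each component of TARGET below BASE (default: /) and checks the "other"
# permission bits, the class www-data falls into for root:root files.
# Assumptions: GNU stat (coreutils). Only mode bits are inspected, so if this
# reports "ok" everywhere while `sudo -u www-data ls` still fails, the cause
# lies below the mode bits (ACLs, MAC policy, filesystem behaviour).
check_other_access() {
    target=$1
    base=${2:-}
    rest=${target#"$base"/}
    current=$base
    rc=0
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        [ -n "$part" ] || continue
        current="$current/$part"
        if [ ! -e "$current" ]; then
            echo "MISSING  $current"
            return 1
        fi
        mode=$(stat -c '%a' "$current")
        bits=${mode#"${mode%?}"}          # last octal digit = "other" class
        if [ ! -d "$current" ]; then
            need=4                        # read the file
        elif [ -z "$rest" ]; then
            need=5                        # list the final directory (r + x)
        else
            need=1                        # traverse an intermediate directory (x)
        fi
        if [ $(( bits & need )) -eq "$need" ]; then
            echo "ok       $mode $current"
        else
            echo "BLOCKED  $mode $current (other has $bits, needs $need)"
            rc=1
        fi
    done
    return "$rc"
}

# Usage in the container from the question:
#   check_other_access /var/www/app/static/js/jquery.js
```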