Permissions are not set properly
vemonet opened this issue
Installing ZSH in a Debian-based Docker container (jupyter/docker-stacks) with this script creates folders and files with wrong permissions.
In the Dockerfile, installing as root user:
RUN sh -c "$(wget -O- https://github.com/deluan/zsh-in-docker/releases/download/v1.1.1/zsh-in-docker.sh)" -- \
-t bira -p git
Then running /bin/zsh as a non-root user:
[oh-my-zsh] Insecure completion-dependent directories detected:
drwsrwsr-x. 1 root users 4096 Aug 27 08:18 /home/jovyan/.oh-my-zsh
drwsrwsr-x. 1 root users 8192 Aug 27 08:18 /home/jovyan/.oh-my-zsh/plugins
drwsrwsr-x. 1 root users 45 Aug 27 08:18 /home/jovyan/.oh-my-zsh/plugins/git
[oh-my-zsh] For safety, we will not load completions from these directories until
[oh-my-zsh] you fix their permissions and ownership and restart zsh.
[oh-my-zsh] See the above list for directories with group or other writability.
[oh-my-zsh] To fix your permissions you can do so by disabling
[oh-my-zsh] the write permission of "group" and "others" and making sure that the
[oh-my-zsh] owner of these directories is either root or your current user.
[oh-my-zsh] The following command may help:
[oh-my-zsh] compaudit | xargs chmod g-w,o-w
[oh-my-zsh] If the above didn't help or you want to skip the verification of
[oh-my-zsh] insecure directories you can set the variable ZSH_DISABLE_COMPFIX to
[oh-my-zsh] "true" before oh-my-zsh is sourced in your zshrc file.
Unfortunately the given compaudit command to fix the permissions cannot be run in the Dockerfile (it seems to work only when the ZSH shell is active, not available in bash, nor with /bin/zsh -c)
There might be a one-liner chmod to fix this, but I thought the goal of such a script was to avoid such basic issues with permissions
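The rule stated in the warning (no group or other write, owner is root or the current user) can be checked and applied without zsh. The following is an added example, not part of the issue or of zsh-in-docker: a POSIX sh approximation of that rule, not compaudit itself, usable from a Dockerfile RUN step. The function names are hypothetical and the sample tree is constructed.

```shell
#!/bin/sh
# Added example. Plain POSIX sh, so it runs where the zsh-only compaudit
# function is unavailable. It approximates the rule in the oh-my-zsh warning.

# list_insecure_dirs DIR
# Print directories under DIR that are group- or other-writable, or whose
# owner is neither root (uid 0) nor the user running this script.
list_insecure_dirs() {
    find "$1" -type d \( -perm -020 -o -perm -002 -o \
        \( ! -user 0 ! -user "$(id -u)" \) \) -print
}

# fix_insecure_modes DIR
# Remove group/other write from the offending directories only (the same
# change as "chmod g-w,o-w" in the warning). Ownership is reported by
# list_insecure_dirs but not changed here, since chown needs root.
# Returns 0 when nothing insecure remains, 1 otherwise.
fix_insecure_modes() {
    find "$1" -type d \( -perm -020 -o -perm -002 \) -exec chmod g-w,o-w {} +
    [ -z "$(list_insecure_dirs "$1")" ]
}

# Constructed sample tree mirroring the three directories in the warning,
# plus one directory (themes) whose mode is already acceptable.
make_sample_tree() {
    tree=$(mktemp -d) || return 1
    mkdir -p "$tree/.oh-my-zsh/plugins/git" "$tree/.oh-my-zsh/themes"
    chmod 775 "$tree/.oh-my-zsh" "$tree/.oh-my-zsh/plugins" \
        "$tree/.oh-my-zsh/plugins/git"
    chmod 755 "$tree/.oh-my-zsh/themes"
    printf '%s\n' "$tree"
}

# In a Dockerfile this would be called on the path from the warning, e.g.
#   fix_insecure_modes /home/jovyan/.oh-my-zsh
```

A non-zero return from fix_insecure_modes means a directory is still owned by some third user, which fails the image build at that step instead of surfacing later as the warning at shell start.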
That's weird, this should work as you can see from the provided Dockerfile example. Did you change the active user to the non-root user before running zsh-in-docker? Like this:
...
USER jovyan
RUN sh -c "$(wget -O- https://github.com/deluan/zsh-in-docker/releases/download/v1.1.1/zsh-in-docker.sh)"
...
Here are the permissions created by the sample Dockerfile (I cleared my cache and rebuilt it):
vscode in ~ ➜ id
uid=1000(vscode) gid=1000(vscode) groups=1000(vscode)
vscode in ~ ➜ pwd
/home/vscode
vscode in ~ ➜ ls -la
total 92
drwxr-xr-x 1 vscode vscode 4096 Aug 27 13:00 .
drwxr-xr-x 1 root root 4096 Aug 27 12:55 ..
-rw-r--r-- 1 vscode vscode 220 Apr 18 2019 .bash_logout
-rw-r--r-- 1 vscode vscode 3526 Apr 18 2019 .bashrc
drwxr-xr-x 1 vscode vscode 4096 Aug 27 12:55 .oh-my-zsh
-rw-r--r-- 1 vscode vscode 807 Apr 18 2019 .profile
-rw-r--r-- 1 vscode vscode 48216 Aug 27 12:55 .zcompdump-2b9bc150e500-5.7.1
-rw------- 1 vscode vscode 285 Aug 27 13:00 .zsh_history
-rw-r--r-- 1 vscode vscode 557 Aug 27 12:55 .zshrc
Hi @deluan, thanks for the help
I am actually changing the user from jovyan to root, then installing ZSH, then changing back from root to jovyan
Maybe it could be related to this?
You can find the complete Dockerfile here if you want more details: https://github.com/MaastrichtU-IDS/jupyterlab/blob/main/Dockerfile#L59
I will check in more detail the permissions I am getting in the final image next time I work on this image and share it there
Sorry for the delay.
If you plan to use the Docker container with a non-root user, you need to call the script with that user. Just make sure to install the sudo package OR to install git and curl packages (as root) before calling the script. See the sample Dockerfile for reference: https://github.com/deluan/zsh-in-docker/blob/master/Dockerfile
Hi @deluan, I tried a bit more to install ZSH in docker, in my case it is in a docker image from the jupyter/docker-stacks, a debian which comes with a few things already preinstalled such as sudo
And I am still getting an error with your script:
Installing Oh-My-Zsh with:
THEME = bira
PLUGINS =
###### Installing dependencies for ubuntu
/usr/bin/sudo
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
The command '/bin/bash -o pipefail -c sh -c "$(wget -O- https://github.com/deluan/zsh-in-docker/releases/download/v1.1.1/zsh-in-docker.sh)" -- -t bira' returned a non-zero code: 1
Note that the sudo installed on the jupyter/docker-stacks image does not require a password normally, but there might be some weird stuff going on with sudo. A lot of people/sysadmins have not understood the principle behind containers, they are pissed by the fact containers run as root, and they are trying to "fix" the "issue" by adding useless users inside containers (instead of securing the layer between the host and the container), unfortunately they don't do it properly and they usually just make the whole thing more unstable, without really adding any security...
Anyway, if that can help someone, here's how I solved it: installing it myself, here is an example with a custom ZSH theme. I just need to run chsh as root user, the rest run as the user I will use:
RUN sh -c "$(curl -fsSL https://raw.github.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"
RUN wget -O ~/.oh-my-zsh/custom/themes/vemonet_bira.zsh-theme https://raw.githubusercontent.com/vemonet/zsh-theme-biradate/master/zsh/vemonet_bira.zsh-theme
RUN sed -i 's/robbyrussell/vemonet_bira/g' ~/.zshrc
ENV SHELL=/bin/zsh
USER root
RUN chsh -s /bin/zsh
USER $NB_USER