deluan / zsh-in-docker

Install Zsh, Oh-My-Zsh and plugins inside a Docker container with one line!

Permissions are not set properly

vemonet opened this issue · comments

Installing ZSH in a Debian-based Docker container (jupyter/docker-stacks) with this script creates folders and files with wrong permissions.

In the Dockerfile installing as root user:

RUN sh -c "$(wget -O- https://github.com/deluan/zsh-in-docker/releases/download/v1.1.1/zsh-in-docker.sh)" -- \
    -t bira -p git 

Then running /bin/zsh as a non-root user:

[oh-my-zsh] Insecure completion-dependent directories detected:
drwsrwsr-x. 1 root users 4096 Aug 27 08:18 /home/jovyan/.oh-my-zsh
drwsrwsr-x. 1 root users 8192 Aug 27 08:18 /home/jovyan/.oh-my-zsh/plugins
drwsrwsr-x. 1 root users   45 Aug 27 08:18 /home/jovyan/.oh-my-zsh/plugins/git

[oh-my-zsh] For safety, we will not load completions from these directories until
[oh-my-zsh] you fix their permissions and ownership and restart zsh.
[oh-my-zsh] See the above list for directories with group or other writability.

[oh-my-zsh] To fix your permissions you can do so by disabling
[oh-my-zsh] the write permission of "group" and "others" and making sure that the
[oh-my-zsh] owner of these directories is either root or your current user.
[oh-my-zsh] The following command may help:
[oh-my-zsh]     compaudit | xargs chmod g-w,o-w

[oh-my-zsh] If the above didn't help or you want to skip the verification of
[oh-my-zsh] insecure directories you can set the variable ZSH_DISABLE_COMPFIX to
[oh-my-zsh] "true" before oh-my-zsh is sourced in your zshrc file.

Unfortunately, the given compaudit command to fix the permissions cannot be run in the Dockerfile (it seems to work only when the ZSH shell is active; it is not available in bash, nor with /bin/zsh -c).

There might be a one-liner chmod to fix this, but I thought the goal of such a script was to avoid such basic issues with permissions.
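Added example, not part of the original thread or of the zsh-in-docker project: a POSIX sh check that can run in a Dockerfile `RUN` step without an interactive zsh. It flags only the two conditions named in the oh-my-zsh message above (directories writable by group or others, or owned by neither root nor the target user); it is not compaudit itself, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a completion tree for the conditions oh-my-zsh
# complains about. Function names are hypothetical, not from any project.

# insecure_dirs ROOT UID [find actions...]
# Lists directories under ROOT that are group- or other-writable, or whose
# owner is neither root (uid 0) nor UID. Extra arguments replace the default
# -print action, so the same expression can drive a fix.
insecure_dirs() {
    root_dir=$1
    user_id=$2
    shift 2
    if [ "$#" -eq 0 ]; then
        set -- -print
    fi
    find "$root_dir" -type d \
        \( -perm -0020 -o -perm -0002 \
           -o ! \( -user 0 -o -user "$user_id" \) \) \
        "$@"
}

# fix_insecure_dirs ROOT UID
# Applies the same change as the suggested "chmod g-w,o-w" to every flagged
# directory. Ownership problems are not changed here: they need a chown run
# as root, and still show up in a following insecure_dirs call.
fix_insecure_dirs() {
    insecure_dirs "$1" "$2" -exec chmod g-w,o-w {} +
}

# Typical use in a build step (paths and user are the ones from this thread):
#   fix_insecure_dirs /home/jovyan/.oh-my-zsh "$(id -u jovyan)"
#   [ -z "$(insecure_dirs /home/jovyan/.oh-my-zsh "$(id -u jovyan)")" ]
```

The second command in the usage comment fails the build step if anything is still flagged, which surfaces leftover ownership problems at build time instead of at the first shell start.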

That's weird, this should work as you can see from the provided Dockerfile example. Did you change the active user to the non-root user before running zsh-in-docker? Like this:

...
USER jovyan
RUN sh -c "$(wget -O- https://github.com/deluan/zsh-in-docker/releases/download/v1.1.1/zsh-in-docker.sh)"
...

Here are the permissions created by the sample Dockerfile (I cleared my cache and rebuilt it):

vscode in ~ ➜ id
uid=1000(vscode) gid=1000(vscode) groups=1000(vscode)
vscode in ~ ➜ pwd
/home/vscode
vscode in ~ ➜ ls -la
total 92
drwxr-xr-x 1 vscode vscode  4096 Aug 27 13:00 .
drwxr-xr-x 1 root   root    4096 Aug 27 12:55 ..
-rw-r--r-- 1 vscode vscode   220 Apr 18  2019 .bash_logout
-rw-r--r-- 1 vscode vscode  3526 Apr 18  2019 .bashrc
drwxr-xr-x 1 vscode vscode  4096 Aug 27 12:55 .oh-my-zsh
-rw-r--r-- 1 vscode vscode   807 Apr 18  2019 .profile
-rw-r--r-- 1 vscode vscode 48216 Aug 27 12:55 .zcompdump-2b9bc150e500-5.7.1
-rw------- 1 vscode vscode   285 Aug 27 13:00 .zsh_history
-rw-r--r-- 1 vscode vscode   557 Aug 27 12:55 .zshrc

Hi @deluan, thanks for the help.

I am actually changing the user from jovyan to root, then installing ZSH, then changing back from root to jovyan.

Maybe it could be related to this?

You can find the complete Dockerfile here if you want more details: https://github.com/MaastrichtU-IDS/jupyterlab/blob/main/Dockerfile#L59

I will check the permissions I am getting in the final image in more detail next time I work on this image and share them here.

Sorry for the delay.

If you plan to use the Docker container with a non-root user, you need to call the script with that user. Just make sure to install the sudo package OR to install git and curl packages (as root) before calling the script. See the sample Dockerfile for reference: https://github.com/deluan/zsh-in-docker/blob/master/Dockerfile

Hi @deluan, I tried a bit more to install ZSH in Docker. In my case it is in a Docker image from jupyter/docker-stacks, a Debian which comes with a few things already preinstalled, such as sudo.

And I am still getting an error with your script:

Installing Oh-My-Zsh with:
  THEME   = bira
  PLUGINS = 

###### Installing dependencies for ubuntu
/usr/bin/sudo
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
The command '/bin/bash -o pipefail -c sh -c "$(wget -O- https://github.com/deluan/zsh-in-docker/releases/download/v1.1.1/zsh-in-docker.sh)" --     -t bira' returned a non-zero code: 1

Note that the sudo installed on the jupyter/docker-stacks image does not require a password normally, but there might be some weird stuff going on with sudo. A lot of people/sysadmins have not understood the principle behind containers; they are pissed by the fact that containers run as root, and they are trying to "fix" the "issue" by adding useless users inside containers (instead of securing the layer between the host and the container). Unfortunately they don't do it properly, and they usually just make the whole thing more unstable, without really adding any security...

Anyway, if that can help someone, here's how I solved it: installing it myself. Here is an example with a custom ZSH theme. I just need to run chsh as the root user; the rest runs as the user I will use:

RUN sh -c "$(curl -fsSL https://raw.github.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"
RUN wget -O ~/.oh-my-zsh/custom/themes/vemonet_bira.zsh-theme https://raw.githubusercontent.com/vemonet/zsh-theme-biradate/master/zsh/vemonet_bira.zsh-theme
RUN sed -i 's/robbyrussell/vemonet_bira/g' ~/.zshrc
ENV SHELL=/bin/zsh
USER root
RUN chsh -s /bin/zsh 
USER $NB_USER