Add `gid` and `uid` to tmpfs long-form mount options a la the current `mode` support #278
Comments
Ok so this is weird. Tried some extra experiments and got inconsistent results due to what appears to be a bug when using tmpfs in a bind mount:

Test 1: Non-hidden folders mounted two ways:
Results:

Test 2: Hidden and non-hidden folders mounted two ways each
Results:

Test 3: Same as previous, just doing the same thing again

Observations: This is interesting. It looks like the process works just fine on a fresh folder, but once the host OS has the folder the permissions get mangled. As a workaround, attempting to set the mode in the volume mount style fails because the engine doesn't yet have support for that option. e.g.:

Gives
Hi @kf6kjg 👋 Thank you for sharing this idea. Could you clarify what the concern is (if any) with using a permissive
Nothing practical considering this is a container, just principles - assuming the permissions of the corresponding file or folder on the host don't get changed. When searching for solutions before I posted here I did run across someone whose company infosec department had a problem with it, but I'm having trouble finding that comment now.
Maybe we can simply go with assuming that it never works out well if we skip 1990's bastion host security advice? Or, more specifically, it's rarely a great thing to leave a world readable/writeable/executable directory around if you don't need one. But the first bit is the more generalized view and the one I'd try to adhere to more.
I'm trying to use Docker Compose TMPFS mounts with a non-root user in a DevContainer setup. Since Docker automatically creates and mounts those as `root:root`, this is currently not possible short of utilizing a VERY permissive mode of `0777`.

Like #176 added `mode`, this proposes adding `gid` and `uid`. At the very least, add support for `gid` - since with `gid` and `mode` we can create a workable solution to the problem via setting the gid to the target user's group and setting a mode like `0770`.

Additional context:
With the following you should be able to launch and attempt to create a file in the tmpfs mount.

Example steps:

System info:
- MacOS 12.4
- Docker Desktop v4.12.0
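An added example (not from the issue text or the compose-spec project) of the long-form tmpfs mount the issue is talking about: a service running as a non-root user with a tmpfs whose permission bits are set through the existing `mode` option, and the `uid`/`gid` keys the issue proposes shown where they would sit. The service name, image, mount target and the uid/gid value 1000 are assumptions; `uid` and `gid` are the proposal only, so they are left commented out to keep the file valid against the spec as it stands, and with them absent the mount is still owned by `root:root`, which is exactly why `0777` is the only working `mode` today.

```yaml
# Added example, not the issue author's or the compose-spec project's own file.
# Assumptions: service "dev", image "debian:bookworm", the devcontainer user is
# uid 1000 / gid 1000, and the tmpfs is wanted at /workspace/.cache.
services:
  dev:
    image: debian:bookworm
    # Run as the non-root devcontainer user, not root.
    user: "1000:1000"
    # Probe: create a file in the tmpfs and show its ownership and mode.
    # With the tmpfs owned by root:root this only succeeds under mode 0777.
    command: sh -c 'touch /workspace/.cache/probe && ls -ln /workspace/.cache'
    volumes:
      - type: tmpfs
        target: /workspace/.cache
        tmpfs:
          # Supported today (added in #176): permission bits of the mount, octal.
          # Must be 0777 for uid 1000 to write while the mount is root:root.
          mode: 0777
          # Proposed in this issue (#278), NOT an accepted option yet.
          # With these, mode could be tightened to 0770 instead of 0777:
          # uid: 1000
          # gid: 1000
```

Run it with `docker compose up` and the `ls -ln` output shows the owner of the probe file as 1000:1000 while the directory itself is still 0:0; if you lower `mode` to `0770` without ownership support the `touch` fails with a permission error, which is the gap the proposed keys would close.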