Docker /app/gitea/gitea web runs as wrong user #2286

Closed
karelvanhecke opened this issue Aug 9, 2017 · 4 comments · Fixed by #2791

@karelvanhecke

karelvanhecke commented Aug 9, 2017

Why does /app/gitea/gitea web run as a different user instead of git?
Default docker configuration, no changes have been made.

docker top ed60eb5133ed

UID PID PPID C STIME TTY TIME CMD
root 2914 2896 0 17:53 ? 00:00:00 /bin/s6-svscan /etc/s6
root 2947 2914 0 17:53 ? 00:00:00 s6-supervise gitea
root 2948 2914 0 17:53 ? 00:00:00 s6-supervise openssh
root 2949 2914 0 17:53 ? 00:00:00 s6-supervise syslogd
root 2950 2948 0 17:53 ? 00:00:00 /usr/sbin/sshd -D
karel 2951 2947 0 17:53 ? 00:00:00 /app/gitea/gitea web
root 2952 2949 0 17:53 ? 00:00:00 /sbin/syslogd -nS -O-

@sapk
Member

sapk commented Aug 9, 2017

It runs as git inside the Docker container, that is git:x:1000:1000:Linux User,,,:/data/git:/bin/bash; on the host, the uid 1000 would (generally) map to the first user created.

To confirm, you can do docker exec -ti ed60eb5133ed ps -ef | grep gitea

We could provide a method to link the uid/gid of the git user inside the container to the git user of the host at container start-up via ENV. This would need a change to the start-up script.
The simplest way to do that could be to drop root privileges and run as a normal user. The docker run command provides an arg to map this normal user to the host uid/gid.

For reference/example, a used GitLab Docker image chose not to do it: sameersbn/docker-gitlab#101; others build their own image of gogs with the uid/gid of their host: https://gist.github.com/nrk/64e6d2fa17397204c5b232214c7fbd51

It's not really an issue but we could improve the method.
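
Why `docker top` on the host prints karel while the container sees git, as an added example (not code from the Gitea project or from this thread): the same numeric UID is resolved against two different passwd files. The host passwd entries, the container's root entry and the trimmed `docker top` rows are constructed sample data, and the function names are hypothetical.

```sh
#!/bin/sh
# Constructed sample data: host and container passwd files that share UID 1000.
HOST_PASSWD='root:x:0:0:root:/root:/bin/bash
karel:x:1000:1000:Karel:/home/karel:/bin/bash'
CONTAINER_PASSWD='root:x:0:0:root:/root:/bin/ash
git:x:1000:1000:Linux User,,,:/data/git:/bin/bash'
# Constructed sample: UID and CMD columns as `docker top` prints them on the host.
DOCKER_TOP='root /bin/s6-svscan /etc/s6
root /usr/sbin/sshd -D
karel /app/gitea/gitea web'

# uid_of NAME PASSWD_TEXT -> numeric UID for a login name
uid_of() {
    printf '%s\n' "$2" | awk -F: -v n="$1" '$1 == n { print $3; exit }'
}

# name_of UID PASSWD_TEXT -> login name for a UID, or the UID itself if unknown
name_of() {
    printf '%s\n' "$2" |
        awk -F: -v u="$1" '$3 == u { print $1; f = 1; exit } END { if (!f) print u }'
}

# container_view: turn each host-resolved row into "uid container-name cmd".
container_view() {
    printf '%s\n' "$DOCKER_TOP" | while read -r host_name cmd; do
        case "$host_name" in
            *[!0-9]*) uid=$(uid_of "$host_name" "$HOST_PASSWD") ;;
            *)        uid=$host_name ;;  # host had no passwd entry, already numeric
        esac
        printf '%s %s %s\n' "$uid" "$(name_of "$uid" "$CONTAINER_PASSWD")" "$cmd"
    done
}

# root_procs: commands that really run as UID 0, whatever name is displayed.
root_procs() {
    container_view | while read -r uid name cmd; do
        if [ "$uid" = 0 ]; then printf '%s\n' "$cmd"; fi
    done
}

container_view
```

The last row comes out as `1000 git /app/gitea/gitea web`: the kernel only tracks the number, and the name shown depends on which passwd file the tool reads.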

@lunny lunny added the type/question Issue needs no code to be fixed, only a description on how to fix it yourself. label Aug 10, 2017
@HenrikBengtsson
Contributor

HenrikBengtsson commented Oct 27, 2017

Just stumbled upon this problem myself and it took me a while to troubleshoot it (admitting I'm a Docker and Gitea rookie). However, I did figure out how to tweak master:docker/usr/bin/entrypoint as follows:

index a450d20..b374c5a 100755
--- a/docker/usr/bin/entrypoint
+++ b/docker/usr/bin/entrypoint
@@ -1,5 +1,16 @@
 #!/bin/sh
 
+## Change GID for USER?
+if [ -n "${USER_GID}" ] && [ "${USER_GID}" != "`id -g ${USER}`" ]; then
+    sed -i -e "s/^${USER}:\([^:]*\):[0-9]*/${USER}:\1:${USER_GID}/" /etc/group
+    sed -i -e "s/^${USER}:\([^:]*\):\([0-9]*\):[0-9]*/${USER}:\1:\2:${USER_GID}/" /etc/passwd
+fi
+
+## Change UID for USER?
+if [ -n "${USER_UID}" ] && [ "${USER_UID}" != "`id -u ${USER}`" ]; then
+    sed -i -e "s/^${USER}:\([^:]*\):[0-9]*:\([0-9]*\)/${USER}:\1:${USER_UID}:\2/" /etc/passwd
+fi
+
 for FOLDER in /data/gitea/conf /data/gitea/log /data/git /data/ssh; do
     mkdir -p ${FOLDER}
 done
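
Review bot: on the three sed lines, USER_GID and USER_UID are substituted into the replacement text as root with no check that they are plain decimal numbers, so a value containing `/`, `&` or a newline would corrupt /etc/passwd or /etc/group, and USER_UID=0 would silently turn the service account into a root-equivalent user. Suggest rejecting anything that is not all digits (for example a `case "${USER_UID}" in ''|*[!0-9]*) ... esac` guard, and the same for USER_GID) and refusing 0 before either file is edited. Smaller points in the same hunk: `${USER}` is unquoted inside the backticks and used unescaped as a regex, `$(...)` is preferable to backticks, and the /etc/group edit assumes the group carries the same name as ${USER}, which deserves a comment.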

After rebuilding:

$ make docker

I can launch Gitea with user git having any UID/GID of choice, e.g.

$ cid=$(docker run -d --name=gitea -p 10022:22 -p 10080:3000 -v /var/lib/gitea/data:/data -e USER_UID=1001 -e USER_GID=1002 gitea/gitea:latest); echo $cid
06fd8a8c95e6c659c2174819bafffa5e402b2e32f3385b58b221ba7191daad45
$ docker exec -i -t $cid id git
uid=1001(git) gid=1002(git) groups=1002(git),1002(git)
$ ls -ln /var/lib/gitea/data
total 12
drwxr-xr-x 3 1001 1002 4096 Oct 26 21:42 git
drwxr-xr-x 4 1001 1002 4096 Oct 26 21:42 gitea
drwx------ 2    0    0 4096 Oct 26 21:42 ssh

From @sapk's comment, I'm not sure whether this is something Gitea should support or not, but if so, I'm happy to submit a PR.

PS. I'm fairly new to Gitea and the Gitea community; sorry if I'm missing something obvious.

@sapk
Member

sapk commented Oct 27, 2017

@HenrikBengtsson that's a good solution that is used by other containers. In our case, the best solution is to drop root privileges that are needed to start the ssh server and use option -u of docker run.
In the meantime, your solution is good and is an improvement. If you want, make a PR.

@HenrikBengtsson
Contributor

Thanks for the clarification - I think I understand. In the meanwhile, PR #2791 sent.

@lunny lunny added this to the 1.3.0 milestone Nov 5, 2017
@lunny lunny added type/enhancement An improvement of existing functionality and removed type/question Issue needs no code to be fixed, only a description on how to fix it yourself. labels Nov 5, 2017
lunny pushed a commit that referenced this issue Feb 16, 2018
* Add info from #2286, minor fixes to YAML indentation

* Add space to make YAML valid again
@go-gitea go-gitea locked and limited conversation to collaborators Nov 23, 2020