Unwritable JOHN_HOME causing permission problems in Docker/OCI container #31

Closed
2 of 3 tasks
Doctor-love opened this issue Apr 4, 2023 · 2 comments · Fixed by #32
Labels
enhancement New feature or request

Comments

@Doctor-love

Checklist

  • I've read and understood these instructions;
  • 👍 I've tested using latest bleeding package version from this repository.
  • 😕 I'm confused and I need guidance.

Problem description

JtR fails to execute cracking in Docker/container image due to permission problems:

$ docker run --rm --volume "${PWD}:/data" ghcr.io/openwall/john:rolling_J31 best --wordlist=/data/wordlist.txt /data/shadow.bak

best --wordlist=/data/wordlist.txt /data/shadow.bak
Will use /john/run/john-avx512bw
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Warning: only loading hashes of type "md5crypt", but also saw type "sha256crypt"
Use the "--format=sha256crypt" option to force loading hashes of that type instead
Warning: only loading hashes of type "md5crypt", but also saw type "sha512crypt"
Use the "--format=sha512crypt" option to force loading hashes of that type instead
Using default input encoding: UTF-8
open: /john/run/john.log: Permission denied

JOHN_HOME seems to be "/john/run". The default container user "JtR" (UID 1000) does not have write permission to this directory, causing execution to fail.

Build info

$ docker run --rm ghcr.io/openwall/john:rolling_J31 best --list=build-info

best --list=build-info
Will use /john/run/john-avx512bw
Version: 1.9.0-jumbo-1+bleeding-15b3b7c 2023-04-03 12:44:54 -0300
Build: linux-gnu 64-bit x86_64 AVX512BW AC OMP
SIMD: AVX512BW, interleaving: MD4:3 MD5:3 SHA1:1 SHA256:1 SHA512:1
CPU tests: AVX512BW
$JOHN is /john/run/
Format interface version: 14
Max. number of reported tunable costs: 4
Rec file version: REC4
Charset file version: CHR3
CHARSET_MIN: 1 (0x01)
CHARSET_MAX: 255 (0xff)
CHARSET_LENGTH: 24
SALT_HASH_SIZE: 1048576
SINGLE_IDX_MAX: 32768
SINGLE_BUF_MAX: 4294967295
Effective limit: Max. KPC 32768
Max. Markov mode level: 400
Max. Markov mode password length: 30
gcc version: 11.3.0
GNU libc version: 2.35 (loaded: 2.35)
Crypto library: OpenSSL
OpenSSL library version: 030000020
OpenSSL 3.0.2 15 Mar 2022
GMP library version: 6.2.1
File locking: fcntl()
fseek(): fseek
ftell(): ftell
fopen(): fopen
memmem(): System's
times(2) sysconf(_SC_CLK_TCK) is 100
Using times(2) for timers, resolution 10 ms
HR timer: clock_gettime(), latency 33 ns
Total physical host memory: 3827 MiB
Available physical host memory: 2583 MiB
Terminal locale string: C
Parsed terminal locale: UNDEF

$ docker image inspect ghcr.io/openwall/john:rolling_J31 | grep -F Id | tr -d ' '
"Id":"sha256:23d9759026815b746fcd2295314ec609920c99223ee73bc78ab92aede6249b1a",

claudioandre-br added the enhancement label Apr 4, 2023

@claudioandre-br
Member

Thank you for reporting. We will fix it.

As a workaround, please add the --user=root option, as seen below.

$ docker run --rm --user=root --volume "${PWD}:/data" ghcr.io/openwall/john best --wordlist=/data/wordlist /data/alltests.in
best --wordlist=/data/wordlist /data/alltests.in
Sorry, AVX512BW is required for this build
Sorry, AVX512F is required for this build
Will use /john/run/john-avx2
Warning: only loading hashes of type "descrypt", but also saw type "bsdicrypt"
Use the "--format=bsdicrypt" option to force loading hashes of that type instead
[...]
Using default input encoding: UTF-8
Loaded 7 password hashes with 5 different salts (1.4x same-salt boost) (descrypt, traditional crypt(3) [DES 256/256 AVX2])
Will run 8 OpenMP threads
Press Ctrl-C to abort, or send SIGUSR1 to john process for status
U*U***U*         (?)     
U*U***U          (?)     
U*U*U*U*         (?)     
                 (?)     
*U*U*U*U         (?)     
5g 0:00:00:00 DONE (2023-04-04 13:50) 125.0g/s 121375p/s 606875c/s 849625C/s -list=fo
Warning: passwords printed above might not be all those cracked
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

@claudioandre-br
Member

Thinking out loud.

In this case, I would like to have a 'private home' in a non 'system wide build'.

But, a system-wide build allows me to add the --volume "${PWD}:/home/JtR/.john" option which allows me to use and save .pot and .log in the host system. And that would be interesting.
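
Both the reported failure and the bind-mount idea above depend on whether UID 1000 can create files in the directory john writes to. As an added example (not from this thread or the project's own code), the shell function below decides that from a directory's owner, group and mode bits, so a host directory can be checked before it is mounted instead of falling back to --user=root. The function name, GID 1000 in the usage text, and the availability of GNU-style `stat -c` are assumptions.

```shell
#!/bin/sh
# Added example, not part of the john-packages repository.
# Decides from owner/group/mode bits whether UID:GID could create files
# in a directory (e.g. john.log, john.pot). Assumes GNU/busybox `stat -c`;
# ACLs, read-only mounts and user-namespace remapping are not considered.

can_write_as() {
    uid=$1 gid=$2 dir=$3
    [ -d "$dir" ] || return 2          # not a directory: distinct status
    # UID 0 normally bypasses mode bits (CAP_DAC_OVERRIDE), which is why
    # the --user=root workaround succeeds.
    [ "$uid" -eq 0 ] && return 0
    set -- $(stat -c '%u %g %a' "$dir")
    owner=$1 group=$2 mode=$(( 0$3 ))  # leading 0: parse %a as octal
    if [ "$uid" -eq "$owner" ]; then
        bits=$(( (mode >> 6) & 7 ))    # owner class
    elif [ "$gid" -eq "$group" ]; then
        bits=$(( (mode >> 3) & 7 ))    # group class
    else
        bits=$(( mode & 7 ))           # other class
    fi
    # Creating a file needs write AND search permission (w+x = 3).
    [ $(( bits & 3 )) -eq 3 ]
}

# Stand-alone use: ./check.sh 1000 1000 "$PWD"   (GID 1000 is assumed)
if [ "$#" -eq 3 ]; then
    if can_write_as "$1" "$2" "$3"; then
        echo "UID $1 can write to $3"
    else
        echo "UID $1 cannot write to $3: fix ownership/mode or mount a writable directory"
    fi
fi
```
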
