
fix: handle UID 0 (root user) case in docker-entrypoint.sh#22

Merged
lroolle merged 8 commits into main from claude/issue-21-20250623_101208
Jun 23, 2025

Conversation

@lroolle (Member) commented Jun 23, 2025

Fixes #21 - docker-entrypoint.sh fails when host user is root (UID 0)

Changes

  • Fixed security vulnerability: handle UID=0 and GID=0 independently
  • Prevent container user getting root group (GID=0) when host UID≠0 but GID=0
  • Use fallback UID/GID 1000 for both root user and root group cases
  • Remove inaccurate file ownership warning message
  • Fix Claude Code Review CI authentication (OIDC token → direct GitHub token)

Security Fix

Addresses Cursor BugBot report: nested GID=0 check allowed security bypass where container claude user could be assigned root group privileges.

Testing

  • Logic validated in code review
  • CI authentication fixed
  • Requires testing with actual root user (sudo claude-yolo)

Generated with Claude Code

- Detect when host user is root (CLAUDE_UID=0) 
- Use fallback UID 1000 to avoid conflict with existing root user
- Also handle CLAUDE_GID=0 case with same fallback
- Display clear warning messages about fallback behavior
- Preserves security by still running as non-root in container
- Fixes "usermod: UID '0' already exists" error

Resolves #21

Co-authored-by: Eric Wang <lroolle@users.noreply.github.com>

@cursor cursor bot left a comment


Bug: Incorrect GID Fallback Causes Security Issues

The docker-entrypoint.sh script incorrectly nests the CLAUDE_GID=0 fallback logic within the CLAUDE_UID=0 check. This allows the container's claude user to be assigned GID=0 (root group) if the host user has GID=0 but a non-zero UID, creating a security risk and potentially causing "GID '0' already exists" errors. Furthermore, the warning message "files will be owned by root on host" is inaccurate; files created will be owned by UID 1000, not UID 0, when CLAUDE_UID is remapped.

docker-entrypoint.sh#L62-L71: https://github.com/lroolle/claude-code-yolo/blob/31346329e2a46a6dc6795cd534d6e468816333d1/docker-entrypoint.sh#L62-L71

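As an added illustration (not the project's docker-entrypoint.sh and not code from either comment above), the two control-flow shapes that the PR description and the BugBot report contrast, modelled as pure shell functions so the UID/GID decision can be checked without touching `usermod`. The fallback value 1000 comes from the PR; `FALLBACK_ID`, the function names, the warning wording and the printed `groupmod`/`usermod` command lines are assumptions of this example.

```shell
#!/bin/sh
# Added example: models the remapping decision an entrypoint makes from the
# host's CLAUDE_UID / CLAUDE_GID. Nothing here modifies the system; the
# resolved ids are echoed so they can be asserted on.

FALLBACK_ID=1000   # fallback from the PR; the name is this example's own

# Buggy shape described in the BugBot report: the GID=0 check lives inside
# the UID=0 branch, so a host user with UID!=0 but GID=0 keeps GID 0 and the
# container user lands in the root group.
nested_resolve() {
    uid="$1"; gid="$2"
    if [ "$uid" -eq 0 ]; then
        uid="$FALLBACK_ID"
        if [ "$gid" -eq 0 ]; then
            gid="$FALLBACK_ID"
        fi
    fi
    echo "$uid $gid"
}

# Fixed shape: UID and GID are checked independently, each with its own
# fallback and its own warning, so neither root id can leak through.
fixed_resolve() {
    uid="$1"; gid="$2"
    if [ "$uid" -eq 0 ]; then
        echo "warning: host UID 0 is root; using UID $FALLBACK_ID in container" >&2
        uid="$FALLBACK_ID"
    fi
    if [ "$gid" -eq 0 ]; then
        echo "warning: host GID 0 is root group; using GID $FALLBACK_ID in container" >&2
        gid="$FALLBACK_ID"
    fi
    echo "$uid $gid"
}

# Invariant the fix is meant to guarantee: the resolved pair never contains 0.
no_root_ids() {
    set -- $(fixed_resolve "$1" "$2")
    [ "$1" -ne 0 ] && [ "$2" -ne 0 ]
}

# The commands an entrypoint would run once ids are resolved. They are
# printed rather than executed so the example is safe to run anywhere.
plan_remap() {
    set -- $(fixed_resolve "$1" "$2")
    echo "groupmod -g $2 claude"
    echo "usermod -u $1 -g $2 claude"
}
```

Running `nested_resolve 1001 0` yields `1001 0`, the root-group leak the report describes, while `fixed_resolve 1001 0` yields `1001 1000`. Note that the 1000 fallback can still collide with an existing container user at that UID; the PR relies on the existing `usermod` handling for that collision rather than on this decision step.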

lroolle and others added 7 commits June 23, 2025 04:34
- Separate UID=0 and GID=0 checks to prevent security bypass
- Fix case where host user has UID≠0 but GID=0 (would assign root group)
- Remove inaccurate warning message about file ownership
- Addresses Cursor BugBot security vulnerability report

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

- Add github_token parameter to prevent OIDC token exchange errors
- Fixes 401 Unauthorized - Invalid OIDC token error in claude-review CI
- Action was trying to use GitHub App auth instead of direct token auth

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

- Remove obvious comments that don't add value
- Add missing dev log entry for root user handling fix

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

- Replace hardcoded 1000 fallback with dynamic search
- Find first available UID/GID starting from 1000
- Prevents collision with existing container users/groups
- More robust handling of edge cases

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

- Use UID/GID 1000 fallback for predictable file ownership
- Existing usermod logic handles UID collision properly
- Most host users are UID 1000, so this provides correct file ownership
- Simpler than dynamic search while achieving the goal

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

- Explain why UID 0 can't be reassigned (root user exists)
- Clarify security fix prevents root group assignment
- Note that 1000 fallback provides proper file ownership

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@lroolle lroolle merged commit 4caee3e into main Jun 23, 2025
2 checks passed