
DAC_OVERRIDE is required to work properly #334

Open
Riktastic opened this issue Oct 25, 2022 · 2 comments

Comments

@Riktastic

Hi there! I am trying to upgrade the security of my docker-compose files by limiting capabilities. The problem I am facing is that many containers require DAC_OVERRIDE to work properly. I've tried to mitigate this by using SETUID/SETGID and CHOWN while setting the proper UID and GID in the docker-compose.yml. But whatever I try, I will always receive a "Permission denied". It works just fine without specifying any capability drops, and when specifying "drop all" while allowing DAC_OVERRIDE. Many containers will work properly without any capabilities: Navidrome, Audiobookshelf. But many require Postgres or MariaDB, and these two won't work without DAC_OVERRIDE, even when running them for the first time.

I'm scared about the damage DAC_OVERRIDE can cause.

Is there someone who is facing the same issue or might know a solution?

@AkihiroSuda
Member

Is this relevant to this repo?

@Riktastic
Author

Riktastic commented Nov 2, 2022

Hi there, I'm still trying to provide a proof-of-concept. Just to verify my theory: if my UIDMap starts at 16536 and I assign UID 2002 to my Docker container using the --user parameter, will it run as 16536 + 2002 and access files within a bind mount as 16536 + 2002? @AkihiroSuda
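The question above is really about how the kernel translates a container UID through a user namespace. The rule is in the `/proc/<pid>/uid_map` format: each line is `inside outside count`, and an inside UID `u` that falls within a line's range maps to `outside + (u - inside)`; a UID covered by no line is unmapped and shows up as `nobody` (65534). The script below is an added example, not code from this issue or from the project, and the mapping it uses is constructed in the shape rootless Docker / RootlessKit produce (the user's own UID on one line, the `/etc/subuid` range on the next) with made-up numbers; on a real host read the mapping from `/proc/<container-pid>/uid_map`.

```shell
#!/bin/sh
# Added example (not from the issue or the project): compute which host UID a
# container UID lands on, given mapping lines in /proc/<pid>/uid_map format
# ("inside outside count").

# map_uid CONTAINER_UID  (mapping lines on stdin)
# Prints the host UID, or returns 1 if the UID is not covered by any line
# (the kernel then reports it as the overflow UID, normally 65534 / nobody).
map_uid() {
  want=$1
  while read -r inside outside count; do
    [ -z "$inside" ] && continue
    case "$inside" in '#'*) continue ;; esac
    if [ "$want" -ge "$inside" ] && [ "$want" -lt $((inside + count)) ]; then
      echo $((outside + want - inside))
      return 0
    fi
  done
  return 1
}

# Constructed mapping (assumption, not taken from a real host): the unprivileged
# user running the daemon has UID 1000 and /etc/subuid grants 100000-165535.
SAMPLE_UID_MAP='0 1000 1
1 100000 65536'

# host_uid_for CONTAINER_UID: look the UID up in the constructed mapping.
host_uid_for() {
  printf '%s\n' "$SAMPLE_UID_MAP" | map_uid "$1"
}

for u in 0 1 2002 70000; do
  if h=$(host_uid_for "$u"); then
    echo "container uid $u -> host uid $h"
  else
    echo "container uid $u -> unmapped (appears as nobody on the host)"
  fi
done
```

The practical consequence for bind mounts is that the host-side owner of the files must be the translated UID, not the number passed to `--user`; `stat -c '%u' <file>` on the host, compared with `host_uid_for`, tells you whether a "Permission denied" is a mapping mismatch rather than a missing capability.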
