macOS, containers, umask and mounted volumes

  • Docker engine: 20.10.13
  • macOS: 11.6.5

My container writes files to a mounted volume and I am relying on umask 0002. Files written inside the container filesystem are written with the correct permissions but those on external volumes do not have group write permission. Is this enforced by the docker engine?

For me /data is a mounted volume but if I do this from within the container…

umask 0002

touch /data/blob
touch /tmp/blob
ls -l /data/blob
ls -l /tmp/blob

I get…

-rw-r--r-- 1 502 dialout 0 Apr 21 10:18 /data/blob
-rw-rw-r-- 1 502 dialout 0 Apr 21 10:18 /tmp/blob

I can change the permissions of a file on the mounted file-system, i.e. this works, it sets the permissions of the file on the mounted volume that I need…

chmod g+w /data/blob

But umask appears to be ignored.

Q. Why does /data/blob have the wrong permissions and can this be fixed?
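The check described above, as an added example that is not part of the original post: a small POSIX sh script that probes whether a directory honours the process umask (the post shows /data, a Docker Desktop mount, ignoring umask 0002 while /tmp honours it) and falls back to the explicit chmod g+w that the post reports does work. The directory and file paths are assumed to be passed as arguments, and either GNU stat (-c) or BSD stat (-f) is assumed to be available.

```shell
#!/bin/sh
# Added example, not code from the original post. Probes whether a directory
# honours the process umask and falls back to an explicit chmod if it does not.
# Assumptions: paths are passed as arguments; GNU stat (-c) or BSD stat (-f)
# is available.

# file_mode FILE: print the permission bits in octal (e.g. 664).
file_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"      # GNU coreutils (Linux containers)
    else
        stat -f '%Lp' "$1"     # BSD stat (macOS host)
    fi
}

# has_group_write FILE: succeed if the group write bit (octal 020) is set.
has_group_write() {
    m=$(file_mode "$1")
    [ $(( 0$m & 020 )) -ne 0 ]
}

# umask_honoured DIR: create a probe file under umask 0002 and succeed only
# if it ends up 0664, i.e. the filesystem applied the umask as expected.
umask_honoured() {
    probe="$1/.umask-probe.$$"
    rm -f "$probe"
    ( umask 0002; : > "$probe" )   # umask in a subshell so it does not leak
    m=$(file_mode "$probe")
    rm -f "$probe"
    [ $(( 0$m & 0777 )) -eq $(( 0664 )) ]
}

# write_group_writable FILE: create FILE under umask 0002; if the mount
# ignored the umask, set g+w explicitly. Succeed only if g+w is set at the end.
write_group_writable() {
    ( umask 0002; : > "$1" )
    if ! has_group_write "$1"; then
        echo "umask ignored for $1, applying chmod g+w" >&2
        chmod g+w "$1"
    fi
    has_group_write "$1"
}

# Usage, mirroring the check in the original post:
#   umask_honoured /data  || echo "/data ignores umask"
#   umask_honoured /tmp   && echo "/tmp honours umask"
#   write_group_writable /data/blob && ls -l /data/blob
```

Running umask_honoured against the mounted volume and against /tmp from inside the container reproduces the comparison in the post without leaving a probe file behind; write_group_writable is the defensive form for code that must produce group-writable files on a mount whose umask behaviour is not under its control.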

Hi Alan,

Did you find a solution for this?

I have the same issue on an M1 MacBook Pro running macOS 12.4 Monterey and Docker Desktop 4.11.1 (84025)

I suspect that allowing a container to dictate umask for a host volume is a security issue, but I'm not sure why then you can still chmod it