We found an issue that occurs when running a Debian buster or Ubuntu disco image on an Ubuntu 16.04 host. If sed is run inside the container to modify a file, that file can no longer be read by non-root users, even though the permissions on it haven’t changed.
To reproduce the issue, run the following command:
docker run -it --rm --entrypoint bash debian:buster -c 'addgroup --system --gid 101 user \
&& adduser --system --disabled-login --ingroup user --no-create-home --home /nonexistent --gecos "user user" --shell /bin/false --uid 101 user \
&& sed -i "s/bash/bash/" /etc/bash.bashrc \
&& su -s /bin/bash -c "id;stat /etc/bash.bashrc;head -n1 /etc/bash.bashrc" user'
The last line of the output should be
# System-wide .bashrc file for interactive bash(1) shells.
but if the issue occurs, it will be
head: cannot open '/etc/bash.bashrc' for reading: Permission denied
This impacts at least Docker versions 18.06.1-ce, build e68fc7a and 19.03.4, build 9013bf583a.
It is not broken with Ubuntu kernel 4.4.0-154-generic #181-Ubuntu but is with 4.4.0-166-generic #195-Ubuntu.
Does this look like a bug in Docker, or should I report it to a different project?