Setfacl not permitted with non-root user

I have a problem with ACL on docker debian container
First of all :

  • I’m using docker Desktop for Windows
  • I have check the storage driver, it is overlay2 (supposed to support ACL)
  • I’m working on a dbian:10 base image

In my dockerfile I create a non-root user, let’s say “admin”
During Dockerfile build I give the “admin” user the ACL rights rwx on a directory

setfacl -m u:admin:rwx /app
setfacl -d -m u:admin:rwx /app
and others subdirectories for managing app version thanks to app mecanism (old/current/next version)
setfacl -m u:admin:rwx /current
setfacl -d -m u:admin:rwx /current
setfacl -m u:admin:rwx /next
setfacl -d -m u:admin:rwx /next

Important to know, as they are done during build, they are executed as root user

As some folder operation have to be done by apache2 serveur (moving current to old and next to current and so on), I give the same permissions to users www-data

But when running the container, the application based on apache2 serveur is doing some renamming operation as www-data, I have some errors with the mv operation made by www-data thrown by application

In addition when I check the permissions, they looks good on app folder and subfolders
www-data:rwx and defaults
admin:rwx and defaults

When I try to do the same operation with admin user, I have the same errors even if thoerically I would have the permsissions to do it
Also, setting and resttings ACL permissions is giving et setfacl “Operation not permitted” aven if I have the rights to do it

Is there a specific permissions over RWX to manage permissions with ACL ? is it only root user that can do it ?

The workaround I already found is that moving/renaming folder one time with root user permit all others users with permissions to do it after. This “workaround renamings” can be done during build or when container is running. after that everything looks good
it looks that users that have the correct permissions are not correctly applied as soon as there is no special operation after first layer creation

What’s your thoughts about this problem ?

Thank you in advance

EDIT: in fact moving folder during build is not workarounding, I have to do it entrypoint when running so

Three days passed since you opened the topic, so I tried harder to undestand your questiony so you could get an answer finally, but I still dont fully understand. Can you create a small demo Dockerfile and docker run command that shows the error? I tried to follow your explanation about www-data and admin and what Apache 2 server has to do, but without an example, I am confused.

Thank you for your answer. Sorry to be not clear.
I’ll comeback as soon as possible with a simple example