From 7b4fa407dd5e0741684c4a347f2a465ee92a504c Mon Sep 17 00:00:00 2001
From: Olliver Schinagl
Date: Thu, 16 Oct 2025 15:41:30 +0200
Subject: [PATCH] Reduce need for privileged mode a bit more

Currently the general advice is to just use privileged mode with docker/compose. From a security point of view this is obviously undesirable.

One reason why privileged mode is needed is because some packages [0] incorrectly set permissions on their (`-rwxr-x--- 501:staff package.json`) file. One would rightfully argue that this doesn't matter, because docker runs as root and thus all permissions are granted anyway. However, when working with volumes this is no longer true: the docker user is mapped to some random UID, and within our container we now get a permission denied error, because our remapped root user no longer has access.

While we obviously should aim to fix this error upstream wherever possible, this could take years. Meanwhile, let's put the root user into the `staff` group, which seems to be the permissions set by these misbehaving packages. Obviously this will break again once upstream or debian changes the mapping/permission at a later time.

[0]: https://community.platformio.org/t/incorrect-permissions-for-several-packages-on-package-json/41733

Signed-off-by: Olliver Schinagl
---
 debian/Dockerfile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/debian/Dockerfile b/debian/Dockerfile
index 8bb1c03..68b576d 100644
--- a/debian/Dockerfile
+++ b/debian/Dockerfile
@@ -20,6 +20,8 @@ RUN \ /var/lib/apt/lists/* \ /usr/src/* +RUN usermod -U root -a -G staff + ENV UV_SYSTEM_PYTHON=true ENV PIP_ROOT_USER_ACTION=ignore
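Review bot: The `-U` flag in `RUN usermod -U root -a -G staff` unlocks the root account's password, which has nothing to do with the stated goal of adding root to the `staff` group and is not justified anywhere in the commit message; in a change meant to reduce reliance on privileged mode, unlocking root points the other way. Suggest `RUN usermod -a -G staff root`, plus a one-line comment in the Dockerfile referencing [0] so the workaround can be found and removed once upstream fixes the `501:staff` permissions the message describes.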