pantsbuild / pants

The Pants Build System
https://www.pantsbuild.org
Apache License 2.0

Docker environment may leave behind partially-root-owned sandboxes on Linux #18329

Open stuhood opened 1 year ago

stuhood commented 1 year ago

As reported in #18306 and mostly addressed in #18327, files in the sandbox bind mount may end up owned by root on Linux. To ensure that they can still be captured, #18327 made them readable, but they will not be able to be removed.

To avoid this problem, we might need to create a user in the container to chown them to. Alternatively, it's possible that a variant of the strategy originally employed by #18225 (tar-pipes) could be used to capture outputs as well, so that we skipped the bind mount entirely.
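An added example, not part of the issue thread or of Pants itself: a Python check that lists which sandbox entries a given uid cannot unlink, which is what leaves a partially-root-owned sandbox behind. The function names, the constructed directory tree and the stand-in uid (owner + 1) are assumptions; ACLs, capabilities and the sticky bit are ignored.

```python
import os
import stat
import tempfile


def can_modify_dir(st, uid, gids=()):
    """Classic Unix mode check: may `uid` add or remove entries in this dir?"""
    if uid == 0:
        return True
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return st.st_mode & need == need


def unremovable_entries(sandbox, uid, gids=()):
    """Sorted relative paths that `uid` cannot unlink from under `sandbox`.

    Unlinking needs write+search permission on the parent directory, not on
    the entry itself, so only children of foreign-owned directories are stuck.
    Assumption: ACLs, capabilities and the sticky bit are ignored.
    """
    blocked = []
    for dirpath, dirnames, filenames in os.walk(sandbox):
        if can_modify_dir(os.lstat(dirpath), uid, gids):
            continue
        for name in dirnames + filenames:
            blocked.append(os.path.relpath(os.path.join(dirpath, name), sandbox))
    return sorted(blocked)


def demo():
    """Constructed tree: the real owner plays root, owner+1 plays the user."""
    with tempfile.TemporaryDirectory() as sandbox:
        dist = os.path.join(sandbox, "dist")
        os.mkdir(dist)
        open(os.path.join(dist, "result.txt"), "w").close()
        os.chmod(sandbox, 0o777)  # user may edit the sandbox top level
        os.chmod(dist, 0o755)     # directory created by the container
        owner = os.lstat(dist).st_uid
        return (unremovable_entries(sandbox, owner),
                unremovable_entries(sandbox, owner + 1))


if __name__ == "__main__":
    print(demo())
```

The stuck entry is the file inside the foreign-owned directory; the directory itself can only be removed once it is empty, so it stays behind as well.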

stuhood commented 1 year ago

@illicitonion pointed out that https://docs.docker.com/engine/security/userns-remap/ may also be part of the solution here.