System.UnauthorizedAccessException in chiseled image when writing to file. #4482

lzandman · 2023-03-09T14:19:11Z

lzandman
Mar 9, 2023

I'm trying to run a .Net Core web app in the mcr.microsoft.com/dotnet/nightly/aspnet:7.0-jammy-chiseled chiseled container. It works fine when run in the regular mcr.microsoft.com/dotnet/aspnet:7.0 container. It also runs fine in the chiseled container when I use docker run -u root. But when run without -u root, I get an exception:

Unhandled exception. System.UnauthorizedAccessException: Access to the path '/ServerMock/my.key' is denied.
 ---> System.IO.IOException: Permission denied
   --- End of inner exception stack trace ---
   at Interop.ThrowExceptionForIoErrno(ErrorInfo errorInfo, String path, Boolean isDirError)
   at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String path, OpenFlags flags, Int32 mode, Func`4 createOpenException)
   at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String fullPath, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize, UnixFileMode openPermissions, Int64& fileLength, UnixFileMode& filePermissions, Func`4 createOpenException)
   at System.IO.File.OpenHandle(String path, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize)
   at System.IO.File.WriteToFile(String path, FileMode mode, String contents, Encoding encoding)
   at 

...

   at Program.<Main>$(String[] args) in /src/Program.cs:line 38

I think it should also be able to run as the non-root user (whose UID is 101, if I understand correctly).

I'm copying my app files using the --chown 101 argument and on the non-chiseled container I can see all permissions getting set properly. So the folder /ServerMock and its contents are owned by UID 101. That folder is also the current working directory. However, on the chiseled container there's no shell and no easy way, that I know of, to check file permissions.

Does anybody know a fix?

mthalman · 2023-03-09T14:29:18Z

mthalman
Mar 9, 2023
Maintainer

https://github.com/wagoodman/dive is a great tool for inspecting the file system, including permissions. That will allow you to target your chiseled container image.

Can you show how your Dockerfile is configured?

0 replies

biapar · 2024-08-01T20:01:28Z

biapar
Aug 1, 2024

Try this:

WORKDIR /app
COPY --from=publish /app/publish .
USER root
RUN chown -R $APP_UID:$APP_UID /app
USER $APP_UID
ENTRYPOINT ["dotnet", "xxxx.dll"]

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

System.UnauthorizedAccessException in chiseled image when writing to file. #4482

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

System.UnauthorizedAccessException in chiseled image when writing to file. #4482

Uh oh!

lzandman Mar 9, 2023

Replies: 2 comments

Uh oh!

mthalman Mar 9, 2023 Maintainer

Uh oh!

biapar Aug 1, 2024

lzandman
Mar 9, 2023

mthalman
Mar 9, 2023
Maintainer

biapar
Aug 1, 2024