Permissions for Persistent Storage Volumes
Some of the Docker containers read/write data to persistent storage volumes. They read/write using the UID/GID of the entrypoint process in the container.
Expected behavior
To allow for better access and administration of the files in these volumes, containers should ideally:
- Create files/directories with the owning group set to servlets
- Use a umask of 007: grants read/write permission to the owner and the servlets group
- Set the setgid bit on directories (i.e. a 2770 chmod(8) value)
Implementation
The UID and GID of the container actually do not matter as long as the umask(2) of the container's process can be set.
LinuxServer.io containers allow setting the umask using the UMASK environment variable.
To ensure files are created with the servlets GID, the root directory of each volume should have the setgid bit set. This ensures that files and directories created within the volume inherit the GID of their parent directory.
Services can have their own users on the host, or they can run as root. The UID/GID of the container does not matter as long as the umask is set. If it is not possible to specify a umask, run the container using the servlets GID. If using a custom UID, add the user to the servlets group.
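The following shell script is an added example, not part of the original page: it prepares a volume root the way the text describes (group servlets, mode 2770) and verifies that a subdirectory and file created under umask 007 inherit the group and the setgid bit. The group name is a parameter; the self-check uses one of the current user's own groups as a stand-in for servlets, since creating a real group needs root.

```shell
#!/bin/sh
# prepare_volume_root DIR GROUP: create DIR, hand it to GROUP and set 2770
# (rwxrws---: setgid so children inherit GROUP, no access for "other").
prepare_volume_root() {
    mkdir -p "$1" || return 1
    chgrp "$2" "$1" || return 1
    chmod 2770 "$1"
}

# mode_of PATH: octal mode including the setgid bit, e.g. 2770 (GNU/busybox stat).
mode_of() { stat -c '%a' "$1"; }

# group_of PATH: name of the owning group.
group_of() { stat -c '%G' "$1"; }

# write_with_umask DIR: act like a container entrypoint started with UMASK=007,
# creating a subdirectory and a file inside the volume.
write_with_umask() {
    ( umask 007 && mkdir "$1/sub" && touch "$1/sub/data.db" )
}

# check_volume DIR GROUP: succeed only if the setgid/umask scheme holds:
# root is 2770, the subdir inherited setgid (2770), the file is 660, and
# both carry GROUP rather than the creator's primary group.
check_volume() {
    dir=$1 grp=$2
    [ "$(mode_of "$dir")" = 2770 ] || return 1
    [ "$(mode_of "$dir/sub")" = 2770 ] || return 1
    [ "$(mode_of "$dir/sub/data.db")" = 660 ] || return 1
    [ "$(group_of "$dir/sub")" = "$grp" ] || return 1
    [ "$(group_of "$dir/sub/data.db")" = "$grp" ] || return 1
}

# demo: run the whole scheme in a temporary directory. The group is a
# constructed stand-in for "servlets": a supplementary group of the caller
# if one exists, otherwise the primary group.
demo() {
    grp=$(id -Gn | tr ' ' '\n' | grep -vx "$(id -gn)" | head -n 1)
    [ -n "$grp" ] || grp=$(id -gn)
    vol=$(mktemp -d)
    prepare_volume_root "$vol" "$grp" && write_with_umask "$vol" && check_volume "$vol" "$grp"
    rc=$?
    rm -rf "$vol"
    return $rc
}

# On the host, the prepared root is then mounted into a LinuxServer.io
# container, which applies the umask itself:
#   docker run -e UMASK=007 -v /path/to/volume:/config ...
```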