How to fix permission denial for /dev/stdout when using su inside podman container ?
Environment
- RHEL 8.6 onwards
Issue
$ sudo podman exec container-name sh -c "id; su -c 'echo test > /dev/stdout' username"
bash: /dev/stdout: Permission denied
Resolution
- This issue is primarily caused by the use of su and this is how the latest versions of kernel behave
/dev/stdoutis a symlink to/proc/self/fd/1which in turn is a symlink to the terminal. This file is owned and writable by the user currently logged in. When an su is performed, the user is just switched but neither the permissions nor the ownership of the file is changed and the user that is switched to is unable to write to it- There may be few workarounds that avoids this issue
- Find ways to avoid using su and run the commands directly as the user that is logged in
- Make sure that all the user inside the container has appropriate permissions to write to the std files or at least stdout. This can be done by running a simple chmod command from the Containerfile when the image is built
- A group can be created, add the user to this group and assign sufficient permissions to this group so that the users in the group can write to the files
- Avoid the use of writing to
/dev/stdoutand directly print it to terminal using 'echo'
Root Cause
- Usage of su doesn't necessarily assign the required permission to the user
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Comments