UPDATE 2023-08-28

The bug is now fixed; you only need to update to the newest version of Docker on affected systems!


Last night I tried to build a container running a Python application as a non-root user, and I stumbled onto a bug currently tracked as #2029523.

Example Dockerfile:

FROM alpine:latest

# Cache-busting variable (step 2/7 in the build output below)
ENV BUSTCACHE=3

RUN adduser -S -D -h /home/test test && ls -al /home/test

WORKDIR /home/test

COPY --chown=test:nogroup foo.txt foo.txt

USER test

RUN whoami && ls -al . && touch bar.txt

The file foo.txt is a plain text file containing only the single word ‘bar’.

When building this I received the following output:

Sending build context to Docker daemon  3.072kB
Step 1/7 : FROM alpine:latest
 ---> 0ac33e5f5afa
Step 2/7 : ENV BUSTCACHE=3
 ---> Running in 20d084e54de3
Removing intermediate container 20d084e54de3
 ---> 36cc74608666
Step 3/7 : RUN adduser -S -D -h /home/test test && ls -al /home/test
 ---> Running in a2c0f3d6d5c0
total 8
drwxr-sr-x    2 test     nogroup       4096 Aug 19 19:07 .
drwxr-xr-x    1 root     root          4096 Aug 19 19:07 ..
Removing intermediate container a2c0f3d6d5c0
 ---> f8088bc09622
Step 4/7 : WORKDIR /home/test
 ---> Running in 2fd8b443ca40
Removing intermediate container 2fd8b443ca40
 ---> 0f7bdf16cd55
Step 5/7 : COPY --chown=test:nogroup foo.txt foo.txt
 ---> 6522c1dc6c94
Step 6/7 : USER test
 ---> Running in c15ff0925394
Removing intermediate container c15ff0925394
 ---> 49f101815fc5
Step 7/7 : RUN whoami && ls -al . && touch bar.txt
 ---> Running in 2024b933af3f
total 12
drwxr-sr-x    1 root     root          4096 Aug 19 19:07 .
drwxr-xr-x    1 root     root          4096 Aug 19 19:07 ..
-rw-rw-r--    1 root     root             4 Aug 19 18:43 foo.txt
touch: bar.txt: Permission denied
The command '/bin/sh -c whoami && ls -al . && touch bar.txt' returned a non-zero code: 1

So for a reason I did not understand and could not circumvent in any way (I tried manually chowning, ADD instead of COPY, and so on), between steps 3 and 7 the home directory of the newly created user and its contents switch their owner to UID/GID 0 (aka root) instead of being owned by the user created in step 3.

I gave up after banging my head against this for about 90 minutes, still firmly believing that I had somehow messed up this rather common operation. But since I wasn’t ready to deploy yet anyway, I was fine with running as root inside the container for the time being.

Since I could not find anything helpful regarding the error via the usual sources, I tried another version bundled with Docker Desktop and found that the image built as expected.

I suggest checking whether you have used the exact build versions bundled with Ubuntu 20.04, 20.10.25-0ubuntu1~20.04.1 (focal), and 22.04, 20.10.25-0ubuntu1~22.04.1 (jammy), since having all files added to a container image owned by UID/GID 0 might have unwanted side effects. I will certainly do so on Monday.
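One way to script that check, as an added example that is not part of the original post: it flags the two build versions named above and lists entries in an `ls -al` listing that are not owned by the expected user and group. The function names, the `docker.io` package name and the `myimage` tag are assumptions; the sample listings are constructed from the build output shown earlier.

```shell
#!/bin/sh
# Added example: guard against the ownership regression described in this post.

# The two package builds named in the post as affected.
AFFECTED_VERSIONS="20.10.25-0ubuntu1~20.04.1 20.10.25-0ubuntu1~22.04.1"

# is_affected_version VERSION -> exit 0 if VERSION is one of the builds above.
is_affected_version() {
    for v in $AFFECTED_VERSIONS; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# wrong_owners USER GROUP: reads `ls -al` output on stdin and prints every
# entry (except the parent "..") not owned by USER:GROUP as "name owner:group".
# Exit status is 1 if anything was printed, 0 otherwise.
wrong_owners() {
    awk -v u="$1" -v g="$2" '
        NF < 9 || $NF == ".." { next }   # skip the "total N" line and the parent dir
        $3 != u || $4 != g { print $NF, $3 ":" $4; bad = 1 }
        END { exit bad + 0 }
    '
}

# Constructed sample: the step 7 listing from the build output in this post.
SAMPLE_BROKEN='total 12
drwxr-sr-x    1 root     root          4096 Aug 19 19:07 .
drwxr-xr-x    1 root     root          4096 Aug 19 19:07 ..
-rw-rw-r--    1 root     root             4 Aug 19 18:43 foo.txt'

# Constructed sample: the same listing with the ownership the Dockerfile asks for.
SAMPLE_FIXED='total 12
drwxr-sr-x    1 test     nogroup       4096 Aug 19 19:07 .
drwxr-xr-x    1 root     root          4096 Aug 19 19:07 ..
-rw-rw-r--    1 test     nogroup          4 Aug 19 18:43 foo.txt'

# Typical use (assumed package name "docker.io" and image tag "myimage"):
#   is_affected_version "$(dpkg-query -W -f='${Version}' docker.io)" && echo "update Docker"
#   docker run --rm myimage ls -al /home/test | wrong_owners test nogroup
```

Running `wrong_owners` against images already built on an affected host shows which of them carry root-owned files and need a rebuild after the update.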

So hopefully with this write-up I can save some people from wasting time and energy on this issue at build time.