Docker: Why does the UID for www-data not match the host?

ℹ️ Support 📦 Appliances (Docker, Snappy, VM, NCP, AIO)
1

A bit new to Docker, trying to figure out how to handle permissions

www-data on the host has uid and gid 33:

user@host:~$ id www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)

But in the docker container, it is 82:

user@host:~$ docker exec --user www-data nextcloud-0 id
uid=82(www-data) gid=82(www-data) groups=82(www-data).

My ./nextcloud dir is owned by 82:root, as opposed to www-data because there is no user with gid 82 on the host machine, as seen on ls -l.

drwxr-xr-x 15 82 root 4096 Jan 25 09:27 nextcloud

What are the security implications of this? Should I take any measures to fix this? Is it a good idea to run as uid 33 from inside the container instead, and if so, how would I accomplish this?

Here is the nextcloud bit of my docker-compose.yml

 nextcloud:
    image: nextcloud:fpm-alpine
    container_name: nextcloud-0
    restart: always
    networks:
      - web
      - nc
    depends_on:
      - mariadb
      - redis
    volumes:
      - ./nextcloud:/var/www/html
    # - ./nextcloud/log:/var/log/nextcloud
      - ./mariadb:/var/lib/mysql
      - /etc/localtime:/etc/localtime:ro
    environment:
      - MYSQL_HOST=mariadb
    env_file:
      - mariadb.env

Thanks to everyone in advance

2

use volumes. your volumes will be created below /var/lib/docker/volumes and will be handle by docker. so you don’t have to handle permissions.

the security idea of docker is to isolate processes and services. if an attacker from outside breaks into one container he can only access the data reachable by processes running in it. if you run additional services on your hosts and an attacker breaks into that service he can reach all data readable to him. if you mess up rights and ownership of directories and because of this they are shared among host and containers that will be your security implication.

/var/lib/docker/volumes is set to root:root 0700 and thus out of reach for normal user/processes on the host.

if you want to use a host directory just don’t care about the uid. linux doesn’t care either. ls -l looks only ugly to you. :wink:
using volumes would look like:

why to you want the mariadb datafiles inside the fpm container?

if you want to access your data on your host. you my use the - -datadir option while creating your nextcloud instance with occ maintenance:install. and map that container directory to a host directory.