permission denied for chown in entrypoint.sh #734
Description
The problem
Line 12 in entrypoint.sh fails with:
chown: cannot read directory '/home/.local/share/signal-cli': Permission denied
I just pasted the examples from this repo (and the signalbot python package) and they did not work. I always get the following error:
> sudo docker run -v /home/jp/projects/jo/ei:/home/.local/share/signal-cli bbernhard/signal-cli-rest-api:latest
+ set -e
+ [ -z /home/.local/share/signal-cli ]
+ usermod -u 1000 signal-api
usermod: no changes
+ groupmod -o -g 1000 signal-api
+ chown 1000:1000 -R /home/.local/share/signal-cli
chown: cannot read directory '/home/.local/share/signal-cli': Permission denied
I even edited the entrypoint.sh and build the image locally (with podman) so that I can get some more information. See the following commands:
> id
uid=1000(jp) gid=1000(jp) groups=1000(jp),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> ls -ln /home/jp/projects/jo
total 4
drwxr-xr-x. 1 1000 1000 0 11. Aug 14:58 ei/
-rw-r--r--. 1 1000 1000 589 11. Aug 15:10 Justfile
> head -n 19 ../scra/entrypoint.sh
#!/bin/sh
set -x
set -e
[ -z "${SIGNAL_CLI_CONFIG_DIR}" ] && echo "SIGNAL_CLI_CONFIG_DIR environmental variable needs to be set! Aborting!" && exit 1;
usermod -u ${SIGNAL_CLI_UID} signal-api
groupmod -o -g ${SIGNAL_CLI_GID} signal-api
# Fix permissions to ensure backward compatibility
echo "Hello World"
whoami
id
ls -la /home/.local/share
ls -lan /home/.local/share
ls -lan ${SIGNAL_CLI_CONFIG_DIR}/
chown ${SIGNAL_CLI_UID}:${SIGNAL_CLI_GID} -R ${SIGNAL_CLI_CONFIG_DIR}
> podman run -v /home/jp/projects/jo/ei:/home/.local/share/signal-cli custom-scra
+ set -e
+ [ -z /home/.local/share/signal-cli ]
+ usermod -u 1000 signal-api
usermod: no changes
+ groupmod -o -g 1000 signal-api
Hello World
+ echo Hello World
+ whoami
root
+ id
uid=0(root) gid=0(root) groups=0(root)
+ ls -la /home/.local/share
total 0
drwxr-xr-x. 1 root root 20 Aug 11 13:52 .
drwxr-xr-x. 1 root root 10 Aug 11 13:52 ..
drwxr-xr-x. 1 root root 0 Aug 11 12:58 signal-cli
+ ls -lan /home/.local/share
total 0
drwxr-xr-x. 1 0 0 20 Aug 11 13:52 .
drwxr-xr-x. 1 0 0 10 Aug 11 13:52 ..
drwxr-xr-x. 1 0 0 0 Aug 11 12:58 signal-cli
+ ls -lan /home/.local/share/signal-cli/
ls: cannot open directory '/home/.local/share/signal-cli/': Permission denied
I am convinced this is a me problem xD but I didn't find anything for the last 3 hours.
Here my specs
> sudo docker info
Client:
Version: 28.3.3
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: 0.26.1
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: 2.39.1
Path: /usr/libexec/docker/cli-plugins/docker-compose
Server:
Containers: 7
Running: 0
Paused: 0
Stopped: 7
Images: 2
Server Version: 28.3.3
Storage Driver: overlay2
Backing Filesystem: btrfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
CDI spec directories:
/etc/cdi
/var/run/cdi
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: /usr/bin/tini-static
containerd version: 1.fc42
runc version:
init version:
Security Options:
seccomp
Profile: builtin
selinux
cgroupns
Kernel Version: 6.15.9-201.fc42.x86_64
Operating System: Fedora Linux 42 (KDE Plasma Desktop Edition)
OSType: linux
Architecture: x86_64
CPUs: 16
Total Memory: 30.72GiB
Name: fedora-2.fritz.box
ID: 063410ab-b8b4-43f1-8d21-707d601b0c7f
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: false
Insecure Registries:
::1/128
127.0.0.0/8
Live Restore Enabled: false
> podman info
host:
arch: amd64
buildahVersion: 1.40.1
cgroupControllers:
- cpu
- io
- memory
- pids
cgroupManager: systemd
cgroupVersion: v2
conmon:
package: conmon-2.1.13-1.fc42.x86_64
path: /usr/bin/conmon
version: 'conmon version 2.1.13, commit: '
cpuUtilization:
idlePercent: 96.18
systemPercent: 1.45
userPercent: 2.38
cpus: 16
databaseBackend: sqlite
distribution:
distribution: fedora
variant: kde
version: "42"
eventLogger: journald
freeLocks: 2037
hostname: fedora-2.fritz.box
idMappings:
gidmap:
- container_id: 0
host_id: 1000
size: 1
- container_id: 1
host_id: 524288
size: 65536
uidmap:
- container_id: 0
host_id: 1000
size: 1
- container_id: 1
host_id: 524288
size: 65536
kernel: 6.15.9-201.fc42.x86_64
linkmode: dynamic
logDriver: journald
memFree: 6753775616
memTotal: 32989073408
networkBackend: netavark
networkBackendInfo:
backend: netavark
dns:
package: aardvark-dns-1.15.0-1.fc42.x86_64
path: /usr/libexec/podman/aardvark-dns
version: aardvark-dns 1.15.0
package: netavark-1.15.2-1.fc42.x86_64
path: /usr/libexec/podman/netavark
version: netavark 1.15.2
ociRuntime:
name: crun
package: crun-1.23.1-1.fc42.x86_64
path: /usr/bin/crun
version: |-
crun version 1.23.1
commit: d20b23dba05e822b93b82f2f34fd5dada433e0c2
rundir: /run/user/1000/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
os: linux
pasta:
executable: /usr/bin/pasta
package: passt-0^20250805.g309eefd-2.fc42.x86_64
version: |
pasta 0^20250805.g309eefd-2.fc42.x86_64
Copyright Red Hat
GNU General Public License, version 2 or later
<https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
remoteSocket:
exists: true
path: /run/user/1000/podman/podman.sock
rootlessNetworkCmd: pasta
security:
apparmorEnabled: false
capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
rootless: true
seccompEnabled: true
seccompProfilePath: /usr/share/containers/seccomp.json
selinuxEnabled: true
serviceIsRemote: false
slirp4netns:
executable: ""
package: ""
version: ""
swapFree: 62276886528
swapTotal: 62277017600
uptime: 13h 59m 11.00s (Approximately 0.54 days)
variant: ""
plugins:
authorization: null
log:
- k8s-file
- none
- passthrough
- journald
network:
- bridge
- macvlan
- ipvlan
volume:
- local
registries:
search:
- registry.fedoraproject.org
- registry.access.redhat.com
- docker.io
store:
configFile: /home/jp/.config/containers/storage.conf
containerStore:
number: 5
paused: 0
running: 0
stopped: 5
graphDriverName: overlay
graphOptions: {}
graphRoot: /home/jp/.local/share/containers/storage
graphRootAllocated: 214730539008
graphRootUsed: 81422860288
graphStatus:
Backing Filesystem: btrfs
Native Overlay Diff: "true"
Supports d_type: "true"
Supports shifting: "false"
Supports volatile: "true"
Using metacopy: "false"
imageCopyTmpDir: /var/tmp
imageStore:
number: 96
runRoot: /run/user/1000/containers
transientStore: false
volumePath: /home/jp/.local/share/containers/storage/volumes
version:
APIVersion: 5.5.2
BuildOrigin: Fedora Project
Built: 1750723200
BuiltTime: Tue Jun 24 02:00:00 2025
GitCommit: e7d8226745ba07a64b7176a7f128e4ef53225a0e
GoVersion: go1.24.4
Os: linux
OsArch: linux/amd64
Version: 5.5.2
Are you using the latest released version?
- Yes
Have you read the troubleshooting page?
- Yes
What type of installation are you running?
signal-cli-rest-api Docker Container
In which mode are you using the docker container?
Normal Mode
What's the architecture of your host system?
x86-64
Additional information
No response