[Error] Distrobox messes up file permissions when run in container #1642

Open
jpf91 opened this issue Dec 24, 2024 · 0 comments
Labels
bug Something isn't working

jpf91 commented Dec 24, 2024

Describe the bug

In a somewhat complex setup (see reproduction section), files that should be owned by root for some reason start to be owned by the user in the distrobox containers at some point:

distrobox enter fedora_d
ls -la /etc/ | grep sudoers
-r--r----- 1 jpfau  jpfau    4375 Dec 24 20:07 sudoers

To Reproduce

Setup

I use a docker-compose setup based on linuxserver-openssh (Alpine Linux). I use this configuration:

docker-compose.yml:

---
services:
  openssh-server:
    image: lscr.io/linuxserver/openssh-server:latest
    container_name: openssh-server
    hostname: shell
    privileged: true
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Berlin
      - PUBLIC_KEY_DIR=/pubkeys
      - SUDO_ACCESS=true
      - PASSWORD_ACCESS=false
      - USER_NAME=jpfau
      - LOG_STDOUT=
    volumes:
      - /var/mnt/ssd/openssh:/config
      - /var/home/core/config/openssh/init:/custom-cont-init.d:ro
      - /var/home/core/config/openssh/pubkeys:/pubkeys:ro
    ports:
      - 222:2222
    restart: unless-stopped

Here /var/mnt/ssd/openssh is where podman (run inside the container) will place its storage. /var/home/core/config/openssh/init contains a custom script to install distrobox and /var/home/core/config/openssh/pubkeys contains an SSH public key so that we can connect to the container. Adjust these paths to match your local setup.

distrobox.sh should be placed in /var/home/core/config/openssh/init to install distrobox on container creation:

#!/bin/bash

if ! [ -f /podman.installed ]; then
  echo "**** installing distrobox ****"
  apk add --no-cache distrobox libstdc++
  # https://wiki.alpinelinux.org/wiki/Podman
  echo "**** configuring podman ****"
  #sed 's/driver = "overlay"/driver = "vfs"/' -i /etc/containers/storage.conf
  echo "$USER_NAME:100000:65536" > /etc/subuid
  echo "$USER_NAME:100000:65536" > /etc/subgid
  touch /podman.installed
fi
mount --make-rshared /

Place an SSH public key into /var/home/core/config/openssh/pubkeys/mykey.pub so you can log in.

Reproducing the issue

First, start the container:

docker-compose up

Connect into the container using SSH. Then:

podman run --name fedora -it fedora:41 /bin/bash
exit

distrobox create -i fedora:41 fedora_d
distrobox enter fedora_d
exit

Stop the docker-compose command (CTRL+C). Then destroy the container and recreate it.

docker-compose rm
docker-compose up

Connect into the container using SSH again. Then:

podman ps -a
CONTAINER ID  IMAGE                                 COMMAND               CREATED         STATUS                      PORTS       NAMES
a5143ec72d8a  registry.fedoraproject.org/fedora:41  --verbose --name ...  12 minutes ago  Exited (143) 2 minutes ago              fedora_d
37b192a1b4f2  registry.fedoraproject.org/fedora:41  /bin/bash             11 minutes ago  Exited (0) 11 minutes ago               fedora

podman start fedora
fedora
podman exec -it fedora /bin/bash
ls -la /etc | grep sudoers
-r--r----- 1 root root   4375 Jul 20 00:00 sudoers
exit

But when using distrobox:

distrobox enter fedora_d
ls -la /etc/ | grep sudoers
-r--r----- 1 jpfau  jpfau    4375 Dec 24 20:07 sudoers

Expected behavior
Files in /etc should still be owned by root.

Logs
distrobox_enter.log

Desktop (please complete the following information):

  • podman 5.2.5
  • distrobox 1.7.2.0 installed using package manager
  • Host: Alpine Linux 3.20 Container (Inside Docker, on Fedora CoreOS 40)
@jpf91 jpf91 added the bug Something isn't working label Dec 24, 2024
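A diagnostic for the symptom reported above, added here and not part of the issue or of distrobox: it translates a uid through the container's user-namespace map (/proc/self/uid_map) and lists entries under a directory that are not owned by the expected uid, so the plain podman container and the distrobox container can be compared side by side. The function names map_uid, foreign_owned and report are made up for this example; it makes no claim about the cause of the bug.

```shell
#!/bin/sh
# Added diagnostic (not from the issue). Run it inside each container to compare.

# map_uid UID [MAPFILE]
# Translate a uid as seen inside the user namespace to the uid in the parent
# namespace. Each uid_map line is "inside_start outside_start count".
# Prints "unmapped" when no range covers the uid.
map_uid() {
  awk -v u="$1" '
    u >= $1 && u < $1 + $3 { print $2 + (u - $1); found = 1; exit }
    END { if (!found) print "unmapped" }
  ' "${2:-/proc/self/uid_map}"
}

# foreign_owned DIR [UID]
# Print every entry under DIR (same filesystem only) whose owner is not UID.
# UID defaults to 0, matching the expectation that /etc is root-owned.
foreign_owned() {
  find "$1" -xdev ! -user "${2:-0}" -print 2>/dev/null
}

# report DIR
# Show the active uid map, where uid 0 and the current uid land in the parent
# namespace, and the first entries under DIR that are not owned by uid 0.
report() {
  echo "uid_map (inside outside count):"
  cat /proc/self/uid_map
  echo "uid 0 maps to parent uid: $(map_uid 0)"
  echo "uid $(id -u) maps to parent uid: $(map_uid "$(id -u)")"
  echo "entries under $1 not owned by uid 0:"
  foreign_owned "$1" 0 | head -n 20
}

# Only produce output when asked, so the file can also be sourced.
if [ "${1:-}" = "--report" ]; then
  report "${2:-/etc}"
fi
```

Saved under any name and run as `sh <file> --report /etc` in both the `fedora` and `fedora_d` containers, the two outputs show whether the uid maps differ and which entries under /etc have lost root ownership.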