Description
The default user after building is cnb, with a uid of 1002. However, workspace is owned by 1001, a uid that doesn't exist! This is unaffected by the --uid flag to pack.
Expected Behavior
- uids that own files should exist.
- The pack build --uid flag should set the uid of the user.
- Maybe cnb should own the /workspace directory
Current Behavior
The uid that owns /workspace is not the uid of the user cnb; however, the group that owns /workspace is the group of cnb. Also, the uid that owns /workspace doesn't have an entry in /etc/passwd. Also, the --uid flag to pack doesn't affect this.
Steps to Reproduce
git clone -q https://github.com/paketo-buildpacks/sample
cd sample/php/builtin-server
pack build php-builtin-server-sample --buildpack paketo-buildpacks/php --builder paketobuildpacks/builder-jammy-full
…then…
$ docker inspect php-builtin-server-sample -f '{{.Config.User}}'
1002:1000
and
docker run --entrypoint bash --rm -ti php-builtin-server-sample -xc 'pwd; whoami; id -u; ls -adl .; grep -E "1001|cnb" /etc/passwd'
+ pwd
/workspace
+ whoami
cnb
+ id -u
1002
+ ls -adl .
drwxrwxrwx 3 1001 cnb 4096 Jan 1 1980 .
+ grep -E '1001|cnb' /etc/passwd
cnb:x:1002:1000::/home/cnb:/bin/bash
Also, even if you add --uid to the pack command…
$ pack build php-builtin-server-sample --uid 1001 --buildpack paketo-buildpacks/php --builder paketobuildpacks/builder-jammy-full
Warning: No schema version declared in project.toml, defaulting to schema version 0.1
Warning: Exporting to docker daemon (building without --publish) and daemon uses containerd storage; performance may be significantly degraded.
For more information, see https://github.com/buildpacks/pack/issues/2272.
latest: Pulling from paketobuildpacks/builder-jammy-full
Digest: sha256:4014fa6a257188f0c7049d6d5673a7bbc90596096838c90e47fb8836b723bf7d
Status: Image is up to date for paketobuildpacks/builder-jammy-full:latest
latest: Pulling from paketobuildpacks/run-jammy-full
Digest: sha256:973a46f5b648a718a1472cecca0403fb898d7c16d4fafe51931f05e06a9c2e9e
Status: Image is up to date for paketobuildpacks/run-jammy-full:latest
===> ANALYZING
Restoring data for SBOM from previous image
===> DETECTING
target distro name/version labels not found, reading /etc/os-release file
2 of 9 buildpacks participating
paketo-buildpacks/php-dist 2.3.25
paketo-buildpacks/php-builtin-server 0.4.39
===> RESTORING
Restoring metadata for "paketo-buildpacks/php-dist:php" from app image
===> BUILDING
target distro name/version labels not found, reading /etc/os-release file
Paketo Buildpack for PHP Distribution 2.3.25
Resolving PHP version
Candidate version sources (in priority order):
<unknown> -> ""
Selected PHP version (using <unknown>): 8.1.28
Version 8.1.28 of PHP is deprecated.
Migrate your application to a supported version of PHP.
Reusing cached layer /layers/paketo-buildpacks_php-dist/php
Paketo Buildpack for PHP Built-in Server 0.4.39
Assigning launch processes:
web (default): bash -c php -S 0.0.0.0:"${PORT:-80}" -t htdocs
===> EXPORTING
Reusing layer 'paketo-buildpacks/php-dist:php'
Reusing layer 'buildpacksio/lifecycle:launch.sbom'
Reused 1/1 app layer(s)
Reusing layer 'buildpacksio/lifecycle:launcher'
Reusing layer 'buildpacksio/lifecycle:config'
Reusing layer 'buildpacksio/lifecycle:process-types'
Adding label 'io.buildpacks.lifecycle.metadata'
Adding label 'io.buildpacks.build.metadata'
Adding label 'io.buildpacks.project.metadata'
Setting default process type 'web'
Saving php-builtin-server-sample...
*** Images (823e6e2ef918):
php-builtin-server-sample
Successfully built image php-builtin-server-sample
$ docker run --platform linux/amd64 --entrypoint bash --rm -ti php-builtin-server-sample -xc 'pwd; whoami; id -u; ls -adl .; grep -E "1001|cnb" /etc/passwd'
+ pwd
/workspace
+ whoami
cnb
+ id -u
1002
+ ls -adl .
drwxrwxrwx 3 1001 cnb 4096 Jan 1 1980 .
+ grep -E '1001|cnb' /etc/passwd
cnb:x:1002:1000::/home/cnb:/bin/bash
$ docker inspect php-builtin-server-sample -f '{{.Config.User}}'
1002:1000
Motivations
I have been trying to debug an issue with permissions on the built image. I'm not sure this uid strangeness directly affected the problem, but it seemed relevant and was at least a distraction and unexpected state.
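An added example, not part of the original issue or of pack/Paketo code: a shell function that runs the ownership check described in this report over text captured from an image, and shows which permission class the run user actually gets. The function name audit_owner and its argument layout are assumptions made for this example, and it considers only the primary gid from Config.User, not supplementary groups.

```shell
#!/bin/sh
# Added example: audit one directory's ownership against the image's run user.
# Inputs are text already captured from the image, so nothing here needs Docker:
#   $1 passwd file copied out of the image
#   $2 image Config.User as "uid:gid" (docker inspect -f '{{.Config.User}}')
#   $3 one numeric listing line for the directory (ls -ldn /workspace)
audit_owner() {
    passwd_file=$1 run_user=$2 ls_line=$3
    run_uid=${run_user%%:*}
    run_gid=${run_user#*:}
    # ls -ldn fields: mode links owner-uid group-gid size date... name
    set -- $ls_line
    mode=$1 owner_uid=$3 group_gid=$4

    # Does the owning uid have a passwd entry (third colon-separated field)?
    owner_name=$(awk -F: -v u="$owner_uid" '$3 == u { print $1; exit }' "$passwd_file")
    if [ -n "$owner_name" ]; then
        echo "owner: uid $owner_uid is $owner_name"
    else
        echo "owner: uid $owner_uid has no passwd entry"
    fi

    # Pick the permission class the kernel applies to a non-root run user:
    # owner bits if uids match, else group bits if gids match, else other bits.
    if [ "$run_uid" = "$owner_uid" ]; then
        class=owner bits=$(printf '%s' "$mode" | cut -c2-4)
    elif [ "$run_gid" = "$group_gid" ]; then
        class=group bits=$(printf '%s' "$mode" | cut -c5-7)
    else
        class=other bits=$(printf '%s' "$mode" | cut -c8-10)
    fi
    echo "access: run user $run_user uses $class bits ($bits)"

    # A world-writable directory lets any uid in the container change its contents.
    case $(printf '%s' "$mode" | cut -c9) in
        w) echo "mode: world-writable ($mode)" ;;
    esac
}
```

With the values from this report (run user 1002:1000, /workspace owned by uid 1001 and gid 1000, mode drwxrwxrwx), the function reports an owner with no passwd entry, access through the group bits, and a world-writable mode.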