Merge pull request #250 from jmtd/OPENJDK-533-passwd-perms

jmtd · web-flow · commit ae9651139c34 · 2021-12-07T09:38:35.000Z
OPENJDK-533: test $HOME/passwd can be written to
diff --git a/modules/run/artifacts/opt/jboss/container/java/run/run-java.sh b/modules/run/artifacts/opt/jboss/container/java/run/run-java.sh
@@ -220,7 +220,11 @@ get_exec_args() {
 # Ensure that the running UID has the "jboss" passwd metadata
 # XXX: Maybe we should make this an entrypoint for the image?
 function configure_passwd() {
-  sed "/^jboss/s/[^:]*/$(id -u)/3" /etc/passwd > "$HOME/passwd"
+  # OPENJDK-533: this file is only writeable if the image uses the
+  # nss_wrapper module. ubi8/openjdk-17 does not.
+  if [ -w "$HOME/passwd" ]; then
+    sed "/^jboss/s/[^:]*/$(id -u)/3" /etc/passwd > "$HOME/passwd"
+  fi
 }
 
 # Start JVM
diff --git a/modules/user/configure.sh b/modules/user/configure.sh
@@ -6,3 +6,7 @@ set -e
 # This ID is registered static ID for the JBoss EAP product
 # on RHEL which makes it safe to use.
 groupadd -r jboss -g 185 && useradd -u 185 -r -g root -G jboss -m -d /home/jboss -s /sbin/nologin -c "JBoss user" jboss
+
+# OPENJDK-533: Some container runtimes (Docker) will fail to start if
+# the running UID cannot chdir to $HOME
+chmod og+x /home/jboss
