Description
The Docker image sets files owned by root with restrictive permissions that prevent the nextjs user from reading them at runtime.
Affected Files
- `/app/docker-entrypoint.sh` — permissions `711` (owner rwx, others execute-only). `/bin/sh` needs to read the script to interpret it, but the `nextjs` user only has execute permission. Error: `/bin/sh: 0: cannot open /app/docker-entrypoint.sh: Permission denied`
- `/app/public/brand` and `/app/public/office-sprites/cc0-hero` — directories not readable/traversable by the `nextjs` user. Error: `EACCES: permission denied, scandir '/app/public/brand'`
- `/app/src/lib/schema.sql` — not readable by the `nextjs` user. Error: `EACCES: permission denied, open '/app/src/lib/schema.sql'`
Steps to Reproduce
```sh
docker run -d --name mc-test -p 3900:3000 -e PORT=3000 \
  ghcr.io/builderz-labs/mission-control:latest
docker logs mc-test
# Output: /bin/sh: 0: cannot open /app/docker-entrypoint.sh: Permission denied
```
Root Cause
The Dockerfile uses RUN chmod +x /app/docker-entrypoint.sh which sets the file to 711. Since the container runs as USER nextjs (not root), /bin/sh cannot read the script — it can only execute binaries, not interpret shell scripts with execute-only permission.
Similarly, files and directories under /app/public/ and /app/src/ are owned by root with no read permission for other users.
Suggested Fix
In the Dockerfile, before `USER nextjs`:
```dockerfile
RUN chmod 755 /app/docker-entrypoint.sh && \
    chmod -R a+rX /app/public/ /app/src/
```
Or more broadly:
```dockerfile
RUN chmod -R a+rX /app/
```
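The fix above is only verifiable by inspecting mode bits, since an image build runs as root and never hits the EACCES itself. The following audit is an added example, not code from the mission-control project or this issue: it lists every regular file that "others" cannot read and every directory that "others" cannot both read and search, which is exactly the set of paths that fails once the container drops to a non-root user. It builds a constructed stand-in for the `/app` layout with the modes reported here (711 entrypoint, 700 directory, 600 SQL file), audits it, applies the suggested `chmod -R a+rX`, and audits again. It assumes a POSIX `find` with octal `-perm -mode` and a writable temp directory.

```shell
#!/bin/sh
# Added example (not from the mission-control project): audit a tree for paths
# the non-root runtime user cannot use, so a Dockerfile RUN step or CI job can
# fail the build before USER nextjs ever sees a Permission denied.

# Print regular files lacking o+r (octal 004) and directories lacking o+rx
# (octal 005). Either produces EACCES at runtime for a user that is neither
# owner nor group member; an execute-only script also fails in /bin/sh,
# which must read the file to interpret it.
audit_world_readable() {
    root="$1"
    {
        find "$root" -type f ! -perm -004
        find "$root" -type d ! -perm -005
    } | sort
}

# Number of offending paths, suitable for a shell gate such as
#   [ "$(count_unreadable /app)" -eq 0 ] || exit 1
count_unreadable() {
    audit_world_readable "$1" | wc -l | tr -d ' '
}

# Constructed sample tree reproducing the modes from the issue. Every mode is
# set explicitly so the result does not depend on the caller's umask.
build_sample_tree() {
    tree=$(mktemp -d)
    chmod 755 "$tree"
    mkdir -p "$tree/public/brand" "$tree/src/lib"
    chmod 755 "$tree/public" "$tree/src" "$tree/src/lib"
    printf '#!/bin/sh\nexec node server.js\n' > "$tree/docker-entrypoint.sh"
    chmod 711 "$tree/docker-entrypoint.sh"      # execute-only: unreadable by others
    chmod 700 "$tree/public/brand"              # not traversable by others
    printf 'CREATE TABLE t (id INTEGER);\n' > "$tree/src/lib/schema.sql"
    chmod 600 "$tree/src/lib/schema.sql"        # not readable by others
    printf 'ok\n' > "$tree/readme.txt"
    chmod 644 "$tree/readme.txt"                # fine, should not be reported
    echo "$tree"
}

# Show the audit before and after the fix suggested in the issue.
demo() {
    tree=$(build_sample_tree)
    echo "before fix: $(count_unreadable "$tree") unreadable path(s)"
    audit_world_readable "$tree"
    chmod -R a+rX "$tree"
    chmod 755 "$tree/docker-entrypoint.sh"
    echo "after fix:  $(count_unreadable "$tree") unreadable path(s)"
    rm -rf "$tree"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run with `sh audit.sh demo` to see the three offending paths disappear after `chmod -R a+rX`. Using the uppercase `X` matters: it adds the search bit only to directories (and to files that are already executable), so data files such as `schema.sql` become readable without also becoming executable.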
Current Workaround
Override the entrypoint in docker-compose to fix permissions at runtime:
```yaml
user: root
entrypoint: /bin/sh
command:
  - -c
  - "chmod -R a+rX /app/ && chmod 755 /app/docker-entrypoint.sh && su -s /bin/sh nextjs -c '/app/docker-entrypoint.sh'"
```
Environment
- Image: latest (commit 69e89a9)
- Platform: arm64 (macOS)
- Docker Desktop 4.x