
[Bug]: Running Stirling-PDF in docker with --user (rootless, unprivileged)

Open quentinus95 opened this issue 1 year ago • 5 comments

The Problem

Hello, I'm reopening a new issue as #508 was closed while not solved.

Quoting the previous ticket:

I would like to know if it could be possible to allow using the user Docker directive, instead of only the environment variables.

Current configuration requires running the container as root, and then trusting that it will switch to the specified UID/GID. This presents a security risk.

Could it be possible to allow the container to run as non-root? It was possible before version 0.13.

To be clear, as maybe the previous ticket was not precise enough: the current way, requiring PUID and PGID, does not fit those requirements, because it does not allow running this container rootless.

To run the container without root permissions, the following command should work:

docker run -it --user 2000 frooodle/s-pdf:latest

Running this command with the two environment variables does not work either.

openFile(logs/invalid-auths.log,true) call failed. java.io.FileNotFoundException: logs/invalid-auths.log (Permission denied)

Could it be possible to allow this container to run rootless?

Big thanks!

Version of Stirling-PDF

latest

Last Working Version of Stirling-PDF

0.13

quentinus95 avatar Jun 30 '24 16:06 quentinus95

Not sure if this helps you, but have you considered using podman? I'm using stirling pdf with a non-root user and it works fine.

jobritz avatar Jul 01 '24 11:07 jobritz

Assuming this is primarily a security issue and not because you don't have root access on your machine, couldn't you just use the userns remapping feature in docker? Inside the container root thinks it's root but it's actually dockremap, so if root breaks out it'll just be an unprivileged user.

Ironically Stirling using a non-root user to run the application caused me some confusion because it turns out that the stirlingpdfuser inside the container is what needs permissions to certs files, and not the "root" user.

Unspec7 avatar Oct 05 '24 22:10 Unspec7

Note: issue is still valid in 0.18.1

quentinus95 avatar May 16 '25 19:05 quentinus95

Not sure if this helps you, but have you considered using podman? I'm using stirling pdf with a non-root user and it works fine.

This worked OK except the container could not access the /tmp folder. As a result, uploading files became an issue.
I tried mounting /tmp and that didn't work either. This was 1 month back, so I'm working from memory.

tmjpugh avatar Jul 22 '25 16:07 tmjpugh

For anyone using podman, this setup worked for me:

podman run -d --name stirling-pdf --replace \
--user 1000:1000 \
--cap-drop=ALL \
--read-only \
-p 8080:8080 \
--mount=type=bind,src=./stirling-config,dst=/configs,U=true \
--mount=type=bind,src=./training-data,dst=/usr/share/tessdata \
--mount=type=tmpfs,dst=/tmp,U=true \
--mount=type=tmpfs,dst=/logs,U=true \
--mount=type=tmpfs,dst=/pipeline,U=true \
stirlingtools/stirling-pdf:1.5.0

Simon-official avatar Nov 05 '25 19:11 Simon-official
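A way to confirm that flags like --user and --cap-drop=ALL in the command above actually took effect, as an added example that is not part of any comment in this thread or of the Stirling-PDF project: the function reads /proc/<pid>/status text on stdin and fails if any UID/GID is 0 or any capability set is non-empty. The function names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read /proc/<pid>/status text on stdin
# and report whether the process is unprivileged. Returns 0 if so, 1 if not.
check_unprivileged() {
    status=$(cat)
    rc=0
    # Uid:/Gid: carry real, effective, saved and filesystem IDs; none may be 0.
    for key in Uid Gid; do
        ids=$(printf '%s\n' "$status" | awk -v k="$key:" '$1 == k { print $2, $3, $4, $5 }')
        [ -n "$ids" ] || { echo "FAIL: $key missing"; rc=1; continue; }
        for id in $ids; do
            if [ "$id" -eq 0 ]; then echo "FAIL: $key includes 0 ($ids)"; rc=1; break; fi
        done
    done
    # Hex bitmasks: a non-root UID already has empty CapPrm/CapEff, but the
    # bounding set (CapBnd) is only emptied by dropping all capabilities.
    for key in CapPrm CapEff CapBnd; do
        mask=$(printf '%s\n' "$status" | awk -v k="$key:" '$1 == k { print $2 }')
        case $mask in
            ''|*[!0]*) echo "FAIL: $key=$mask"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "OK: unprivileged"
    return "$rc"
}

# Constructed sample: non-root UID/GID, capabilities not dropped.
sample_user_only() {
    cat <<'EOF'
Uid:    2000    2000    2000    2000
Gid:    2000    2000    2000    2000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a80425fb
EOF
}

# Constructed sample: non-root UID/GID with every capability dropped.
sample_hardened() {
    cat <<'EOF'
Uid:    1000    1000    1000    1000
Gid:    1000    1000    1000    1000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000000000000000
EOF
}

sample_user_only | check_unprivileged || true
sample_hardened | check_unprivileged
```

For a running container, the input would be the contents of /proc/1/status read from inside it.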

Does anyone have a guide for 2.0?

AKhozya avatar Nov 26 '25 22:11 AKhozya