
Portable memory is not writable across host/container UID mismatches #141

@mostlydev

Summary

internal/driver/shared/PreparePortableMemory does not normalize permissions on pre-existing portable-memory directories and files.

Because Clawdapus bind-mounts host state into containers, the numeric host owner is preserved inside the container. That is expected. The bug is that Clawdapus leaves existing portable-memory content at owner-writable or owner-and-group-writable modes, such as 0775 for directories and 0644 for files, which are not writable when the runtime UID differs from the host UID that originally created the files.

Current Code

  • PreparePortableMemory calls os.MkdirAll(memoryDir, 0o777), but MkdirAll does not change the mode of an already existing directory, and even on first creation the requested mode is masked by the process umask, so a fresh directory typically ends up 0755.
  • Seeded files MEMORY.md and USER.md are created with 0o644.
  • Imported legacy files keep their original source permissions.
  • The helper returns without any normalization pass.

This helper is used across multiple drivers, including OpenClaw, Hermes, Nanobot, PicoClaw, MicroClaw, NanoClaw, and NullClaw.

Why This Is A Bug

Portable memory is supposed to survive driver changes and different container base images. That means the mount must remain writable even when the runtime user changes.

Today, if the host-side memory tree already exists and is owned by a different UID than the container runtime, the bind mount appears inside the container with that preserved numeric owner. With modes like 0775 and 0644, the agent can read memory but cannot create files (the directory has no write bit for that UID) or update existing ones such as session.md, MEMORY.md, or USER.md (0644 grants write only to the owner).

This presents as a permissions failure, but the root problem is Clawdapus not normalizing a UID-portable permission model for its own managed memory surface.

Reproduction

  1. Materialize a service so .claw-memory/<service>/memory exists on the host.
  2. Ensure the existing directory and files are owned by one UID and use typical modes such as 0775 for dirs and 0644 for files.
  3. Run the service in a container as a different UID.
  4. Attempt to create or update a file under /claw/memory from inside the container.

Observed

Writes fail with EACCES even though Clawdapus advertises the portable-memory mount as writable.

Expected

Clawdapus should normalize the permissions of the managed portable-memory tree on every materialization so the mount remains writable across host/container UID differences.

At minimum:

  • normalize portable-memory directories to a runtime-writable mode such as 0777
  • normalize regular files in the managed tree to a runtime-writable mode such as 0666
  • skip symlinks when normalizing
  • add regression coverage for pre-existing dirs/files, not just first-create behavior
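The following is an added example, not code from Clawdapus or from the issue author. It demonstrates both points above: MkdirAllKeepsMode shows that os.MkdirAll with 0o777 leaves a pre-existing directory's mode untouched, and NormalizePortableMemory is one way to implement the requested normalization pass (directories to 0777, regular files to 0666, symlinks skipped). The tree layout, file names, the target modes and the helper names are assumptions chosen for this example; the seeded tree, including a symlink that points outside the managed directory, is constructed inline.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Target modes taken from the "Expected" list above. These are assumptions for
// this example, not constants from the Clawdapus code base.
const (
	dirMode  = 0o777
	fileMode = 0o666
)

// NormalizePortableMemory walks root and rewrites permissions on every
// directory and regular file so a container running as a different UID can
// still create and update entries. Symlinks and other special entries are
// left untouched. Unlike the perm argument of os.MkdirAll, os.Chmod is not
// subject to the umask, so the requested mode is applied exactly.
func NormalizePortableMemory(root string) error {
	return filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		switch {
		case d.Type()&fs.ModeSymlink != 0:
			// Never chmod through a symlink: it may point outside the managed tree.
			return nil
		case d.IsDir():
			return os.Chmod(path, dirMode)
		case d.Type().IsRegular():
			return os.Chmod(path, fileMode)
		default:
			return nil
		}
	})
}

// Mode returns the permission bits of path without following symlinks.
func Mode(path string) (fs.FileMode, error) {
	fi, err := os.Lstat(path)
	if err != nil {
		return 0, err
	}
	return fi.Mode().Perm(), nil
}

// OtherWritable reports whether a UID that is neither the owner nor in the
// owning group can write to path, which is the property the bind mount needs.
func OtherWritable(path string) (bool, error) {
	m, err := Mode(path)
	if err != nil {
		return false, err
	}
	return m&0o002 != 0, nil
}

// SeedTree builds a constructed pre-existing portable-memory tree (the "before"
// state from the reproduction steps): a 0755 memory directory, 0644 seed files
// and a symlink pointing at a 0644 file outside the managed directory. Chmod is
// applied explicitly so the starting modes do not depend on the umask.
func SeedTree(root string) (memoryDir string, err error) {
	memoryDir = filepath.Join(root, ".claw-memory", "svc", "memory")
	if err = os.MkdirAll(memoryDir, 0o755); err != nil {
		return "", err
	}
	if err = os.Chmod(memoryDir, 0o755); err != nil {
		return "", err
	}
	outside := filepath.Join(root, "outside.md")
	for _, p := range []string{filepath.Join(memoryDir, "MEMORY.md"), filepath.Join(memoryDir, "USER.md"), outside} {
		if err = os.WriteFile(p, []byte("# "+filepath.Base(p)+"\n"), 0o644); err != nil {
			return "", err
		}
		if err = os.Chmod(p, 0o644); err != nil {
			return "", err
		}
	}
	if err = os.Symlink(outside, filepath.Join(memoryDir, "legacy.md")); err != nil {
		return "", err
	}
	return memoryDir, nil
}

// MkdirAllKeepsMode demonstrates the first "Current Code" bullet: MkdirAll with
// 0o777 on an existing directory returns nil and leaves its mode as it was.
func MkdirAllKeepsMode(dir string) (fs.FileMode, error) {
	if err := os.MkdirAll(dir, 0o777); err != nil {
		return 0, err
	}
	return Mode(dir)
}

func main() {
	root, err := os.MkdirTemp("", "claw-memory-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)

	memoryDir, err := SeedTree(root)
	if err != nil {
		panic(err)
	}
	m, _ := MkdirAllKeepsMode(memoryDir)
	fmt.Printf("after MkdirAll(0o777): memory dir mode %#o (unchanged)\n", m)

	if err := NormalizePortableMemory(memoryDir); err != nil {
		panic(err)
	}
	for _, p := range []string{memoryDir, filepath.Join(memoryDir, "MEMORY.md"), filepath.Join(root, "outside.md")} {
		m, _ := Mode(p)
		w, _ := OtherWritable(p)
		fmt.Printf("%-10s mode %#o other-writable=%v\n", filepath.Base(p), m, w)
	}
}
```

Two caveats for anyone wiring this into a materialization step: os.Chmod only succeeds for the file owner or a caller with CAP_FOWNER, so the pass has to run on the host as the user who owns the tree (or as root), not inside the container as the mismatched UID; and 0777 directories without the sticky bit let any local user rename or delete entries, so this is a trade-off against keeping host and container UIDs aligned or using ACLs.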

Scope

This is not a user-specific shell account naming problem. The preserved numeric owner on a bind mount is expected; the missing normalization in Clawdapus is the bug.
