Gossa requires dac_override for some reason #34

Open
jeslinmx opened this issue Sep 19, 2019 · 2 comments
Comments

@jeslinmx
Contributor

Following the recommendations on https://www.redhat.com/en/blog/secure-your-containers-one-weird-trick, I was seeing if I could secure my docker set-up a little by dropping all capabilities. This works fine on many containers without any changes, except those that bind to a port number below 1024 by default (since that requires net_bind_service).

For some reason, gossa is unable to make any changes to the volume mounted on /shared without dac_override (uploads and deletions just fail silently). From man 7 capabilities:

CAP_DAC_OVERRIDE
    Bypass file read, write, and execute permission checks. (DAC is an abbreviation of "discretionary access control".)

Now, I don't know much about capabilities or how Go writes files, but 2 things have got me confused:

  1. Other containers can make changes on docker volumes without dac_override
  2. I am running gossa as an unprivileged user, while privileges only apply to root (AFAIK dac_override is what allows root to mess around with files it does not own, even if the permissions do not allow it)

(I recognize this is probably not an issue with gossa but with my lack of understanding, so if anyone could indulge me with an explanation I would be extremely thankful)
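A small diagnostic, added here as an example and not code from gossa or from anyone in this thread, for checking the two things the question raises: whether the process's effective capability set actually contains CAP_DAC_OVERRIDE (parsed from /proc/self/status, bit 1 of the CapEff mask) and what error a write into the mounted directory really returns, rather than letting it fail silently. The /shared path and the probe file name are assumptions taken from the issue's description.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// dacOverrideEffective parses a /proc/<pid>/status body and reports whether
// CAP_DAC_OVERRIDE (bit 1 in linux/capability.h) is in the effective set.
func dacOverrideEffective(status string) (bool, error) {
	for _, line := range strings.Split(status, "\n") {
		if strings.HasPrefix(line, "CapEff:") {
			mask, err := strconv.ParseUint(strings.TrimSpace(line[len("CapEff:"):]), 16, 64)
			return mask&(1<<1) != 0, err
		}
	}
	return false, fmt.Errorf("no CapEff line in status")
}

// probeWrite creates and deletes a file in dir and returns the first error
// instead of discarding it, so a permission failure is reported, not silent.
func probeWrite(dir string) error {
	p := filepath.Join(dir, ".write-probe") // assumed probe name
	if err := os.WriteFile(p, []byte("probe\n"), 0o644); err != nil {
		return fmt.Errorf("write: %w", err)
	}
	if err := os.Remove(p); err != nil {
		return fmt.Errorf("remove: %w", err)
	}
	return nil
}

func main() {
	dir := "/shared" // the volume path from the issue; argv[1] overrides it
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	raw, err := os.ReadFile("/proc/self/status")
	if has, perr := dacOverrideEffective(string(raw)); err == nil && perr == nil {
		fmt.Printf("uid=%d CAP_DAC_OVERRIDE effective: %v\n", os.Getuid(), has)
	}
	if err := probeWrite(dir); err != nil {
		fmt.Fprintln(os.Stderr, "probe failed:", err) // e.g. "permission denied"
		os.Exit(1)
	}
	fmt.Println("write probe ok in", dir)
}
```

Run it inside the container as the same user gossa runs as, once with and once without `--cap-drop=ALL`, and compare the reported uid, capability bit and error text.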

@pldubouilh
Owner

Interesting - just throwing this out (untested): can you try using a plain ubuntu docker image (instead of alpine) with a gossa build with the cgo_enabled directive removed?

I'll merge your other PRs next week - probably along with the few other changes I did in #30 :)

@jeslinmx
Contributor Author

Testing: master...jeslinmx:hotfix

...nope, it doesn't work.
