Feature Request: Disable chown on upload (support for rootless OpenShift)

[JZacharie]

Description
I'm running Filebrowser in a rootless container on OpenShift, where the container does not have permission to execute chown.
When uploading a file, the upload succeeds and the file is written to disk, but Filebrowser attempts to change file ownership, which fails due to OpenShift security constraints. This triggers an upload alert/error even though the file upload is successful.

I would like to request a way to disable the chown operation during file upload, ideally via an environment variable (e.g. FB_DISABLE_CHOWN=true).
This would allow rootless deployments on OpenShift / Kubernetes to run without unnecessary warnings.

I am willing to contribute a PR if this feature aligns with the project's direction — just want to confirm there is not already a config option for this.

Expected behaviour
File uploads should succeed without displaying warnings in environments where chown is not permitted.
When a dedicated option is enabled, Filebrowser should skip chown on uploaded files.

What is happening instead?

• File is uploaded successfully ✅
• Filebrowser tries to run chown ❌
• Upload UI shows an alert / warning ⚠️
• Logs include permission denied errors related to chown

(Note: I can provide exact logs once needed — their content relates to permission denied syscall on chown)

Additional context
This applies to rootless environments such as:

• OpenShift restricted SCC
• Podman rootless mode
• Kubernetes with security hardening where only fsGroup is allowed

Skipping chown is acceptable in my case because the Kubernetes security context already manages file permissions.

I am also preparing a Helm chart for Filebrowser deployment on OpenShift and can share it as reference.

How to reproduce?

1. Deploy Filebrowser on OpenShift using a rootless container (restricted SCC)
2. Attempt to upload a file via the web UI
3. File uploads, but UI shows an error/warning
4. Logs show chown permission denied messages

Files
I will share the Helm chart for the pilot deployment when needed.
(Upload logs available if required)

[gtsteffaniak]

What exactly is the chown related error? There is no change in ownership for any files, (no chown). But you can specify the ownership of the files on write:

filebrowser/backend/adapters/fs/fileutils/file.go

Lines 12 to 18 in 8b1bf3c

	var PermFile os.FileMode
	var PermDir os.FileMode
	func SetFsPermissions(PermFileOctal os.FileMode, PermDirOctal os.FileMode) {
	PermFile = PermFileOctal
	PermDir = PermDirOctal
	}

are you seeing this error?

could not move file from chunked folder to destination or something else.

This is probably more related to temp directory permissions than anything, you will probably need to mount a temp directory with permissions filebrowser can write to, see docs.

[JZacharie]

I manage the temporary files in an empty folder.

Below is the configuration.

OpenShift enforces a non-root capability and blocks all chown operations.

At the end, the files are uploaded, but an error occurs during the post-copy operation, specifically in the chown step.
The request is to add an environment variable to disable the SetFsPermissions function.

20251031-0636-36.5849449.mp4

Here is the sanitized deployment YAML:

---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: fb-admin
  labels:
    app.kubernetes.io/controller: main
    app.kubernetes.io/instance: fb-admin
    app.kubernetes.io/name: fb-admin
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/controller: main
      app.kubernetes.io/instance: fb-admin
      app.kubernetes.io/name: fb-admin
  template:
    metadata:
      creationTimestamp: null
      labels:
        app.kubernetes.io/controller: main
        app.kubernetes.io/instance: fb-admin
        app.kubernetes.io/name: fb-admin
    spec:
      restartPolicy: Always
      serviceAccountName: default
      schedulerName: default-scheduler
      enableServiceLinks: false
      terminationGracePeriodSeconds: 30
      securityContext: {}
      containers:
        - resources:
            limits:
              cpu: 500m
              memory: 1Gi
            requests:
              cpu: 250m
              memory: 512Mi
          terminationMessagePath: /dev/termination-log
          name: filebrowser
          env:
            - name: FILEBROWSER_ADMIN_PASSWORD
              value: '*****************'
            - name: FILEBROWSER_CONFIG
              value: /config/config.yaml
            - name: FILEBROWSER_DISABLE_AUTOMATIC_BACKUP
              value: 'true'
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - name: config
              readOnly: true
              mountPath: /config
            - name: root
              mountPath: /srv
            - name: tmp
              mountPath: /tmp
            - name: filebrowsertmp
              mountPath: /home/filebrowser/tmp
            - name: cache
              mountPath: /.cache
            - name: database
              mountPath: /home/filebrowser/data
          terminationMessagePolicy: File
          image: gtstef/filebrowser:beta'
      automountServiceAccountToken: true
      serviceAccount: default
      volumes:
        - name: root
          emptyDir: {}
        - name: filebrowsertmp
          emptyDir: {}
        - name: cache
          emptyDir: {}
        - name: tmp
          emptyDir: {}
        - name: config
          configMap:
            name: fb-admin
            defaultMode: 420
        - name: database
          persistentVolumeClaim:
            claimName: pvc-fb-admin-db
      dnsPolicy: ClusterFirst
  strategy:
    type: Recreate
  revisionHistoryLimit: 3
  progressDeadlineSeconds: 600
---
kind: Service
apiVersion: v1
metadata:
  name: fb-admin
spec:
  ipFamilies:
    - IPv4
  ports:
    - name: http
      protocol: TCP
      port: 8080
      targetPort: 8080
  internalTrafficPolicy: Cluster
  type: ClusterIP
  ipFamilyPolicy: SingleStack
  sessionAffinity: None
  selector:
    app.kubernetes.io/controller: main
    app.kubernetes.io/instance: fb-admin
    app.kubernetes.io/name: fb-admin
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: fb-admin
data:
  config.yaml: |
    server:
      minSearchLength: 3
      disableUpdateCheck: true
      numImageProcessors: 16
      socket: ""
      tlsKey: ""
      tlsCert: ""
      disablePreviews: false
      disablePreviewResize: false
      disableTypeDetectionByHeader: false
      port: 8080
      baseURL: "/"
      logging:
        - levels: "info|warning|error"
          apiLevels: ""
          output: ""
          noColors: false
          json: false
          utc: false
      database: "/home/filebrowser/data/database.db"
      sources:
        - path: "/srv"
          name: "users"
          config:
            denyByDefault: false
            private: false
            disabled: false
            indexingIntervalMinutes: 0
            disableIndexing: true
            conditionals:
              hidden: false
              ignoreHidden: false
              ignoreZeroSizeFolders: false
              rules:
            defaultUserScope: "/"
            defaultEnabled: true
            createUserDir: false
      externalUrl: ""
      internalUrl: "https://fb-***.com"
      cacheDir: "tmp"
      maxArchiveSize: 50
      filesystem:
        createFilePermission: "644"
        createDirectoryPermission: "755"
    auth:
      tokenExpirationHours: 2
      methods:
        proxy:
          enabled: false
          createUser: false
          header: ""
          logoutRedirectUrl: ""
        noauth: false
        password:
          enabled: true
          minLength: 5
          signup: false
          recaptcha:
            host: ""
            key: ""
            secret: ""
          enforcedOtp: false
        oidc:
          enabled: false
          clientId: ""
          clientSecret: ""
          issuerUrl: ""
          scopes: ""
          userIdentifier: ""
          disableVerifyTLS: false
          logoutRedirectUrl: ""
          createUser: false
          adminGroup: ""
          groupsClaim: ""
      # key: "**hidden**"
      # adminUsername: "**hidden**"
      # adminPassword: "**hidden**"
      totpSecret: ""
    frontend:
      name: "PASX core sbx users"
      disableDefaultLinks: true
      disableUsedPercentage: true
      externalLinks:
        - text: "Documentation"
          title: "View documentation"
          url: "https://docs.example.com"
      disableNavButtons: false
      styling:
        customCSS: ""
        lightBackground: "white"
        darkBackground: "#141D24"
        customThemes:
          alternative:
            description: "Reduce rounded corners"
            css: "reduce-rounded-corners.css"
          default:
            description: "The default theme"
            css: ""
      favicon: ""
      description: "Secure file sharing and storage for Acme Corporation"
    userDefaults:
      editorQuickSave: false
      hideSidebarFileActions: true
      disableQuickToggles: true
      disableSearchOptions: true
      stickySidebar: false
      darkMode: true
      locale: "en"
      viewMode: "normal"
      singleClick: false
      showHidden: false
      dateFormat: false
      gallerySize: 3
      themeColor: "var(--blue)"
      quickDownload: false
      disablePreviewExt: ""
      disableViewingExt: ""
      lockPassword: false
      disableSettings: true
      preview:
        disableHideSidebar: false
        highQuality: true
        image: true
        video: false
        motionVideoPreview: false
        office: false
        popup: false
        autoplayMedia: false
        defaultMediaPlayer: false
        folder: false
      permissions:
        api: false
        admin: false
        modify: true
        share: false
        realtime: false
        delete: true
        create: false
        download: true
      loginMethod: "password"
      disableUpdateNotifications: true
      deleteWithoutConfirming: false
      fileLoading:
        maxConcurrentUpload: 10
        uploadChunkSizeMb: 10
        clearAll: false
      disableOfficePreviewExt: ""
      disableOnlyOfficeExt: ".md .txt .pdf"
      customTheme: ""
      showSelectMultiple: false
      debugOffice: false
      defaultLandingPage: ""
    integrations:
      office:
        url: ""
        internalUrl: ""
        secret: ""
        viewOnly: false
      media:
        ffmpegPath: "ffmpeg"
        convert:
          imagePreview:
            heic: false
          videoPreview:
            3g2: true
            3gp: true
            asf: true
            avi: true
            f4v: true
            flv: true
            m2ts: true
            m4v: true
            mkv: true
            mov: true
            mp4: true
            mpeg: true
            mpg: true
            ogv: true
            ts: true
            vob: true
            webm: true
            wmv: true
        debug: false
        extractEmbeddedSubtitles: false

[JZacharie]

On the file system, the authentication is wide open, but the capability to perform chown operations is blocked.

The current configuration is likely:

filesystem:
createFilePermission: "644"
createDirectoryPermission: "755"

It probably needs to be patched to 777 to allow full access, considering that chown is blocked by env variable.

[gtsteffaniak]

Thanks for the additional info and error you see. Let me check what function might be calling chmod -- it's not from my code must be a std library like io.copy doing it. Maybe there's a way to work around this, I'll check

[HadrienKerlero]

@gtsteffaniak I've got the exact same issue.

I've got a "simple" docker setup, but I would like to have my user to have a specific guid, I set it up directly in my compose file as 1000:10000, but when I connect into my container, I can see that it's still using 1000:1000.
That may be the issue here.

[HadrienKerlero]

We may need a change in the Dockerfile

FROM alpine:latest
COPY --from=ffmpeg [ "/ffmpeg", "/ffprobe", "/usr/local/bin/" ]
ENV FILEBROWSER_FFMPEG_PATH="/usr/local/bin/"
ENV FILEBROWSER_DATABASE="/home/filebrowser/data/database.db"
ENV PATH="$PATH:/home/filebrowser"
RUN apk --no-cache add ca-certificates mailcap tzdata curl
RUN adduser -D -s /bin/true -u 1000 filebrowser
USER filebrowser

Maybe add some kind of PUID / PGID env variable support ?

[gtsteffaniak]

I am updating so file permissions are not altered, I see where it was happening.

[gtsteffaniak]

Can anyone confirm if 1.1.1 solves this?

[stalinCCCP415]

Yup, confirmed working on 1.1.1!

[gtsteffaniak]

Great thanks! I'll close this out and the related discussion.

Glad it got resolved quickly without problems