[All platforms] /sandbox/.nemoclaw ownership changes from root:root to sandbox:sandbox at runtime

[zNeill]

Description

[Description]
/sandbox/.nemoclaw ownership changes from root:root (set by Dockerfile) to sandbox:sandbox at container runtime. This allows the sandbox user to create arbitrary files in the
.nemoclaw parent directory, bypassing the intended DAC protection layer.

[Environment]
Device: DGX (aarch64)
Kernel: 6.17.0-1008-nvidia
Node.js: v22.22.2
npm: 10.9.7
Docker: Docker Engine 29.1.3
OpenShell CLI: 0.0.24
NemoClaw: 0.1.0
OpenClaw: 2026.3.11 (29dc654)

[Steps to Reproduce]

1. nemoclaw onboard (complete full onboard flow)
2. nemoclaw my-assistant connect
3. ls -ld /sandbox/.nemoclaw

[Expected Result]
drwxr-xr-x root root (755, root-owned)

[Actual Result]
sandbox@my-assistant:~$ ls -ld /sandbox/.nemoclaw
drwxr-xr-x 3 sandbox sandbox 4096 Apr 8 08:41 /sandbox/.nemoclaw

[Root Cause Analysis]
Dockerfile sets chown root:root /sandbox/.nemoclaw — image build is correct.

Image-level verification (image built by docker build during nemoclaw onboard):
docker run --rm --entrypoint "" openshell/sandbox-from:1775637131 ls -ld /sandbox/.nemoclaw
drwxr-xr-x 1 root root 4096 ... /sandbox/.nemoclaw

However, ownership changes to sandbox:sandbox at runtime.

Bug Details

Field	Value
Priority	Unprioritized
Action	Dev - Open - To fix
Disposition	Open issue
Module	Machine Learning - NemoClaw
Keyword	NemoClaw, NEMOCLAW_GH_SYNC_APPROVAL, NemoClaw-SWQA-RelBlckr-Recommended, NemoClaw-SWQA-Test-Blocker

---

[NVB# 6059437]

[NVB#6059437]

[prekshivyas]

Mitigation

Pushed commit 29f44ca on the security/read-only-sandbox-filesystem branch (PR #1121).

Root cause: OpenShell's prepare_filesystem() chowns every read_write path to run_as_user at sandbox start. Since our policy lists /sandbox/.nemoclaw as read_write with run_as_user: sandbox, the root:root 755 set by the Dockerfile is flipped to sandbox:sandbox before the entrypoint runs.

Fix: Changed chmod 755 to chmod 1755 (sticky bit) on /sandbox/.nemoclaw in the Dockerfile. The sticky bit survives the ownership flip and prevents the sandbox user from renaming or deleting root-owned entries like blueprints/. Sandbox-owned subdirs (state/, migration/, snapshots/, staging/, config.json) remain writable as before.

Note: This mitigates the security impact but does not prevent the ownership change itself — that requires an OpenShell-side fix. Filed as NVIDIA/OpenShell#783 with a reference implementation.

[PrachiShevate-nv]

I followed the reproduce steps from nvbug and validated on the latest version for Nemoclaw v0.0.10. It still gives me the same results.

As per my discussion with Prekshi offline, this issue mitigates the impact and it doesnt fix it all because we need openshell to work on it. The blocker keywords are removed from the nvbug since this is not a blocker for release and will keep the bug open until openshell fixes this issue.

Results:
Version: Launch OpenClaw in an OpenShell sandbox. v0.0.10

Permissions in Sandbox:
Actual results:
sandbox@my-assistant:~$ ls -ld /sandbox/.nemoclaw/
drwxr-xr-t 7 sandbox sandbox 4096 Apr 9 18:32 /sandbox/.nemoclaw/

Expected results:
drwxr-xr-x root root (755, root-owned)