[Bug]: entrypoint.sh misses chown for ui-tui/ and gateway/ when HERMES_UID is remapped

[lu0dan]

Bug Description

When HERMES_UID is set to a value different from the build-time 10000 (e.g. 99 to align with the host UID on Unraid/Synology), the entrypoint correctly remaps the hermes user's UID via usermod, but usermod -u only auto-updates ownership of files inside the user's home directory (/opt/data). Files under /opt/hermes/ui-tui/dist/ and /opt/hermes/gateway/ retain their original owner UID 10000, causing:

1. esbuild (via the TUI dashboard) fails to write to dist/ → EACCES
2. Python fails to create pycache directories under gateway/ → permission errors for lazy deps and runtime caching

Steps to Reproduce

1. Pull the image and set HERMES_UID=99 (or any value ≠ 10000):
   docker run -e HERMES_UID=99 -v /some/bind:/home/hermes/.hermes ghcr.io/nousresearch/hermes-agent
2. Observe that hermes user's UID is 99:

docker exec <container> id hermes
# uid=99(hermes) gid=100(users)

3. Check file ownership:

docker exec <container> ls -la /opt/hermes/ui-tui/dist/
# drwxr-xr-x 1 10000 10000 ...   ← still owned by build-time UID!
docker exec <container> ls -la /opt/hermes/gateway/
# drwxr-xr-x 1 10000 10000 ...   ← same

4. Try running the TUI or any Python code that writes to these directories → permission denied.

Expected Behavior

When HERMES_UID != 10000 (indicating a remap), the entrypoint should also chown $INSTALL_DIR/ui-tui/ and $INSTALL_DIR/gateway/ so the remapped user can write to them.

Actual Behavior

In docker/entrypoint.sh, the chown logic (around lines 35-44) only fixes ownership for:

• $HERMES_HOME (the bind-mounted data volume)
• $INSTALL_DIR/.venv (the Python virtual environment)

Affected Component

Tools (terminal, file ops, web, code execution, etc.)

Messaging Platform (if gateway-related)

No response

Debug Report

n/a

Operating System

Unraid 7.3.0

Python Version

3.13.5

Hermes Version

0.14.0

Additional Logs / Traceback (optional)

Root Cause Analysis (optional)

In docker/entrypoint.sh, the chown logic (around lines 35-44) only fixes ownership for:

• $HERMES_HOME (the bind-mounted data volume)
• $INSTALL_DIR/.venv (the Python virtual environment)

But it does not fix ownership for:

• $INSTALL_DIR/ui-tui/dist/ — written by esbuild at runtime
• $INSTALL_DIR/gateway/ — Python pycache directories created at runtime
• $INSTALL_DIR/node_modules/ — though less frequently written

The Dockerfile builds these directories with chown -R hermes:hermes (line 103), but at that point hermes is UID 10000. When the entrypoint later remaps hermes to a different UID, usermod -u only updates files inside the user's home directory (/opt/data), not arbitrary paths like /opt/hermes/*.

Proposed Fix (optional)

In docker/entrypoint.sh, add two more chown lines after line 44:

• chown -R hermes:hermes "$INSTALL_DIR/ui-tui" 2>/dev/null || true
• chown -R hermes:hermes "$INSTALL_DIR/gateway" 2>/dev/null || true

Are you willing to submit a PR for this?

• I'd like to fix this myself and submit a PR

[alt-glitch]

This is covered by existing open PRs:

• fix(docker): repair dashboard runtime perms for remapped uid #23497 — fixes entrypoint chown for remapped UID (ui-tui/node_modules)
• fix(docker/tui): chown ui-tui to hermes + actionable build error (#20500) #20509 — chown ui-tui to hermes + actionable build error

The gateway/ chown gap may need an incremental fix on top of those. Related: #15102 (merged, original HERMES_UID fix).

[cardtest15-coder]

🤖 Auto-Triage

• Label: bug
• Severity: high
• Suggested action: comment
• Summary: entrypoint.sh не выполняет chown для ui-tui/ и gateway/ при изменении HERMES_UID, что вызывает ошибки доступа

[Oruli]

@alt-glitch Trying to trace a bug that completely broke my setup, and I think it may be this.

Can you confirm this issue wasn't present in v2026.4.30? Because I've reverted to that and it works just fine again.

For me it removed my main platform being Matrix, complaining no pip packages were installed at all. Looks like everything stored in the mount has different permissions to the HERMES user 10000 so cannot access literally anything.

Quite the breaking change isn't it, hope this project doesn't turn into Openclaw!

[Oruli]

This issue is still holding me on the April release, @lu0dan still effecting your use case also?

2026.5.7

hermes  | Changing hermes UID to 1000
hermes  | Changing hermes GID to 1000
hermes  | Fixing ownership of /opt/data to hermes (1000)
hermes  | Dropping root privileges

latest

hermes  | /package/admin/s6-overlay/libexec/preinit: info: container permissions: uid=0 (root), euid=0, gid=0 (root), egid=0
hermes  | /package/admin/s6-overlay/libexec/preinit: info: /run permissions: uid=0 (root), gid=0 (root), perms=oxorgxgruxuwur
hermes  | s6-rc: info: service s6rc-oneshot-runner: starting
hermes  | s6-rc: info: service s6rc-oneshot-runner successfully started
hermes  | s6-rc: info: service fix-attrs: starting
hermes  | s6-rc: info: service fix-attrs successfully started
hermes  | s6-rc: info: service legacy-cont-init: starting
hermes  | cont-init: info: running /etc/cont-init.d/01-hermes-setup
hermes  | [stage2] Fixing ownership of /opt/data to hermes (10000)
hermes  | Syncing bundled skills into ~/.hermes/skills/ ...
hermes  | 
hermes  | Done: 0 new, 0 updated, 90 unchanged. 90 total bundled.
hermes  | [stage2] Setup complete; starting user services

[mberymon]

Yeah something broke with the addition of s6 and the changing of the entrypoint. I have the same issue and it's not reading my .env file either. I changed the hermes user id to 1000 in the Dockerfile and built a custom image for my use-case, however still couldn't get around it not reading .env. I rolled back the repo changes to the 0.14 release for now.

[Oruli]

@mberymon this is ridiculous, 100 issues now seemingly related to this root cause and nobody picking up on it??