[NemoClaw][All platforms] /sandbox/.nemoclaw ownership changes from root:root to sandbox:sandbox at runtime

[zNeill]

Description

[Description]
/sandbox/.nemoclaw ownership changes from root:root (set by Dockerfile) to sandbox:sandbox at container runtime. This allows the sandbox user to create arbitrary files in the
.nemoclaw parent directory, bypassing the intended DAC protection layer.

[Environment]
Device: DGX (aarch64)
Kernel: 6.17.0-1008-nvidia
Node.js: v22.22.2
npm: 10.9.7
Docker: Docker Engine 29.1.3
OpenShell CLI: 0.0.24
NemoClaw: 0.1.0
OpenClaw: 2026.3.11 (29dc654)

[Steps to Reproduce]

1. nemoclaw onboard (complete full onboard flow)
2. nemoclaw my-assistant connect
3. ls -ld /sandbox/.nemoclaw

[Expected Result]
drwxr-xr-x root root (755, root-owned)

[Actual Result]
sandbox@my-assistant:~$ ls -ld /sandbox/.nemoclaw
drwxr-xr-x 3 sandbox sandbox 4096 Apr 8 08:41 /sandbox/.nemoclaw

[Root Cause Analysis]
Dockerfile sets chown root:root /sandbox/.nemoclaw — image build is correct.

Image-level verification (image built by docker build during nemoclaw onboard):
docker run --rm --entrypoint "" openshell/sandbox-from:1775637131 ls -ld /sandbox/.nemoclaw
drwxr-xr-x 1 root root 4096 ... /sandbox/.nemoclaw

However, ownership changes to sandbox:sandbox at runtime.

Bug Details

Field	Value
Priority	Unprioritized
Action	Dev - Open - To fix
Disposition	Open issue
Module	Machine Learning - NemoClaw
Keyword	NemoClaw, NEMOCLAW_GH_SYNC_APPROVAL, NemoClaw-SWQA-RelBlckr-Recommended, NemoClaw-SWQA-Test-Blocker

---

[NVB# 6059437]

[prekshivyas]

Mitigation

Pushed commit 29f44ca on the security/read-only-sandbox-filesystem branch (PR #1121).

Root cause: OpenShell's prepare_filesystem() chowns every read_write path to run_as_user at sandbox start. Since our policy lists /sandbox/.nemoclaw as read_write with run_as_user: sandbox, the root:root 755 set by the Dockerfile is flipped to sandbox:sandbox before the entrypoint runs.

Fix: Changed chmod 755 to chmod 1755 (sticky bit) on /sandbox/.nemoclaw in the Dockerfile. The sticky bit survives the ownership flip and prevents the sandbox user from renaming or deleting root-owned entries like blueprints/. Sandbox-owned subdirs (state/, migration/, snapshots/, staging/, config.json) remain writable as before.

Note: This mitigates the security impact but does not prevent the ownership change itself — that requires an OpenShell-side fix. Filed as NVIDIA/OpenShell#783 with a reference implementation.