Run the instance rootless #27

Open
fboaventura opened this issue Sep 20, 2024 · 3 comments

@fboaventura
Owner

The idea is to configure the instance to run as an ordinary user, not as root. This will increase security and adhere to good practices.

@fboaventura
Owner Author

I tried adding this snippet after line 45, before the CMD, but I ran into many permission-related issues.

RUN addgroup -g 142 mrtg \
    && adduser -u 142 -G mrtg -G lighttpd -D -h /mrtg -s /bin/bash mrtg\
    && chown -R mrtg:mrtg /etc/mrtg /mrtg \
    && chown -R lighttpd:lighttpd /mrtg/html /mrtg/cgi-bin

USER mrtg

These are some of the errors spotted when running bash -x /usr/sbin/mrtg.sh:

[...]
+ chmod 755 /var/cache/fontconfig
chmod: /var/cache/fontconfig: Operation not permitted
+ rm -rf /var/cache/fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-9 /var/cache/fontconfig/6ba42ae0000f58711b5caaf10d690066-le64.cache-9 /var/cache/fontconfig/CACHEDIR.TAG /var/cache/fontconfig/d9648dcd9a8755275d3d9acd40d29497-le64.cache-9
rm: can't remove '/var/cache/fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-9': Permission denied
rm: can't remove '/var/cache/fontconfig/6ba42ae0000f58711b5caaf10d690066-le64.cache-9': Permission denied
rm: can't remove '/var/cache/fontconfig/CACHEDIR.TAG': Permission denied
rm: can't remove '/var/cache/fontconfig/d9648dcd9a8755275d3d9acd40d29497-le64.cache-9': Permission denied
+ fc-cache -f
[...]
+ chown -R lighttpd:lighttpd /mrtg/html
chown: /mrtg/html/icons/mrtg-m.png: Operation not permitted
chown: /mrtg/html/icons/mrtg-r.png: Operation not permitted
chown: /mrtg/html/icons/mrtg-l.png: Operation not permitted
chown: /mrtg/html/icons: Operation not permitted
chown: /mrtg/html/icons: Operation not permitted
chown: /mrtg/html: Operation not permitted
chown: /mrtg/html: Operation not permitted
+ HTTPID=30
[...]
+ + /usr/sbin/crond wait-f 
-L /proc/self/fd/1 -l debug

/usr/sbin/mrtg.sh: line 160: /usr/sbin/crond: Permission denied
2024-09-20 17:34:01: (../src/server.c.1696) opening pid-file failed: /run/lighttpd.pid: Permission denied
2024-09-20 17:34:01: (../src/server.c.596) unlink failed for: /run/lighttpd.pid: No such file or directory
+ kill 30 31
/usr/sbin/mrtg.sh: line 1: kill: (30) - No such process
/usr/sbin/mrtg.sh: line 1: kill: (31) - No such process


@fboaventura fboaventura added this to the v2.5.7 milestone Sep 20, 2024
@fboaventura
Owner Author

I'll add a new Dockerfile and create a new tag for the non-root image to avoid breaking compatibility with running systems due to the needed change in the Lighttpd listening port.

@gstrauss

lighttpd can run as a non-root user and inherit already-listening sockets, e.g. configure lighttpd to use systemd socket activation (and configure systemd lighttpd.service to create the privileged sockets), or start lighttpd from inetd/xinetd.

Also, to run as a non-root user, the paths used by lighttpd.conf, e.g. /run/lighttpd.pid in lighttpd.conf, must be changed to a location writable by the user. The same is true for log files and access to device files, if needed.
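
The two conditions raised in this thread (a listening port that does not need root, and pid/log paths writable by the unprivileged user) can be checked before starting the server. The script below is an added example, not code from this project or from lighttpd; the function names, the constructed sample configs and the default 1024 privileged-port limit are assumptions.

```sh
#!/bin/sh
# Added example: pre-flight check before starting lighttpd as a non-root user.

# conf_value FILE KEY: print the last simple `KEY = value` setting, unquoted.
conf_value() {
    awk -F= -v key="$2" '
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; gsub(/^[ \t"]+|[ \t"]+$/, "", v); val = v }
        END { print val }' "$1"
}

# port_ok PORT: true if a non-root process may bind it.
# Assumption: the default Linux limit, ports below 1024 are privileged.
port_ok() { [ "$1" -ge 1024 ] 2>/dev/null; }

# path_ok FILE: true if the current user can write FILE, or create it.
path_ok() {
    if [ -e "$1" ]; then [ -w "$1" ]; else [ -w "$(dirname "$1")" ]; fi
}

# preflight FILE: report settings that would fail without root; returns 1 if any.
preflight() {
    conf=$1; rc=0
    port=$(conf_value "$conf" server.port)
    port=${port:-80}    # lighttpd listens on 80 when server.port is unset
    if ! port_ok "$port"; then
        echo "FAIL server.port=$port is a privileged port"; rc=1
    fi
    for key in server.pid-file server.errorlog; do
        p=$(conf_value "$conf" "$key")
        [ -n "$p" ] || continue
        if ! path_ok "$p"; then
            echo "FAIL $key=$p is not writable by uid $(id -u)"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample configs (not the project's lighttpd.conf).
demo=$(mktemp -d)
printf 'server.port = 80\nserver.pid-file = "/run/lighttpd.pid"\n' > "$demo/root.conf"
printf 'server.port = 8080\nserver.pid-file = "%s/lighttpd.pid"\n' "$demo" > "$demo/user.conf"
for f in root.conf user.conf; do
    if preflight "$demo/$f"; then echo "$f: ok for uid $(id -u)"; fi
done
rm -rf "$demo"
```

Run it as the same user the container will use (for example after the `USER` instruction); run as root, the path checks always pass.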
