Docker run as user has file permission issues #3303

Open
genekellyjr opened this issue Oct 28, 2024 · 1 comment
What happened?

The files and folder in /staging/var/lib/crowdsec/data/:

/staging/var/lib/crowdsec/data/GeoLite2-ASN.mmdb     -rw-------
/staging/var/lib/crowdsec/data/GeoLite2-City.mmdb    -rw-------
/staging/var/lib/crowdsec/data/trace*                drwx------

All need to be readable by the public (and the folder needs to be executable). They're copied into /var/lib/crowdsec/data/ during initialization and a regular user cannot read them, but I see no reason why that is true since you can just download these databases.

A fix would be setting them to:

/staging/var/lib/crowdsec/data/GeoLite2-ASN.mmdb     -rw-r--r--
/staging/var/lib/crowdsec/data/GeoLite2-City.mmdb    -rw-r--r--
/staging/var/lib/crowdsec/data/trace*                drwxr-xr-x

Additionally in /staging/etc/crowdsec/ two files:

/staging/etc/crowdsec/local_api_credentials.yaml     -rw-------
/staging/etc/crowdsec/online_api_credentials.yaml    -rw-------

Need their permissions set to -rw-r--r-- as well since they're not a secret if sourced from staging.

If you are sure their permissions should be -rw------- or drwx------ during operation, add in a chmod 600 ... after the copy call during setup.

With those minor changes crowdsec can be deployed in a user-only, read-only environment with minimal hassle. Thanks for making crowdsec!

What did you expect to happen?

Docker container to be able to be run as a user in read-only mode.

How can we reproduce it (as minimally and precisely as possible)?

Here's an example docker-compose.yml file that bypasses the permission issues, but should not be required. It's set up to work with caddy, as an aside.

```yaml
networks:
    crowdsec-nw:
services:
    crowdsec-permissions-fix:
        image: docker.io/crowdsecurity/crowdsec:latest
        container_name: crowdsec-permissions-fix
        restart: "no"   # quoted: bare `no` is a YAML boolean, not the string "no"
        environment:
          - PUID=0
          - PGID=0
        volumes:
          - crowdsec-crowdsec:/tmpy:rw,noexec,nosuid,nodev,Z
          - crowdsec-crowdsec2:/tmpy2:rw,noexec,nosuid,nodev,Z
        entrypoint: /bin/sh
        # One-shot root container: copy the staging trees into named volumes and hand them to 1337:1337
        command: -c "chown 0:0 -R /tmpy && rm -rf /tmpy/* && cp -R /staging/etc/crowdsec/* /tmpy/ && chown -R 1337:1337 /tmpy && (chown 0:0 -R /tmpy2 || true) && rm -rf /tmpy2/* && cp -R /staging/var/lib/crowdsec/data/* /tmpy2/ && chown -R 1337:1337 /tmpy2"
        read_only: true
        user: 0:0
        security_opt:
          - no-new-privileges=true
        cap_drop:
          - ALL
        cap_add:
          - CAP_CHOWN
          - CAP_DAC_OVERRIDE # For chowning /staging/var/lib/crowdsec/data/trace after it's been 1337:1337'd

    crowdsec:
        image: docker.io/crowdsecurity/crowdsec:latest
        container_name: crowdsec
        restart: unless-stopped
        environment:
          - PUID=1337
          - PGID=1337
          - COLLECTIONS=crowdsecurity/caddy crowdsecurity/http-cve crowdsecurity/whitelist-good-actors
          - BOUNCER_KEY_CADDY=${CROWDSEC_APIKEY}
        volumes:
          - /home/crowdsec/containers/crowdsec/data:/var/lib/crowdsec/data/:rw,noexec,nosuid,nodev,Z
          - /home/crowdsec/containers/crowdsec/config/acquis.yaml:/etc/crowdsec/acquis.yaml:ro,noexec,nosuid,nodev,Z
          - caddy-logs:/var/log/caddy:ro,noexec,nosuid,nodev,z
          - crowdsec-crowdsec:/staging/etc/crowdsec/:ro,noexec,nosuid,nodev,Z # permissions fix
          - crowdsec-crowdsec2:/staging/var/lib/crowdsec/data/:ro,noexec,nosuid,nodev,Z # permissions fix
        tmpfs:
          - /etc/crowdsec:uid=1337,gid=1337,rw,noexec,nosuid,nodev
          - /tmp:uid=1337,gid=1337,rw,noexec,nosuid,nodev
        read_only: true
        depends_on:
            crowdsec-permissions-fix:
                condition: service_completed_successfully
            # caddy:
            #     condition: service_started
        networks:
          - crowdsec-nw
        user: 1337:1337
        security_opt:
          - no-new-privileges=true
        cap_drop:
          - ALL
volumes:
    crowdsec-crowdsec:
        driver: local
    crowdsec-crowdsec2:
        driver: local
    caddy-logs:
        driver: local
```
Anything else we need to know?

No response

Crowdsec version

```console
$ cscli version
version: v1.6.3-4851945a
Codename: alphaga
BuildDate: 2024-09-12_09:27:06
GoVersion: 1.22.6
Platform: docker
libre2: C++
User-Agent: crowdsec/v1.6.3-4851945a-docker
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
```

OS version

No response

Enabled collections and parsers

No response

Acquisition config

```console
$ cat /etc/crowdsec/acquis.yaml
filenames:
  - /var/log/caddy/*.log
labels:
  type: caddy
```

Config show

```console
$ cscli config show
Global:
   - Configuration Folder   : /etc/crowdsec
   - Data Folder            : /var/lib/crowdsec/data
   - Hub Folder             : /etc/crowdsec/hub
   - Simulation File        : /etc/crowdsec/simulation.yaml
   - Log Folder             : /var/log
   - Log level              : info
   - Log Media              : stdout
Crowdsec:
  - Acquisition File        : /etc/crowdsec/acquis.yaml
  - Parsers routines        : 1
  - Acquisition Folder      : /etc/crowdsec/acquis.d
cscli:
  - Output                  : human
  - Hub Branch              :
API Client:
  - URL                     : http://0.0.0.0:8080/
  - Login                   : localhost
  - Credentials File        : /etc/crowdsec/local_api_credentials.yaml
Local API Server:
  - Listen URL              : 0.0.0.0:8080
  - Listen Socket           :
  - Profile File            : /etc/crowdsec/profiles.yaml

  - Trusted IPs:
      - 127.0.0.1
      - ::1
  - Database:
      - Type                : sqlite
      - Path                : /var/lib/crowdsec/data/crowdsec.db
      - Flush age           : 7d
      - Flush size          : 5000
```

Prometheus metrics

No response

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

No response

genekellyjr added the kind/bug (Something isn't working) label on Oct 28, 2024
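A quick way to audit a staging tree for the exact condition the issue describes (files without o+r, directories without o+rx) before running the container as an unprivileged, read-only user, and to apply the 644/755 fix the reporter proposes. This is an added example, not CrowdSec's code or the reporter's; it assumes a `find` with symbolic `-perm` support (GNU or POSIX) and uses a constructed temporary tree instead of the real `/staging`:

```sh
#!/bin/sh
# Added example (not part of CrowdSec): audit and fix world-readability of a
# staging tree so a non-root container user can read the copied files.

# Print every regular file lacking o+r and every directory lacking o+rx.
list_unreadable() {
    find "$1" \( \( -type f ! -perm -o=r \) -o \( -type d ! -perm -o=rx \) \) -print | sort
}

# Returns 0 when the whole tree is readable by "other", 1 otherwise
# (offending paths are printed so the operator sees what would break).
check_world_readable() {
    out=$(list_unreadable "$1")
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# The fix proposed in the issue: 644 for files, 755 for directories.
# Only entries that actually need it are touched, so re-running is harmless.
# Apply this to staging templates only; runtime credential files copied out
# of staging can still be tightened with a chmod 600 after the copy.
fix_world_readable() {
    find "$1" -type f ! -perm -o=r -exec chmod 644 {} +
    find "$1" -type d ! -perm -o=rx -exec chmod 755 {} +
}

# Constructed demo tree mirroring the issue: one 600 .mmdb, one 700 trace
# directory, and one already-readable file. Prints the tree's path.
demo_tree() {
    t=$(mktemp -d)
    chmod 755 "$t"
    mkdir -p "$t/data/trace1"
    chmod 755 "$t/data"
    : > "$t/data/GeoLite2-ASN.mmdb"; chmod 600 "$t/data/GeoLite2-ASN.mmdb"
    : > "$t/data/ok.txt";            chmod 644 "$t/data/ok.txt"
    chmod 700 "$t/data/trace1"
    echo "$t"
}
```

Run `check_world_readable /staging` inside the image (as root, so mode bits rather than effective access are what gets reported) to confirm the two `.mmdb` files and the `trace*` directories are what show up.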

@genekellyjr: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.
