cron and redis fixes for running with non-root UID #1469
Adding the cron command to /var/spool/cron/crontabs/www-data assumes that cron, and by extension the nextcloud app, is run as 'www-data'. 'crond' cannot be used with: exec "echo \"*/%%CRONTAB_INT%% * * * * php -f /var/www/html/cron.php\" | crontab - && crond -f -l 0 -L /dev/stdout" because that assumes the uid used matches an entry in '/etc/passwd'.
Signed-off-by: Roland Vet <[email protected]>
If "REDIS_HOST=redis" is used in combination with a custom uid, the container attempts to write to redis-session.ini which fails due to lack of permission.
Signed-off-by: Roland Vet <[email protected]>
I don't think that making the PHP config world writeable is a good practice.
In general I agree. Any alternative suggestion is welcome.
If the goal was to make the container run as *a* non-root UID (www-data:33) it wouldn't be too bad, just chown the required files. That likely wouldn't meet the goal of some, but it could be an improvement.
I solved this in k8s by just mounting a templated redis config as a configmap, and not using that particular redis_host variable.
Problem is that at the time docker runs through this part of the entrypoint: https://github.com/nextcloud/docker/blob/master/docker-entrypoint.sh#L75-L100 we've dropped to a uid/gid (L53-73), but the Dockerfile does not know what that uid/gid will be. Making it writable by all is a generic fix, but not great security wise.
I don't know how you would apply that here. PR fixes #763
This is what always works. Just mount your own zzz_myconfig.ini to overwrite any config.
Yeah, that is why I commented that if the UID was known ahead of time (www-data) this would be easier. Kubernetes makes it really easy to store a config file with the rest of your manifests and just patch in whatever you want.
The problem is that most security policies that require containers run as non-root actually require the container to start as non-root. There are often admission hooks or runtime checks that will entirely prevent workloads from running; starting as root and dropping permissions will not satisfy them.
Changing the perms to www-data (33) would allow the container to run fully as non-root provided that that uid is used. It would still require root if a different uid was needed, but this would still be an improvement in some cases.
When not running as 'www-data', the redis and cron functionality (as shown in examples such as ".examples/docker-compose/insecure/mariadb-cron-redis/fpm/docker-compose.yml") break. These commits fix these issues.
Partial fix for #359
Possible supplement to #1278.
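The two failure modes in this thread, crond refusing a UID with no /etc/passwd entry (first commit) and the entrypoint being unable to write redis-session.ini under a custom UID (second commit), can both be detected before the container tries anything. The script below is an added example written for this page, not code from the nextcloud/docker entrypoint or from this PR. It assumes the PHP conf.d path of the official php image (`/usr/local/etc/php/conf.d/`), the two PHP session settings it renders (`session.save_handler`, `session.save_path`) as the content a user would put in a read-only `zzz_myconfig.ini` mount instead of setting `REDIS_HOST`, and the function names are hypothetical. It never widens permissions on the config directory.

```shell
#!/bin/sh
# Added example for nextcloud/docker PR #1469; not the project's entrypoint code.
# Pre-flight checks for running the image under an arbitrary non-root UID.
# Paths, ini field names and function names are assumptions for illustration.

# crond resolves the running UID via /etc/passwd (NSS); a UID without an
# entry cannot own a crontab, so the "crontab - && crond" approach breaks.
uid_has_passwd_entry() {
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$1" >/dev/null 2>&1
    else
        # fallback when getent is absent (e.g. minimal images): scan the file
        grep -q "^[^:]*:[^:]*:$1:" /etc/passwd
    fi
}

# The entrypoint writes redis-session.ini into conf.d at runtime. Under a
# custom UID that write only succeeds if the file, or the directory when the
# file does not exist yet, is writable by that UID. Note that for UID 0
# test -w is always true, which is exactly why the problem is invisible as root.
conf_target_writable() {
    target="$1"
    if [ -e "$target" ]; then
        [ -w "$target" ]
    else
        [ -w "$(dirname "$target")" ]
    fi
}

# Render the session config a user would bind-mount read-only as
# zzz_myconfig.ini (assumed field set; the real image may write more).
render_redis_session_ini() {
    host="$1"
    port="${2:-6379}"
    printf 'session.save_handler = redis\nsession.save_path = "tcp://%s:%s"\n' \
        "$host" "$port"
}

# Decide whether runtime config generation is viable for this UID.
# Returns 0 = ok, 1 = cron cannot run, 2 = config not writable.
# Deliberately does not chmod 777 anything; that is the fix the thread rejects.
plan_nonroot_startup() {
    uid="$1"
    target="$2"
    if ! uid_has_passwd_entry "$uid"; then
        echo "uid $uid has no /etc/passwd entry: crond cannot run its crontab"
        return 1
    fi
    if ! conf_target_writable "$target"; then
        echo "$target not writable by uid $uid: mount a prepared ini read-only instead of setting REDIS_HOST"
        return 2
    fi
    echo "ok"
}

# Example invocation (conf.d path assumed from the official php image):
# plan_nonroot_startup "$(id -u)" /usr/local/etc/php/conf.d/redis-session.ini
```

Run it with the UID the orchestrator will actually assign (`runAsUser` in Kubernetes, `user:` in compose) rather than as root, since the writability check is trivially true for UID 0. When it returns 2, the generated ini from `render_redis_session_ini` can be mounted read-only as `zzz_myconfig.ini` in conf.d, which is the workaround the thread converges on.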