NodeOS / NodeOS

Lightweight operating system using Node.js as userspace

Home Page: http://node-os.com


Fix permissions on Docker

piranna opened this issue

When running NodeOS on Docker, no matter which user you log in as, it gets UID & GID 0, having root permissions. We need to find and fix this.

The Docker AppArmor template disables filesystem mounting by default, so it's needed to disable usage of AppArmor at all. A better alternative would be to use a custom template that mimics the Docker default one but allows filesystem mounting. This could be easily crafted with Bane.

The Docker default seccomp profile accepts setuid, but for some reason it's not working and instead they are a no-op.

How do you check its UID and GID inside NodeOS?

With pstree, looking at which process tree it prints, the one for root or the one for the nodeos user. Dumb, but effective :-)

What does your tree for root and for nodeos print?

I'm getting this (on Docker):

~ > pstree
init
├── exclfs
└─┬ init
  ├─┬ nsh
  │ └── pstree
  └── nodeos-reverse-

But it should be like this (on QEmu)?

init
├── exclfs
└─┬ init
  ├─┬ getty
  │ └─┬ nsh
  │   └── pstree
  └── nodeos-reverse-

kthreadd
├── ksoftirqd/0
├── kworker/0:0
├── kworker/0:0H
├── kworker/u2:0
├── rcu_sched
├── rcu_bh
├── migration/0
├── lru-add-drain
├── cpuhp/0
├── kdevtmpfs
├── netns
├── kworker/u2:1
├── kworker/u2:2
├── oom_reaper
├── writeback
├── kcompactd0
├── crypto
├── bioset
├── kblockd
├── ata_sff
├── md
├── kworker/0:1
├── cfg80211
├── rpciod
├── xprtiod
├── kswapd0
├── vmstat
├── nfsiod
├── acpi_thermal_pm
├── bioset
├── bioset
├── bioset
├── bioset
├── bioset
├── bioset
├── bioset
├── bioset
├── scsi_eh_0
├── scsi_tmf_0
├── scsi_eh_1
├── scsi_tmf_1
├── kworker/u2:3
├── bioset
├── kworker/u2:4
├── bioset
├── kworker/0:2
├── kpsmoused
├── ipv6_addrconf
├── deferwq
├── kworker/0:1H
├── jbd2/sda-8
└── ext4-rsv-conver

> I'm getting this (on Docker):

This is the tree for the root user.

> But it should be like this (on QEmu)?

Hmm... that's not good, it seems on QEmu we are having a regression, because it's also the list of root processes... In both cases it should be

~ > pstree
nsh
└ pstree

This seems more like a software error in logon than in Docker or QEmu.

> This seems more like a software error in logon than in Docker or QEmu.

Docker has a problem, but it's true that logon was using setreuid() and it was changed to setuid() because the docs say it's more secure. Maybe this could be the reason for the problem with QEmu... The problem here is how to test it :-/

You say that it was using setreuid(), but the source here is using setreuid().
The usersfs pulls the dependencies on build, so this could be the problem, or am I wrong?

Yes, no matter which of them you use, they are from the same function family. It's a problem on/with Docker.
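Since the thread turns on how to tell whether the setuid/setreuid call in logon actually took effect when a sandbox policy silently turns it into a no-op, here is an added example (not NodeOS or logon code) of a logon-style privilege drop that reads the ids back instead of trusting that the call did not throw. The target UID/GID 1000 is a placeholder value.

```javascript
// Added example, not part of NodeOS. A seccomp or AppArmor policy that makes
// setuid(2)/setgid(2) a no-op does not necessarily make process.setuid()
// throw, so the process can keep UID/GID 0 after a "successful" drop.
// The only reliable check is to read the ids back and compare.

// Pure check: compare the ids we asked for against the ids read back.
// Returns a list of mismatches; an empty list means the drop took effect.
// Both real and effective ids are compared because setuid() from root sets
// all of them, whereas a partial change would still leave a root id behind.
function privilegeDropMismatches(wanted, actual) {
  const mismatches = [];
  for (const key of ['uid', 'euid', 'gid', 'egid']) {
    const expected = key.startsWith('e') ? wanted[key.slice(1)] : wanted[key];
    if (actual[key] !== expected) {
      mismatches.push(`${key}: expected ${expected}, got ${actual[key]}`);
    }
  }
  return mismatches;
}

// Read real and effective ids of the running process (POSIX only).
function currentIds() {
  return {
    uid: process.getuid(), euid: process.geteuid(),
    gid: process.getgid(), egid: process.getegid(),
  };
}

// Drop privileges the way a logon program would (group first, then user),
// then refuse to continue if the kernel did not actually apply the change.
function dropPrivileges(wanted) {
  if (typeof process.setgid !== 'function' || typeof process.setuid !== 'function') {
    throw new Error('setuid/setgid are not available on this platform');
  }
  process.setgid(wanted.gid);
  process.setuid(wanted.uid);
  const mismatches = privilegeDropMismatches(wanted, currentIds());
  if (mismatches.length > 0) {
    // A silent no-op is treated exactly like an explicit EPERM.
    throw new Error('privilege drop did not take effect: ' + mismatches.join('; '));
  }
  return currentIds();
}

// Usage: only meaningful when started as root; placeholder target ids.
if (typeof require !== 'undefined' && require.main === module) {
  try {
    console.log('now running as', dropPrivileges({ uid: 1000, gid: 1000 }));
  } catch (err) {
    console.error(err.message);
  }
}
```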