Run container as a non-privileged user #187
Comments
|
Hi @bittner and thanks for starting this discussion. In short, yes we would welcome contributions in this area. Our Docker package was set up in a way that got it working and hasn't gotten a whole lot of attention since then, so there are definitely things that could be improved. I think your suggestion has a high chance of being merged, and any other ideas you have for improving the Docker implementation. |
|
I've looked at the setup a bit. I feel you make your lives unnecessarily complicated with the choice of Nginx. With Apache you have a single service already, no need for a Supervisord setup. The performance penalty is not really significant, IMO. Is there a reason for this choice? Would you be happy to simplify the setup and switch back to Apache? |
|
Recommended PHP setup for Apache is anyway using fcgi + php-fpm, so whats the difference? |
|
I don't mean to offend anyone, it's just about maintainability. The second most popular Docker image for phpMyAdmin has a far simpler setup (see its Dockerfile). What is the reason you have a much more elaborate setup? Isn't this more difficult to manage? It certainly is more difficult for us to convert to a setup that is compatible with OpenShift. 😕 |
|
Yes it has simpler setup - for example it does not verify signature of downloaded tarball. Our setup also used to be simpler when we used prebuilt PHP instead of building it see #144. Anyway I don't have strong opinion on whether to use nginx or Apache. The originally reported issue is generic to many docker containers and is not at all related to nginx or Apache usage. If you run PHP as root inside of the container (what the Apache container AFAIK does), you don't need any chown, but you loose some security. On the other way this is only approach to allow running whole container as different user. I don't have definite answer, but I certainly don't want to trade off security of most users (who don't care about it) for limited set of users who will run docker under different user. The reason for chown is that unprivileged user in container needs write access for session data or file uploads. |
|
We decided to contribute the necessary changes to the nazarpc/phpmyadmin Docker image. Please, don't be offended. It's really just that it would have taken us much, much longer to get the issue settled with your current setup. Supervisord is reported to be notoriously difficult (if not impossible) to run with a non-privileged user. Thank you for your understanding! Maybe you can figure out how to get your image to run on Kubernetes-powered container platforms looking at the implementation details (and the README) of the project we contributed to. Keep up the good work! 👍 |
|
Reopening as the issue is still there, it has not disappeared by fixing it in different repository ;-). |
|
Just tested the image nazarpc/phpmyadmin and it works perfectly on Openshift. |
|
@Sispheor can someone let us know if it is fixed ? |
I got the following issue with that img on OpenShift:AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 10.130.6.146. Set the 'ServerName' directive globally to suppress this message |
|
@v2saude could you post your configuration ? |
|
After some tricks I managed to make it run: pmatestvol:
image: phpmyadmin/phpmyadmin:latest
container_name: pmatestvol
dns_search: williamdes.local
hostname: pmatest.williamdes.local
domainname: williamdes.local
restart: on-failure:2
mem_limit: 100m
user: 1000:1000
networks:
williamdeslocal:
aliases:
- pmatest.williamdes.local
env_file:
- ./pma.env
sysctls:
- net.ipv4.ip_unprivileged_port_start=0
volumes:
- pmavol:/var/www/html
- ./phpmyadmin-upload-limit.ini:/usr/local/etc/php/conf.d/phpmyadmin-upload-limit.ini
- ./config.secret.inc.php:/etc/phpmyadmin/config.secret.inc.php
- ./config.user.inc.php:/etc/phpmyadmin/config.user.inc.php:ro
ports:
- "600:80" |
williamdes
changed the title
|
And why not use a port other than 80 in Apache, i.e. a port greater than 1024 so that it can run as a non-root user, and then we redirect the port as we are currently doing. |
|
Is there anything new to this? As @chiqui3d mentioned, it would be a good first step to use another port than 80 (greater than 1024) in Apache. |
|
Any update on this? Just want to be able to run the app on a port other than 80 like requested in #340 to allow running on Openshift |
Anyone has ideas on how to solve this without rebuilding the image ? |
|
+1 |
|
Hi @erfantkerfan |
running phpmyadmin/phpmyadmin image with user nobody doesn't work (I'm not mounting any files), version: "3.7"
services:
phpmyadmin_web:
image: phpmyadmin/phpmyadmin:latest
ports:
- "80:80"
extra_hosts:
- mydb:host-gateway
user: nobody
environment:
- PMA_HOST=mydb
- PMA_ABSOLUTE_URI=https://someweburi.com/pma
deploy:
replicas: 1
|
|
hello, is there any update on this topic? |
|
Hello |
|
i lately installed docker rootless as written in https://docs.docker.com/engine/security/rootless/ using some created user named docker. Problem: phpMyAdmin will show And won't connect at login. Cause: The Permissions of /etc/phpmyadmin/config.secret.inc.php are wrong by default in that case: But apache is running as www-data user: This is due to default umask and facls on the docker- user- directory, not allowing "others" to read docker- contents (on the host). The docker-entrypoint.sh which creates the file will inherit the permissions of the host while not specifying them. Solved by: Changing the group of that file in docker-entrypoint.sh works: This is more safe, than changing the permissions while they would also get change on the host i guess. Would it be possible to add that line to the file? |
|
Hello all, I pushed some work to mitigate some of the current rootless issues. The custom INI file and the web files are now owned+group by www-data. I added a test for this 6a68779#diff-56ee0291fa09d6cff1f37f773112f9ad35f117812b37abcd39b90ce057da1143R25 Now to run rootless Debian you need to use: # www-data:www-data in Debian (https://stackoverflow.com/a/69290889/5155484)
user: 33:33@obel1x do you think #432 is still needed ? One item left is the ℹ️ This is not released yet |
|
Hello @williamdes,
If the is any security leak either in php( ,fpm?), in phpmyadmin or in apache, you could easyly change all contents of all those files, giving some attacker an easy way to capture that service completely.
I admit, it is a pitty that docker is not able to manage groups the persistent way that linux does and that umask is not supported until now, but as long as thats the fact, docker implementations need to work around and still be secure. |
I agree that this was not a great idea and indeed there is an escalation risk Now that #432 is merged, do you think we are rootless ready (minimum) ? |
…kip the expose_php assertion The HIDE_PHP_VERSION is not usable with rootless
|
Still get the same error for config file and even though it start apache on 8090, I also get the port 80 error ... I'll do tests on my side and PR if I fix anything |
We need to deploy phpMyAdmin on OpenShift, and this means we cannot perform privileged operations that require
rootpermissions.chownrequires elevated privilegesUnfortunately, this image performs
chownoperations in the entrypoint script, which makes it impossible to run the image with a non-privileged user. You can verify this easily with a localdocker run, e.g.Can we try to fix this, and place a PR? Would you accept such a change?
See also
The text was updated successfully, but these errors were encountered: