Open tobhv opened 8 months ago
- a post request to exec is allowed!(bad)
That is because there is presently no difference between READ/WRITE, only enable/disable of an endpoint. While most exec operation belong to the /exec
endpoint, this one belongs to /containers
at /containers/{id}/exec
thus the ENV is CONTAINERS=1
and it is a POST
request thus POST=1
allows it:
environment:
POST: 1
CONTAINERS: 1
There is a PR to run lua script to separate the read vs write permissions: https://github.com/Tecnativa/docker-socket-proxy/pull/126
If that lands you would have CONTAINERS_READ=1
and CONTAINERS_WRITE=0
Likewise due to the referenced rule with POST=1
check, while the name is poorly chosen, it allows any other request like DELETE
to be permitted. Since you have CONTAINERS=1
that is granted. With that referenced PR CONTAINERS_WRITE=1
will enable both POST
and DELETE
requests, there is no further granularity there, although that should be sufficient for most needs.
Hello,
just got started using this container to secure watchtower. but i see strange behavior when i send requests to the api in the below setup:
this lets watchtower do its job nicely and the socket-proxy logs show clearly what requests have been done.
however, there is more: expected behavior:
actual behavior:
environment: