Closed jonasgeiler closed 3 months ago
Please note this response was created using generative AI leveraging previously available information from the repository. This information may be helpful however it is our strong recommendation that you carefully consider the information before blindly applying it.
The issue you're encountering is due to the file permission settings of the /run/secrets/
directory, which is owned by root. When you set the PUID
and PGID
environment variables to non-root values, the Authelia container cannot access these files.
To resolve this, you can indeed modify the entrypoint.sh
script to change the ownership of the /run/secrets/
directory to the specified PUID
and PGID
. Here is the suggested line to add to the entrypoint.sh
file:
chown -R ${PUID}:${PGID} /run/secrets
This will ensure that the Authelia process running under the specified PUID
and PGID
can read the secret files.
Alternatively, you can also set the permissions of the secret files to be readable by the group or others, but this is less secure and not recommended.
For more detailed information, you can refer to the Authelia documentation on Docker deployment and permissions:
This comment was generated by Glime.
Use docker to specify the correct permissions, this is working as intended as the files mounted here are controlled by docker entirely. As this is the intended method for docker, if this is not working there is an issue on their end. Naturally we also have always recommended using the user parameters not the PUID/PGID env vars. Alternatively just mount them as a directory considering there is no benefit to mounting them in this way without swarm.
https://docs.docker.com/compose/compose-file/05-services/#long-syntax-4
@james-d-elliott wrote: Use docker to specify the correct permissions, this is working as intended as the files mounted here are controlled by docker entirely. As this is the intended method for docker, if this is not working there is an issue on their end. Naturally we also have always recommended using the user parameters not the PUID/PGID env vars. Alternatively just mount them as a directory considering there is no benefit to mounting them in this way without swarm.
https://docs.docker.com/compose/compose-file/05-services/#long-syntax-4
I've read the documentation you linked and tried it out shortly after submitting this issue. Maybe you have read the issue before I edited with the new information:
The uid
and gid
fields are seemingly not supported outside of Docker Swarm. I get the following warnings from Docker compose:
WARN[0000] secrets `uid`, `gid` and `mode` are not supported, they will be ignored
WARN[0000] secrets `uid`, `gid` and `mode` are not supported, they will be ignored
WARN[0000] secrets `uid`, `gid` and `mode` are not supported, they will be ignored
The secrets attribute for the service in the Docker compose file looks something like this:
secrets:
- source: authelia_jwt_secret
uid: 1000
gid: 1000
- source: authelia_session_secret
uid: 1000
gid: 1000
- source: authelia_storage_encryption_key
uid: 1000
gid: 1000
And it's not working... Maybe I'll ask the Docker guys if they can add proper support for this? The problem COULD be solved by Docker itself, however IF it's possible and they decide to add it and WHEN they will do it I don't know... For this reason a temporary fix on your side would be very appreciated!
I am currently trying to get setting the user
attribute for the service to work (instead of using PUID
/PGID
) but for some reason I get the same error... Will see if I can fix it.
Apologies but we're not crossing this barrier of responsibility as clawing back these bad features is almost impossible without people complaining. Even if we wanted to it's technically impossible as these files are part of a read-only file system. Feel free to try to chown any file mounted in /run/secrets for yourself to see what I mean.
The correct fix must come from the docker side as it's part of their domain logic. Seems like a pretty asinine for them to have the user
option and secrets
option when the user has only the path of using an privilege escalation vulnerability to gain access to the secrets since it never has access under uid/gid 0.
As far as how to work around it you can mount the files as part of a directory owned and only readable by the correct user id. You can choose an arbitrary number for this with the chown 1234:0 /path/to/file && chmod 600 /path/to/file
command.
This has the same benefits as mounting them as secrets. The secrets syntax is almost exclusively at the benefit of docker swarm where the files may not be local.
@james-d-elliott I actually found a Docker issue mentioning this problem, and below it there was this comment: https://github.com/docker/compose/issues/9648#issuecomment-1824340917 So it looks like they will not fix it for now. Really sucks but what shall you do...
I guess I'll look for a workaround using a custom image or something. Thanks anyways!
Btw setting the user
attribute for the service in the Docker compose file also didn't work, since the secrets are still mounted as root
, even if authelia is running under a different user...
As I already mentioned there is no way around it. Docker forcibly mounts the /run/secrets
as read-only. You can't change the permissions of these files. It seems by their implementation the only way to handle this is exactly as I described, mount file as a volume with the correct permissions.
As I already mentioned there is no way around it. Docker forcibly mounts the
/run/secrets
as read-only. You can't change the permissions of these files. It seems by their implementation the only way to handle this is exactly as I described, mount file as a volume with the correct permissions.
I admit I misread the part where you said it was "technically impossible", but it's still a good idea to link to the Docker issue for other people in the future in case someone stumbles across this issue. Thanks again!
Yeah I agree. not opposed to linking their issue. No worries at all, feel free to open a discussion if you want examples of the proposed solution. I find it fascinating that setting the user no longer sets the secret permissions, I know for certain it did in the past.
It's also probably relevant to link the following where it actually quite convincingly suggests secrets are only intended for swarm mode, quite literally seems like a docker compose hack to work around this limitation as it's not a feature of standard docker (first result for "docker secrets"): https://docs.docker.com/engine/swarm/secrets/
For posterity:
Hold on a second 😅
I just noticed that using secrets read from environment variables work! They are defined like this:
secrets:
jwt_secret:
environment: JWT_SECRET
After mounting them in the container, Authelia could read them normally.
The reason is that they have a 0444
permission inside the container, set by Docker by default. The file that I used previously had 0400
permissions, which were also used inside of the container, so Authelia could not read the secret. This means that everything is actually working fine and all I had to do is set 0444
permissions on the source secret file on the host... I feel stupid haha
I suspect it's related to the way that docker compose handles that in standalone containers. Since secrets are not actually available for standalone containers it's just bind mounting them, so they should retain the permissions, i.e. owner, group, and mod. Would explain why it wasn't working now and I knew the user
config worked in the past.
Version
v4.38.9
Deployment Method
Docker
Reverse Proxy
Traefik
Reverse Proxy Version
3.0.3
Description
When I set the
PUID
andPGID
environment variables to something other than0
for the Authelia Docker container, I get afile permission error
when Authelia tries to read secrets from the secret files in/run/secrets/
. The/run/secrets/
folder is owned by root, while Authelia is running under whatever I setPUID
/PGID
to, so it can't read those files.A possible fix could be adding the following line to the
entrypoint.sh
file:I should also note that while you can set
uid
andgid
when specifying the secrets to mount in the Docker compose file, I get the following warnings from Docker compose:So it seems those are only supported in Docker Swarm.
Reproduction
Use a Docker compose file like the following (taken from docs):
Expectations
Authelia can read secrets from the Docker secrets files.
Configuration (Authelia)
Set in Docker compose as environment variables:
Set in the
configuration.yaml
:Build Information
Logs (Authelia)
Logs (Proxy / Application)
Documentation
No response
Pre-Submission Checklist
[X] I agree to follow the Code of Conduct
[X] This is a bug report and not a support request
[X] I have read the security policy and this bug report is not a security issue or security related issue
[X] I have either included the complete configuration file or I am sure it's unrelated to the configuration
[X] I have either included the complete debug / trace logs or the output of the build-info command if the logs are not relevant
[X] I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the Troubleshooting Sanitization reference guide
[X] I have checked for related proxy or application logs and included them if available
[X] I have checked for related issues and checked the documentation