search

bitwarden / self-host

Bitwarden's self-hosted release repository
GNU General Public License v3.0
307 stars 54 forks source link

Run Bitwarden-selfhosted as non-root container on the read-only filesystem #247

Open shaman007 opened 2 months ago

shaman007 commented 2 months ago

I am running a Bitwarden instance in Kubernetes and want to harden it, because to it contains vital secrets. However, if I try as a start to set:

    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000

I am getting several errors from the entrypoint.sh:

addgroup: Only root may add a user or group to the system.
adduser: Only root may add a user or group to the system.
cp: cannot create regular file '/app/Identity/identity.pfx': Permission denied
cp: cannot create regular file '/app/Sso/identity.pfx': Permission denied

and

sed: couldn't open temporary file /etc/supervisor.d/sedF4AEIa: Permission denied
sed: couldn't open temporary file /etc/supervisor.d/sedMdBMD6: Permission denied
sed: couldn't open temporary file /etc/supervisor.d/sedQ53QO5: Permission denied
sed: couldn't open temporary file /etc/supervisor.d/sedY6JVZS: Permission denied
sed: couldn't open temporary file /etc/supervisor.d/sedTZbdo9: Permission denied
sed: couldn't open temporary file /etc/supervisor.d/sedaiDeBm: Permission denied
sed: couldn't open temporary file /etc/supervisor.d/sedihWpDk: Permission denied
sed: couldn't open temporary file /etc/supervisor.d/sedBm0zaG: Permission denied
chown: changing ownership of '/app/Web/554.48a8997231bd1194fd5f.js': Operation not permitted
chown: changing ownership of '/app/Web/111.a0a028d157496bf5d1fb.js.map': Operation not permitted
chown: changing ownership of '/app/Web/314.5a6aa5e9fd3a1dbb36ce.js.map': Operation not permitted
chown: changing ownership of '/app/Web/encrypt-worker.c5aeb8504a3eb9845db2.js': Operation not permitted
chown: changing ownership of '/app/Web/scripts/qrious.min.js': Operation not permitted
[ ... and so on ... ]

This happens due to the entrypoint.sh:

Useradd, groupadd could be easily moved in the Dockerfile, as well as the permissions/group ownership. Seems like "Enable/Disable services" also should be rather in the Dockerfile. /etc/bitwarden that is altered by the entrypoint.sh should be a persistent volume, since we want to keep instance identity on restarts, it's not a problem.

shaman007 commented 2 months ago

I did a trivial PR for this issue.

Neonwarden commented 2 months ago

Hi there,

This issue has been escalated for further investigation. If you have more information that can help us, please add it below.

Thanks!

yggdrasil-tynor commented 2 months ago

Much needed feature to get this working on Azure AppService / Container Apps!