cloudposse / bastion

🔒Secure Bastion implemented as Docker Container running Alpine Linux with Google Authenticator & DUO MFA support
https://cloudposse.com/accelerate
Apache License 2.0

Bind-Mount Recommendations Result In Error #17

Closed jonmchan closed 5 years ago

jonmchan commented 6 years ago

Bind-mount /etc/passwd, /etc/shadow and /etc/group into the container as read-only

When attempting to do this, the docker container fails to start up. The error in the logs shows as:

- Enabling SSH Audit Logs
chsh: failure while writing changes to /etc/passwd

This is because chsh is run on startup - https://github.com/cloudposse/bastion/blob/8411230e466decf3a069fa3a5185c94bd5028d75/rootfs/etc/init.d/ssh-audit#L13.

The code should be updated to allow passwd, shadow, and group to not be modified during normal usage or the recommendation to keep those files mounted as read-only should be removed.

osterman commented 6 years ago

Yes, that's a good point.

osterman commented 5 years ago

@alebabai add a check to see if the password file is writable. We should probably emit a warning that the feature will be disabled.
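One way to implement the writability check proposed above, as an added shell example that is not the project's own init script; `PASSWD_FILE`, `CHSH_CMD` and `AUDIT_SHELL` are assumed names, and the audit shell path is a placeholder:

```shell
#!/bin/sh
# Added example (not cloudposse/bastion code): guard the chsh step that the
# ssh-audit init script runs at startup so that a read-only bind-mounted
# /etc/passwd disables the audit shell with a warning instead of crashing
# the container with "chsh: failure while writing changes to /etc/passwd".

PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
CHSH_CMD="${CHSH_CMD:-chsh}"                              # overridable for testing
AUDIT_SHELL="${AUDIT_SHELL:-/usr/local/bin/ssh-audit-shell}"   # assumed placeholder path

# Return 0 if the passwd file can actually be written, 1 otherwise.
# `test -w` asks access(2), which already fails with EROFS on a read-only
# mount; the append-open is a second check that exercises the real open path.
passwd_is_writable() {
    file="$1"
    [ -w "$file" ] || return 1
    # `: >>` opens for append and writes nothing, so the file is unchanged;
    # on a read-only bind mount the open itself fails.
    ( : >> "$file" ) 2>/dev/null
}

# Switch a user's login shell to the audit shell only when the change can
# be persisted. Exit status: 0 = enabled, 2 = feature disabled (warning
# printed to stderr), anything else = chsh itself failed.
enable_ssh_audit() {
    user="$1"
    if passwd_is_writable "$PASSWD_FILE"; then
        echo "- Enabling SSH Audit Logs"
        "$CHSH_CMD" -s "$AUDIT_SHELL" "$user"
    else
        echo "WARNING: $PASSWD_FILE is not writable (read-only bind mount?);" \
             "SSH audit logging is disabled" >&2
        return 2
    fi
}
```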

osterman commented 5 years ago

This has been fixed in https://github.com/cloudposse/bastion/releases/tag/0.1.4