digininja / CeWL

CeWL is a Custom Word List Generator

Docker usage #61

Closed loris-intergalactique closed 4 years ago

loris-intergalactique commented 4 years ago

Hi,

Here is a Dockerfile suggestion, with its corresponding usage. I recommend you link this repo with the Docker Hub to make cewl available in the Docker registry: this way, we could use the docker container without locally building it :)

I saw that you are not at ease with Docker, I'm available in case of questions.

Cheers!

loris-intergalactique commented 4 years ago

I just realized that this configuration would require writing "/root" for each handled input/output file. I'm fixing that

digininja commented 4 years ago

Can you compare your version with this one and comment:

https://github.com/digininja/CeWL/pull/52/files

digininja commented 4 years ago

It does. There is currently a set of warnings produced from one of the gems on 2.7; however, this does not affect normal operations and the gem authors have a fix in place, it just hasn't been released yet.

On Tue, 7 Apr 2020 at 09:56, Thomas V. Fischer notifications@github.com wrote:

@tvfischer requested changes on this pull request.

Additional files can be added to the docker ignore file

In .dockerignore https://github.com/digininja/CeWL/pull/61#discussion_r404641491:

+.git +.gitignore

Had a chat with @digininja (https://github.com/digininja). He suggests that we can also ignore README.md and fab.rb.

In Dockerfile https://github.com/digininja/CeWL/pull/61#discussion_r404647059:

@@ -0,0 +1,17 @@ +FROM ruby:2.5-alpine
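
Review bot: `FROM ruby:2.5-alpine` on the first added line names the base image by tag only, and a tag can be re-pushed, so the same Dockerfile can build different images over time. Whichever Ruby version is settled on, consider adding the image digest after the tag (`FROM ruby:<tag>@sha256:<digest>`) so builds are reproducible, and add a comment saying why that version was chosen, since the visible line gives no reason for 2.5.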

Any reason why we can't use ruby:alpine to get the latest version of ruby? As far as I understand, CeWL works on the latest version.


digininja commented 4 years ago

Another thing I suggested. I don't like the idea of running things through sudo when they don't need it, and cewl definitely doesn't need it.

On Tue, 7 Apr 2020 at 11:01, Thomas V. Fischer notifications@github.com wrote:

@tvfischer commented on this pull request.

In README.md https://github.com/digininja/CeWL/pull/61#discussion_r404687803:

+1. Build the container :

  • sudo docker build -t cewl .
  • 
    +2. Container usage without interacting with local files :
  • sudo docker run -it --rm cewl [OPTIONS] ...
  • 
    +3. Container usage with local files as input or output :
  • you have to mount the current directory when calling the container

  • sudo docker run -it --rm -v "${PWD}:/host" cewl [OPTIONS] ...
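
Review bot: Step 3's `-v "${PWD}:/host"` bind-mounts the whole current directory into the container read-write, and the steps do not say so. Suggest a sentence telling users to run it from a directory that holds only the input and output files, or to append `:ro` to the mount when the files are input only. The steps also never say that file arguments then have to be given under `/host`.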

I'd prefer the use of sudo to be optional. We should not be running docker images as root. Perhaps remove sudo and put a comment at the beginning or the end like:

Depending on your host configuration you may need to run the docker commands using sudo


tvfischer commented 4 years ago

I've tested the PR plus the more recent comments including using ruby:alpine and adding README.md and fab.rb to the .dockerignore file. It's working ok for me.

loris-intergalactique commented 4 years ago

Hi, unfortunately, sudo is the best option to safely run docker containers, as @TheLaluka and I explained in the other PR. Here is one of the explanations (the comment):

Hey, I'm a little late but I think that having a Dockerfile would be cool for CeWL. The commands in general need sudo, because if they didn't it would mean that the user is in the docker group. Being in this group allows privilege escalation and gives access to root privileges, because Docker needs root permissions to do its work with cgroups, networks, etc.

Here is another documentation on the subject, maybe clearer than the links above. To sum up:

digininja commented 4 years ago

I don't know much about this but it seems you have two options, give the user sudo access so they can run docker or put them in the docker group which you say gives them root access.

So both scenarios give the user the ability to run docker, one as root, the other as a normal user through the group.

To me it feels like doing it through groups is a better way to lock things down as that is what they are designed for. Giving general sudo access to run a tool which doesn't need it feels wrong.

tvfischer commented 4 years ago

The escalations you highlighted are still possible under sudo.

If you read the article https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface, it actually does recommend using the docker group and, like any good access management protocol, to only add trusted users to that group.

My comment doesn't go against a user wanting to use sudo.
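
An added example, not part of the thread or of CeWL: the advice cited above, to put only trusted users in the docker group, written as an audit check. The group and passwd data and the allow-list are constructed samples; on a real host, feed in the output of `getent group` and `getent passwd` instead.

```shell
#!/bin/sh
# Added example: list accounts that are root-equivalent through the docker group.
# GROUP_DATA / PASSWD_DATA are constructed samples in /etc/group and /etc/passwd format.

GROUP_DATA='root:x:0:
sudo:x:27:alice
docker:x:998:alice,ci-runner
staff:x:50:bob'

PASSWD_DATA='root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000::/home/alice:/bin/sh
bob:x:1001:50::/home/bob:/bin/sh
ci-runner:x:1002:1002::/home/ci-runner:/bin/sh
builder:x:1003:998::/home/builder:/bin/sh'

# Print every account in a group: supplementary members from the group data
# plus accounts whose primary GID is that group (easy to miss in an audit).
group_members() {  # $1=group name, $2=group data, $3=passwd data
    gid=$(printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { print $3 }')
    [ -n "$gid" ] || return 0   # group does not exist: no members
    {
        printf '%s\n' "$2" | awk -F: -v g="$1" \
            '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
        printf '%s\n' "$3" | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
    } | sort -u
}

# Print docker group members that are missing from the space-separated allow-list.
untrusted_docker_users() {  # $1=allow-list, $2=group data, $3=passwd data
    for user in $(group_members docker "$2" "$3"); do
        case " $1 " in
            *" $user "*) ;;                 # explicitly trusted
            *) printf '%s\n' "$user" ;;     # has daemon access but was never approved
        esac
    done
}

# With only alice approved, builder (primary GID 998) and ci-runner are reported.
untrusted_docker_users "alice" "$GROUP_DATA" "$PASSWD_DATA"
```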

loris-intergalactique commented 4 years ago

Actually, yes, you are both right. The only difference is that sudo would need a password if you ever get pwned, and it would slow down a local privesc; whereas being in the docker group would make the root user pwned too. It's as you want, I agree that doing root actions for using CeWL is overkill.

digininja commented 4 years ago

I'd say let's go with running least privileged most of the time then as I'd expect there to be more chance of a local screw up by using sudo too much than a tester getting owned and there not being a ton of other ways on their box to escalate upwards.

On Tue, 7 Apr 2020 at 13:22, LORIS INTERGALACTIQUE notifications@github.com wrote:

Actually, yes, you are both right. The only difference is that sudo would need a password if you ever get pwned, and it would slow down a local privesc; whereas being in the docker group would make the root user pwned too. It's as you want :)


loris-intergalactique commented 4 years ago

Ok, as you wish :) I'm on it.

digininja commented 4 years ago

I think that is probably ready to go then.

I'll just reiterate, I will not be supporting this in the future, if anyone has any issues with it, I will direct them at you, whether you choose to support them or not is then up to you. I'll be documenting this as well, just in case.

loris-intergalactique commented 4 years ago

Ok, no problem then! It would be a pleasure :) I like to Dockerize everything

digininja commented 4 years ago

So I've noticed. Seems like massive overkill to me, but each to their own.

I'll merge all this tomorrow and do a new release.

On Tue, 7 Apr 2020, 20:55 LORIS INTERGALACTIQUE, notifications@github.com wrote:

Ok, no problem then! It would be a pleasure :) I like to Dockerize everything


loris-intergalactique commented 4 years ago

I understand your point. My idea behind suggesting a Dockerfile is to just stop worrying about dependencies or ruby versions and directly use your software.

For example, I often use diverse kinds of other scripts or libraries and Docker avoids library conflicts. It may also be pure laziness, I admit it 😄