fboaventura / dckr-mrtg

:whale: Docker MRTG Instance that will configure monitoring from the environment variable.
https://hub.docker.com/r/fboaventura/dckr-mrtg/
MIT License
26 stars 17 forks

Run the instance rootless #27

Open fboaventura opened 1 month ago

fboaventura commented 1 month ago

The idea is to configure the instance to run as an ordinary user, not as root. This will increase security and adhere to good practices.

fboaventura commented 1 month ago

I tried adding this snippet after line 45, before the CMD, but I ran into many permission-related issues.

```dockerfile
# Dedicated unprivileged user for the MRTG process.
# BusyBox adduser accepts a single -G (primary group), so the lighttpd
# membership is added with a separate addgroup call instead of a second -G.
RUN addgroup -g 142 mrtg \
    && adduser -u 142 -G mrtg -D -h /mrtg -s /bin/bash mrtg \
    && addgroup mrtg lighttpd \
    && chown -R mrtg:mrtg /etc/mrtg /mrtg \
    && chown -R lighttpd:lighttpd /mrtg/html /mrtg/cgi-bin

USER mrtg
```

These are some of the errors spotted when running `bash -x /usr/sbin/mrtg.sh`:

```
[...]
+ chmod 755 /var/cache/fontconfig
chmod: /var/cache/fontconfig: Operation not permitted
+ rm -rf /var/cache/fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-9 /var/cache/fontconfig/6ba42ae0000f58711b5caaf10d690066-le64.cache-9 /var/cache/fontconfig/CACHEDIR.TAG /var/cache/fontconfig/d9648dcd9a8755275d3d9acd40d29497-le64.cache-9
rm: can't remove '/var/cache/fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-9': Permission denied
rm: can't remove '/var/cache/fontconfig/6ba42ae0000f58711b5caaf10d690066-le64.cache-9': Permission denied
rm: can't remove '/var/cache/fontconfig/CACHEDIR.TAG': Permission denied
rm: can't remove '/var/cache/fontconfig/d9648dcd9a8755275d3d9acd40d29497-le64.cache-9': Permission denied
+ fc-cache -f
[...]
+ chown -R lighttpd:lighttpd /mrtg/html
chown: /mrtg/html/icons/mrtg-m.png: Operation not permitted
chown: /mrtg/html/icons/mrtg-r.png: Operation not permitted
chown: /mrtg/html/icons/mrtg-l.png: Operation not permitted
chown: /mrtg/html/icons: Operation not permitted
chown: /mrtg/html/icons: Operation not permitted
chown: /mrtg/html: Operation not permitted
chown: /mrtg/html: Operation not permitted
+ HTTPID=30
[...]
+ + /usr/sbin/crond wait-f 
-L /proc/self/fd/1 -l debug

/usr/sbin/mrtg.sh: line 160: /usr/sbin/crond: Permission denied
2024-09-20 17:34:01: (../src/server.c.1696) opening pid-file failed: /run/lighttpd.pid: Permission denied
2024-09-20 17:34:01: (../src/server.c.596) unlink failed for: /run/lighttpd.pid: No such file or directory
+ kill 30 31
/usr/sbin/mrtg.sh: line 1: kill: (30) - No such process
/usr/sbin/mrtg.sh: line 1: kill: (31) - No such process
```

fboaventura commented 1 month ago

I'll add a new Dockerfile and create a new tag for the non-root image to avoid breaking compatibility with running systems due to the needed change in the Lighttpd listening port.

gstrauss commented 1 month ago

lighttpd can run as a non-root user and inherit already-listening sockets, e.g. configure lighttpd to use systemd socket activation (and configure systemd lighttpd.service to create the privileged sockets), or start lighttpd from inetd/xinetd.

Also, to run as a non-root user, the paths used by lighttpd.conf, e.g. /run/lighttpd.pid in lighttpd.conf, must be changed to a location writable by the user. The same is true for log files and access to device files, if needed.
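The following is an added example, not the project's Dockerfile, showing how the two points raised in this thread fit together for the lighttpd side: ownership of every path the runtime script touched as root in the log above is settled at build time, and lighttpd gets an unprivileged port and a pid file under a user-writable directory. The Alpine base, UID 142, the /mrtg layout, port 8080 and the `rootless.conf` file are assumptions; MRTG's own cron scheduling is not covered here.

```dockerfile
# Added example, not the project's Dockerfile. Assumed Alpine base and
# package names; UID 142, /mrtg layout, port 8080 are assumptions.
FROM alpine:3.20

RUN apk add --no-cache mrtg lighttpd fontconfig

# Unprivileged user. BusyBox adduser takes one -G, so the lighttpd group
# membership is added with addgroup (lets both share /mrtg/html).
RUN addgroup -g 142 mrtg \
 && adduser -u 142 -G mrtg -D -h /mrtg -s /bin/sh mrtg \
 && addgroup mrtg lighttpd

# Every path the runtime script chowned/chmod'ed as root in the issue log
# (font cache, web root, pid dir) is created and owned at build time, so
# the entrypoint no longer needs those privileged calls at all.
RUN mkdir -p /mrtg/run /mrtg/html /mrtg/cgi-bin /etc/mrtg \
             /var/cache/fontconfig \
 && chown -R mrtg:mrtg /mrtg /etc/mrtg /var/cache/fontconfig \
 && chmod 2775 /mrtg/html /mrtg/cgi-bin \
 && fc-cache -f

# Self-contained lighttpd config: port above 1024, pid file in a directory
# the mrtg user owns (the /run/lighttpd.pid failure from the log), error
# log left on stderr so the container runtime captures it.
RUN printf '%s\n' \
    'server.port          = 8080' \
    'server.document-root = "/mrtg/html"' \
    'server.pid-file      = "/mrtg/run/lighttpd.pid"' \
    'index-file.names     = ( "index.html" )' \
    'mimetype.assign      = ( ".html" => "text/html",' \
    '                         ".png"  => "image/png",' \
    '                         ".log"  => "text/plain" )' \
    > /etc/lighttpd/rootless.conf

EXPOSE 8080
USER mrtg
CMD ["lighttpd", "-D", "-f", "/etc/lighttpd/rootless.conf"]
```

Publishing the container's 8080 on host port 80 (`-p 80:8080`) keeps external clients unchanged, which is the compatibility concern behind the separate non-root tag.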