ich777 / docker-steamcmd-server

Simple Dockerfile that installs steamcmd and a selected game server

fix permission on run container as root #23

Closed VergilGao closed 2 years ago

VergilGao commented 2 years ago

Unlike Unraid, some NAS systems may choose to attribute all file permissions to the root user (such as https://www.zspace.cn/). When the user uses UID=0 GID=0, he will be plagued by permission issues. Use `usermod -o` / `groupmod -o` to fix this problem. We can see the LinuxServer.io image chose the same solution: https://github.com/linuxServer/docker-baseImage-ubuntu/blob/7de15ca8f48828d61498DEBD80C51F491C/Cont-init.d/10-addUser#L6

ich777 commented 2 years ago

Hi, @VergilGao first of all, thank you for the PR and going through my start script. :)

I really don't know if I will merge this because in general I'm strictly against running containers as root when there is no need to whatsoever, because this introduces various security risks that I'm not a huge fan of, especially for game servers. My issue with that is that more and more NAS systems switch over to Docker without root because root escalation is basically a bad thing, and I see more and more people (who are apparently not aware of the risks) even running their container with privileged rights when something isn't working, and that is basically the worst thing you can do.

I now also have a pretty solid user base that runs my containers on non-Unraid systems like Arch, Debian, Ubuntu and Synology NAS systems too.

With the change to the start script, you are allowing the UIDs or GIDs to be non-unique, or am I wrong?

Is this NAS system that you've linked running everything as root?

VergilGao commented 2 years ago

> With the change to the start script, you are allowing the UIDs or GIDs to be non-unique, or am I wrong?

This change will allow users to set the environment variables UID=0 GID=0 when starting Docker. Before this, if the user set UID=0 GID=0, start.sh would print

```
usermod: UID '0' already exists
groupmod: GID '0' already exists
```

but it will not exit. The code below will still run and set all data files to belong to the root user.

```sh
chown -R ${UID}:${GID} ${DATA_DIR}
```

This looks strange; if you don't want people to run as root, another solution is to forbid env values such as UID=0 GID=0.

> My issue with that is that more and more NAS systems switch over to Docker without root because root escalation is basically a bad thing, and I see more and more people (who are apparently not aware of the risks) even running their container with privileged rights when something isn't working, and that is basically the worst thing you can do.

I agree with your opinion: users shouldn't run anything as root, especially those users who don't know Linux at all.

> Is this NAS system that you've linked running everything as root?

Yes, it's very ridiculous.

ich777 commented 2 years ago

> but it will not exit. The code below will still run and set all data files to belong to the root user.

Are you really sure that it does not continue? I've now tried it on Unraid with the V-Rising branch and it just works fine, except for the other errors:

```
---Ensuring UID: 0 matches user---
usermod: UID '0' already exists
---Ensuring GID: 0 matches user---
---Setting umask to 000---
---Checking for optional scripts---
---No optional script found, continuing---
---Taking ownership of data...---
---Starting...---
SteamCMD not found!
/serverdata/steamcmd/steamcmd_linux.tar.gz: Permission denied
tar (child): /serverdata/steamcmd/steamcmd_linux.tar.gz: Cannot open: No such file or directory
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error is not recoverable: exiting now
rm: cannot remove '/serverdata/steamcmd/steamcmd_linux.tar.gz': No such file or directory
---Update SteamCMD---
/opt/scripts/start-server.sh: line 12: /serverdata/steamcmd/steamcmd.sh: No such file or directory
---Update Server---
/opt/scripts/start-server.sh: line 32: /serverdata/steamcmd/steamcmd.sh: No such file or directory
---Checking if WINE workdirectory is present---
---WINE workdirectory not found, creating please wait...---
mkdir: cannot create directory ‘/serverdata/serverfiles/WINE64’: Permission denied
---Checking if WINE is properly installed---
---Setting up WINE---
mkdir: cannot create directory ‘/serverdata/serverfiles/save-data’: Permission denied
cp: cannot stat '/serverdata/serverfiles/VRisingServer_Data/StreamingAssets/Settings': No such file or directory
---Checking for old display lock files---
chmod: changing permissions of '/serverdata': Operation not permitted
chmod: changing permissions of '/serverdata/steamcmd': Operation not permitted
chmod: changing permissions of '/serverdata/serverfiles': Operation not permitted
---Server ready---
---Start Server---
tail: cannot open '/serverdata/serverfiles/logs/VRisingServer.log' for reading: No such file or directory
tail: no files remaining
```

It looks to me like something really funky is going on with these NAS systems...

> This looks strange; if you don't want people to run as root, another solution is to forbid env values such as UID=0 GID=0.

But then this fix won't work anyway, but I think nobody (except the users with those NAS systems) will use my containers like that... Best practice should be anyway not to run any container as root that is reachable from the outside world.

> Yes, it's very ridiculous.

But then I have to say I don't want to support such NAS systems; this is, as you said, ridiculous... Do you think I can get one of those systems over here in Europe to take a closer look at this? How much is such a system? Google Translate does not really do a great job on this site... 😆

VergilGao commented 2 years ago

> Do you think I can get one of those systems over here in Europe to take a closer look at this?

It can't be gotten in Europe. But this page shows the official documentation says "set PUID=0 GUID=0": https://www.zspace.cn/help/?cid=1045&articleId=100122

> Are you really sure that it does not continue? I've now tried it on Unraid with the V-Rising branch and it just works fine, except for the other errors:

OK, it couldn't work. But it seems strange, if you don't want people to run as root. Just tell them:

```sh
# Refuse to start when the requested UID or GID is root's (0)
if [ "${UID}" -eq 0 ] || [ "${GID}" -eq 0 ]; then
    echo "Root user is not supported!" >&2
    exit 1
fi
```

> But then I have to say I don't want to support such NAS systems; this is, as you said, ridiculous...

I agree with your opinion. In fact, this PR is a bit sloppy, and the cause is a complaint from a user of my Docker program, who is using this ridiculous NAS system. The function of that program is to organize adult films to provide to Jellyfin. so ...
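The two positions in this thread (let `usermod -o` create a duplicate id, or refuse UID/GID 0 up front) can be compared in a small script. The block below is an added example for this discussion, not the repository's start.sh: it validates the requested ids the way the snippet above proposes, and renders the id changes the start script would make as a dry run so they can be reviewed without touching the system. The user name `steam`, the data directory `/serverdata` and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example, not the repository's start.sh: validate the UID/GID the
# container is asked to run as, and print the id changes as a dry run so
# they can be reviewed before usermod/groupmod/chown ever touch the system.

# check_run_ids UID GID
# Returns 0 when both ids are numeric and non-zero, 1 otherwise.
check_run_ids() {
    uid="$1"
    gid="$2"
    case "$uid" in
        ''|*[!0-9]*) echo "UID must be a number, got '${uid}'" >&2; return 1 ;;
    esac
    case "$gid" in
        ''|*[!0-9]*) echo "GID must be a number, got '${gid}'" >&2; return 1 ;;
    esac
    if [ "$uid" -eq 0 ] || [ "$gid" -eq 0 ]; then
        # Refusing here is the alternative to 'usermod -o': the server never
        # runs as root and the data directory is never chown'ed to root.
        echo "Running the game server as root (UID/GID 0) is not supported" >&2
        return 1
    fi
    return 0
}

# plan_id_changes USER UID GID DATA_DIR
# Prints the commands the start script would run (dry run, nothing executed).
# Without '-o', usermod/groupmod fail when the id is already taken, which is
# the safer behaviour: a duplicated id would silently alias another account.
plan_id_changes() {
    user="$1"; uid="$2"; gid="$3"; data_dir="$4"
    check_run_ids "$uid" "$gid" || return 1
    printf 'usermod -u %s %s\n' "$uid" "$user"
    printf 'groupmod -g %s %s\n' "$gid" "$user"
    printf 'chown -R %s:%s %s\n' "$uid" "$gid" "$data_dir"
}

# Usage with constructed values: assumed user name 'steam', assumed data
# directory /serverdata. The second call is refused with exit code 1.
plan_id_changes steam 99 100 /serverdata
plan_id_changes steam 0 0 /serverdata || echo "refused, exit code $?"
```

Because the check runs before any `usermod`, `groupmod` or `chown`, a misconfigured `UID=0 GID=0` fails fast with a readable message instead of the "already exists" warning followed by a recursive chown to root that the thread describes.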

ich777 commented 2 years ago

> But this page shows the official documentation says "set PUID=0 GUID=0"

TBH I wouldn't trust this NAS in any way if it says to use the root UID and GID...

> OK, it couldn't work. But it seems strange, if you don't want people to run as root. Just tell them:

I completely agree, but I hope you understand that this would mean that all my containers would need to be changed, and since this is a very niche issue with only that one NAS system I would not like to change them. BTW, I think this NAS has some other issues too, because I got it running on Unraid kind of by passing over --user and --group to the docker run command and also changing the user to root, but this is a really uncommon way of running the container at all.

So I think it is really an issue with this kind of NAS.

> The function of that program is to organize adult films to provide to Jellyfin.

Everyone has their own use cases... 😆

VergilGao commented 2 years ago

> Everyone has their own use cases... 😆

This is the charm of the Internet