itzg / docker-minecraft-server

Docker image that provides a Minecraft Server that will automatically download the selected version at startup
https://docker-minecraft-server.readthedocs.io/
Apache License 2.0

Run 'docker exec mc-server mc-send-to-console' prompts 'Permission denied' on arm64 #1208

Closed qibao07 closed 2 years ago

qibao07 commented 2 years ago

Describe the problem

Running docker exec mc-server mc-send-to-console tp @e 1 1 1 works normally on Windows WSL Docker, but on arm64 (Raspberry Pi 4B with Ubuntu) it prompts /usr/local/bin/mc-send-to-console: line 15: /tmp/minecraft-console-in: Permission denied.

Container definition

SERVER_NAME=mc-server
docker run -d -it \
  --name $SERVER_NAME \
  -v $(pwd)/data:/data \
  -e TYPE=FORGE \
  -e VERSION=1.12.2 \
  -e FORGE_INSTALLER=forge-1.12.2-14.23.5.2855-installer.jar \
  -e EULA=TRUE \
  -e ONLINE_MODE=FALSE \
  -p 57231:25565 \
  itzg/minecraft-server:java8-multiarch

Container logs

ubuntu@ubuntu ~/T/mc-server (master) [1]> ./cmd.sh tp @e 1 1 1
++ dirname ./cmd.sh
+ cd .
+ . .setting.sh
++ SERVER_NAME=mc-server
++ FRPC_NAME=mc-frpc
+ cmd tp @e 1 1 1
+ docker exec mc-server mc-send-to-console tp @e 1 1 1
/usr/local/bin/mc-send-to-console: line 15: /tmp/minecraft-console-in: Permission denied

StoneLabs commented 2 years ago

It appears that the /tmp/minecraft-console-in pipe is somehow read-only.

This is most likely a permission problem. But it is a little weird:

root@c01c0cbb8b61:/tmp# ls -alsh minecraft-console-in 
0 prw-rw-rw- 1 minecraft minecraft 0 Dec 17 09:56 minecraft-console-in

root@c01c0cbb8b61:/tmp# echo "say test" > minecraft-console-in 
bash: minecraft-console-in: Permission denied

root@c01c0cbb8b61:/tmp# chown root:root minecraft-console-in 
root@c01c0cbb8b61:/tmp# echo "say test" > minecraft-console-in 
# The above works fine.

StoneLabs commented 2 years ago

Oh, I see, the problem is that fs.protected_fifos=1 prevents any user (including root) from writing to a pipe not owned by said user.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=30aba6656f61ed44cba445a3c0d38b296fa9e8f5

==============================================================

protected_fifos:

The intent of this protection is to avoid unintentional writes to an attacker-controlled FIFO, where a program expected to create a regular file.

When set to "0", writing to FIFOs is unrestricted.

When set to "1" don't allow O_CREAT open on FIFOs that we don't own in world writable sticky directories, unless they are owned by the owner of the directory.

When set to "2" it also applies to group writable sticky directories.

This protection is based on the restrictions in Openwall.

If we weren't in a docker container this would be as easy as doing sysctl fs.protected_fifos=0. However, that is disabled inside the container. I don't know what the best practice is in this case tbh. I'll leave this to someone else.
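The protected_fifos rule quoted above, and the O_CREAT detail behind it, as an added example (Python; this is not code from itzg/docker-minecraft-server or from the thread participants). The first function mirrors the documented decision so you can evaluate a directory/FIFO/caller combination without root or a kernel with the sysctl enabled; the second writes to an existing FIFO with a plain O_WRONLY open, which carries no O_CREAT and is therefore not subject to the rule. Shell redirection such as echo "say test" > minecraft-console-in always opens with O_CREAT, which is why the commands above were refused. The function names, the uid of the minecraft user (assumed 1000) and the temp-dir round trip are assumptions for illustration.

```python
"""Model of the fs.protected_fifos check plus a FIFO writer that avoids O_CREAT.

Added example, not code from itzg/docker-minecraft-server.  Function names,
the assumed uid 1000 for the "minecraft" user and the temp-dir round trip are
illustrative assumptions.
"""
import os
import stat
import tempfile
import threading


def protected_fifos_denies(level, o_creat, dir_mode, dir_uid, fifo_uid, caller_fsuid):
    """Return True if the documented protected_fifos rule rejects this open.

    With fs.protected_fifos >= 1, an O_CREAT open of an existing FIFO in a
    sticky, world-writable directory is refused unless the caller owns the FIFO
    or the FIFO is owned by the directory owner.  Level 2 extends the rule to
    group-writable sticky directories.  Root gets no exemption.
    """
    if level == 0 or not o_creat:
        return False                      # rule only applies to O_CREAT opens
    if not (dir_mode & stat.S_ISVTX):
        return False                      # directory is not sticky
    if fifo_uid == dir_uid or fifo_uid == caller_fsuid:
        return False                      # owner exemptions
    if dir_mode & 0o002:
        return True                       # world-writable sticky dir (level >= 1)
    if (dir_mode & 0o020) and level >= 2:
        return True                       # group-writable sticky dir (level 2)
    return False


def send_to_fifo(path, line):
    """Write one line to an existing FIFO using O_WRONLY only.

    Shell redirection (`echo x > fifo`) opens with O_CREAT and so triggers the
    rule; a plain O_WRONLY open does not, even for a FIFO owned by another user
    in /tmp.  The open blocks until a reader has the FIFO open.
    """
    fd = os.open(path, os.O_WRONLY)       # no O_CREAT: not subject to protected_fifos
    try:
        os.write(fd, (line.rstrip("\n") + "\n").encode())
    finally:
        os.close(fd)


def roundtrip(line="say test"):
    """Create a FIFO in a private temp dir, read it in a thread, write from here."""
    with tempfile.TemporaryDirectory() as d:
        fifo = os.path.join(d, "console-in")
        os.mkfifo(fifo)
        got = []

        def reader():
            with open(fifo, "r") as f:    # blocks until a writer opens
                got.append(f.readline())

        t = threading.Thread(target=reader)
        t.start()
        send_to_fifo(fifo, line)          # pairs up with the blocked reader
        t.join()
        return got[0].rstrip("\n")


if __name__ == "__main__":
    # Scenario from the issue: /tmp is mode 01777 owned by root (uid 0), the FIFO
    # is owned by "minecraft" (uid 1000 assumed) and root (fsuid 0) runs
    # `echo "say test" > /tmp/minecraft-console-in`, i.e. an O_CREAT open.
    print("denied before chown:    ", protected_fifos_denies(1, True, 0o1777, 0, 1000, 0))
    print("denied after chown root:", protected_fifos_denies(1, True, 0o1777, 0, 0, 0))
    print("denied with O_WRONLY:   ", protected_fifos_denies(1, False, 0o1777, 0, 1000, 0))
    print("roundtrip:", roundtrip())
```

Two practical notes follow from the model. First, fs.* sysctls are not namespaced, so the value seen inside the container is the host's, and changing it means changing it on the host (or its distribution default), not in the container. Second, the two exemptions give the non-sysctl options: have the writer own the FIFO, have the FIFO owned by the directory's owner (which is what the chown root:root above achieved, since /tmp belongs to root), or keep the FIFO out of a world-writable sticky directory altogether.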

itzg commented 2 years ago

Can someone test out the image itzg/minecraft-server:fix-1208? I haven't been able to recreate the issue myself.