Closed qibao07 closed 2 years ago
It appears that the /tmp/minecraft-console-in pipe is somehow read-only.
This is most likely a permission problem. But it is a little weird:
root@c01c0cbb8b61:/tmp# ls -alsh minecraft-console-in
0 prw-rw-rw- 1 minecraft minecraft 0 Dec 17 09:56 minecraft-console-in
root@c01c0cbb8b61:/tmp# echo "say test" > minecraft-console-in
bash: minecraft-console-in: Permission denied
root@c01c0cbb8b61:/tmp# chown root:root minecraft-console-in
root@c01c0cbb8b61:/tmp# echo "say test" > minecraft-console-in
# The above works fine.
Oh, I see, the problem is that fs.protected_fifos=1 prevents any user (including root) from writing to a pipe not owned by said user.
==============================================================
protected_fifos:
The intent of this protection is to avoid unintentional writes to an attacker-controlled FIFO, where a program expected to create a regular file.
When set to "0", writing to FIFOs is unrestricted.
When set to "1" don't allow O_CREAT open on FIFOs that we don't own in world writable sticky directories, unless they are owned by the owner of the directory.
When set to "2" it also applies to group writable sticky directories.
This protection is based on the restrictions in Openwall.
If we weren't in a Docker container this would be as easy as doing sysctl fs.protected_fifos=0. However, that is disabled inside the container. I don't know what the best practice is in this case tbh. I'll leave this to someone else.
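The quoted protected_fifos rule applied to the terminal session above, as an added example that is not code from this thread or from the itzg/minecraft-server project. The function names, the uid 1000 for the minecraft user and the /tmp mode 1777 owned by root are assumptions made for illustration.

```python
import os
import stat


def fifo_open_denied(protected_fifos, dir_mode, dir_uid, fifo_uid, opener_uid, o_creat=True):
    """Apply the quoted protected_fifos rule to one open() of an existing FIFO."""
    if protected_fifos == 0 or not o_creat:
        return False                  # protection off, or the open does not use O_CREAT
    if not dir_mode & stat.S_ISVTX:
        return False                  # only sticky directories are covered
    if fifo_uid in (opener_uid, dir_uid):
        return False                  # our own FIFO, or one owned by the directory owner
    if dir_mode & stat.S_IWOTH:
        return True                   # world-writable sticky directory: levels 1 and 2
    return bool(dir_mode & stat.S_IWGRP) and protected_fifos >= 2


def check_path(fifo_path, opener_uid=None):
    """Evaluate the rule for a real FIFO using the live sysctl and stat() data."""
    try:
        with open("/proc/sys/fs/protected_fifos") as f:
            level = int(f.read())
    except (OSError, ValueError):
        level = 0                     # assumption: no sysctl file means no protection
    st = os.stat(fifo_path)
    if not stat.S_ISFIFO(st.st_mode):
        raise ValueError(f"{fifo_path} is not a FIFO")
    parent = os.stat(os.path.dirname(os.path.abspath(fifo_path)))
    uid = os.geteuid() if opener_uid is None else opener_uid
    return fifo_open_denied(level, parent.st_mode, parent.st_uid, st.st_uid, uid)


if __name__ == "__main__":
    TMP_MODE = 0o41777   # constructed: drwxrwxrwt, directory owned by root (uid 0)
    MINECRAFT = 1000     # constructed uid standing in for the "minecraft" user
    # root redirecting into a minecraft-owned FIFO in /tmp (shell redirection uses O_CREAT)
    print("before chown:", fifo_open_denied(1, TMP_MODE, 0, MINECRAFT, 0))
    # the same write after chown root:root on the FIFO
    print("after chown: ", fifo_open_denied(1, TMP_MODE, 0, 0, 0))
```

Running check_path("/tmp/minecraft-console-in") inside the container reports whether the current user's redirect into that pipe would be refused under the host's setting.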
Can someone test out the image itzg/minecraft-server:fix-1208? I haven't been able to recreate the issue myself.
Describe the problem
It is normal to run docker exec mc-server mc-send-to-console tp @e 1 1 1 on Windows WSL Docker, but arm64 (Raspberry Pi 4B with Ubuntu) prompts /usr/local/bin/mc-send-to-console: line 15: /tmp/minecraft-console-in: Permission denied.
Container definition
Container logs