linuxserver / docker-letsencrypt

DEPRECATED: Please use linuxserver/swag instead
GNU General Public License v3.0

dns-conf ini World-readable by Default #413

Closed lanerussell closed 4 years ago

lanerussell commented 4 years ago

Expected Behavior

ini files in dns-conf should default to permissions of 600 to limit what users can read these files containing API keys, registrar/DNS account credentials, etc.

Current Behavior

Default permissions when building the container are 644:

user@server:/opt/docker/nginx_reverseproxy/dns-conf$ ll
total 80
drwxr-xr-x  2 docker_runner docker_runner 4096 Feb  1 15:49 ./
drwxr-xr-x 12 docker_runner docker_runner 4096 Feb 24 09:28 ../
-rw-r--r--  1 docker_runner docker_runner  264 Oct 10 15:54 cloudflare.ini
-rw-r--r--  1 docker_runner docker_runner  247 Oct 10 15:54 cloudxns.ini
-rw-r--r--  1 docker_runner docker_runner  331 Feb  1 15:49 cpanel.ini
-rw-r--r--  1 docker_runner docker_runner  245 Oct 10 15:54 digitalocean.ini
-rw-r--r--  1 docker_runner docker_runner  201 Oct 10 15:54 dnsimple.ini
-rw-r--r--  1 docker_runner docker_runner  283 Oct 10 15:54 dnsmadeeasy.ini
-rw-r--r--  1 docker_runner docker_runner  292 Jan 16 14:13 domeneshop.ini
-rw-r--r--  1 docker_runner docker_runner  135 Jan 11 09:29 gandi.ini
-rw-r--r--  1 docker_runner docker_runner  178 Oct 10 15:54 google.ini
-rw-r--r--  1 docker_runner docker_runner  208 Dec 12 14:57 google.json
-rw-r--r--  1 docker_runner docker_runner  344 Oct 10 15:54 inwx.ini
-rw-r--r--  1 docker_runner docker_runner  226 Dec  3 11:17 linode.ini
-rw-r--r--  1 docker_runner docker_runner  232 Oct 10 15:54 luadns.ini
-rw-r--r--  1 docker_runner docker_runner  182 Oct 10 15:54 nsone.ini
-rw-r--r--  1 docker_runner docker_runner  341 Oct 10 15:54 ovh.ini
-rw-r--r--  1 docker_runner docker_runner  429 Oct 10 15:54 rfc2136.ini
-rw-r--r--  1 docker_runner docker_runner  258 Oct 10 15:54 route53.ini
-rw-r--r--  1 docker_runner docker_runner  402 Dec  3 11:17 transip.ini

Steps to Reproduce

  1. Build docker-compose file:
    # vim: set ft=dosini
    ---
    version: "3"
    services:
      letsencrypt:
        image: linuxserver/letsencrypt
        container_name: letsencrypt
        ports:
          - 80:80
          - 443:443
        volumes:
          - /opt/docker/nginx_reverseproxy:/config
        restart: always
        depends_on:
          - LIST
          - OF
          - CONTAINERS
        environment:
          - PUID=999
          - PGID=999
          - EMAIL=user@domain.com
          - URL=domain.com
          - SUBDOMAINS=item1,item2
          - ONLY_SUBDOMAINS=true
          - DHLEVEL=4096
          - TZ=US/Central
  2. sudo docker-compose up -d letsencrypt
  3. Files are created with permissions 644

Environment

OS: Ubuntu 18.04.4 LTS
CPU architecture: x86_64
How docker service was installed:
sudo apt install docker docker-compose

Command used to create docker container (run/create/compose/screenshot)

sudo docker-compose up -d letsencrypt

Docker logs

-------------------------------------
          _         ()
         | |  ___   _    __
         | | / __| | |  /  \ 
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid:    999
User gid:    999
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing... 
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing... 
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing... 
Variables set:
PUID=999
PGID=999
TZ=US/Central
URL=domain.com
SUBDOMAINS=item1,item2
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=4096
VALIDATION=
DNSPLUGIN=
EMAIL=user@domain.com
STAGING=

VALIDATION parameter not set; setting it to http
4096 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are:  -d item1.domain.com -d item2.domain.com
E-mail address entered: user@domain.com
http validation is selected
Certificate exists; parameters unchanged; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing... 
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
    no field package.preload['resty.core']
    no file './resty/core.lua'
    no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
    no file '/usr/local/share/lua/5.1/resty/core.lua'
    no file '/usr/local/share/lua/5.1/resty/core/init.lua'
    no file '/usr/share/lua/5.1/resty/core.lua'
    no file '/usr/share/lua/5.1/resty/core/init.lua'
    no file '/usr/share/lua/common/resty/core.lua'
    no file '/usr/share/lua/common/resty/core/init.lua'
    no file './resty/core.so'
    no file '/usr/local/lib/lua/5.1/resty/core.so'
    no file '/usr/lib/lua/5.1/resty/core.so'
    no file '/usr/local/lib/lua/5.1/loadall.so'
    no file './resty.so'
    no file '/usr/local/lib/lua/5.1/resty.so'
    no file '/usr/lib/lua/5.1/resty.so'
    no file '/usr/local/lib/lua/5.1/loadall.so')
Server ready

drizuid commented 4 years ago

To add to this, the folder is 755 and should either be 750 or 700 depending on whether the group needs access. This also implies that if the group needs access the files should be 640 rather than 600.
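An added example, not code from the issue's participants or from the linuxserver project: a script that audits a dns-conf directory against the modes described in the report and in the comment above (700/600, or 750/640 when a group legitimately needs read access) and applies them. It assumes GNU stat (`-c '%a'`); the directory path and the two-argument calling convention are this example's own.

```shell
#!/bin/sh
# Audit a dns-conf directory for credential files that are readable by more
# users than intended, as reported in the issue, and optionally tighten them.
# Requires GNU coreutils stat. Directory and file names are only illustrative.
#
# $1 = dns-conf directory, $2 = 1 if a group needs read access (then 750/640
# per the comment above); anything else means owner-only (700/600).
# Prints each entry that is too open and returns 1 if any were found.
audit_dns_conf() {
    dir=$1; group=${2:-0}; rc=0
    for path in "$dir" "$dir"/*.ini "$dir"/*.json; do
        [ -e "$path" ] || continue            # unmatched glob stays literal
        octal=$(stat -c '%a' "$path")
        mode=$((0$octal))                     # leading 0: parse as octal
        other=$((mode & 07))
        grp=$(((mode >> 3) & 07))
        if [ "$other" -ne 0 ]; then
            echo "world-accessible: $path ($octal)"; rc=1
        elif [ "$group" != 1 ] && [ "$grp" -ne 0 ]; then
            echo "group-accessible: $path ($octal)"; rc=1
        elif [ "$group" = 1 ] && [ $((grp & 02)) -ne 0 ]; then
            echo "group-writable: $path ($octal)"; rc=1
        fi
    done
    return $rc
}

# Apply the recommended modes: 700/600, or 750/640 when $2 is 1.
fix_dns_conf() {
    dir=$1; group=${2:-0}
    if [ "$group" = 1 ]; then dmode=750; fmode=640; else dmode=700; fmode=600; fi
    chmod "$dmode" "$dir"
    for path in "$dir"/*.ini "$dir"/*.json; do
        [ -f "$path" ] || continue
        chmod "$fmode" "$path"
    done
}

# When run directly: audit.sh /opt/docker/nginx_reverseproxy/dns-conf [1]
if [ -n "${1:-}" ]; then
    audit_dns_conf "$1" "${2:-0}" || echo "run fix_dns_conf to correct" >&2
fi
```

Run the audit after every container start, since the init scripts recreate missing ini files with the container's default mode.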