linuxserver / docker-openssh-server

GNU General Public License v3.0

[BUG] confusing init-adduser behavior when picking a USER_NAME which collides with system user #93

Closed chrishoage closed 3 days ago

chrishoage commented 2 weeks ago

Is there an existing issue for this?

Current Behavior

When specifying a USER_NAME and this user exists already (e.g. listed in /etc/passwd), usermod fails with an error and authorized_keys is looked up from /sbin.

Currently this log is all that is present to signify there is an issue: usermod: user 'sync' already exists

I missed this log initially and only saw it once I found the issue after looking at the ssh debug logs.

Expected Behavior

An error should be raised and the container should exit

Steps To Reproduce

Set USER_NAME to one of these users (I was using sync which was producing the error)

sync_server:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
guest:x:405:1000:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
klogd:x:100:101:klogd:/dev/null:/sbin/nologin

Environment

- OS: Arch Linux
- How docker service was installed: pacman

CPU architecture

x86-64

Docker creation

docker compose up with SYNC_SSH_PUBLIC_KEY and SYNC_SSH_PUBLIC_KEY set in env

services:
  sftp-server:
    image: lscr.io/linuxserver/openssh-server:latest
    container_name: openssh_server
    hostname: sync_server
    environment:
      - PUID=1000
      - PGID=1000
      - PUBLIC_KEY=${SYNC_SSH_PUBLIC_KEY:?}
      - USER_NAME=sync
      - LOG_STDOUT=true
    volumes:
      - ./data:/data
      - ./ssh:/config
  alpine-test:
    image: alpine:latest
    container_name: alpine-test
    hostname: alpine-test
    volumes:
      - ./alpine:/config
    secrets:
      - source: sync_ssh_private_key
        mode: 0400
    command: ["tail", "-f", "/dev/null"]

secrets:
  sync_ssh_private_key:
    environment: SYNC_SSH_PRIVATE_KEY

Container logs

❯ op run --env-file secrets.env -- docker compose up --force-recreate --always-recreate-deps
 Container alpine-test  Recreate
 Container openssh_server  Recreate
 Container openssh_server  Recreated
 Container alpine-test  Recreated
Attaching to alpine-test, openssh_server
openssh_server  | [migrations] started
openssh_server  | [migrations] no migrations found
openssh_server  | usermod: user 'sync' already exists
openssh_server  | ───────────────────────────────────────
openssh_server  |
openssh_server  |       ██╗     ███████╗██╗ ██████╗
openssh_server  |       ██║     ██╔════╝██║██╔═══██╗
openssh_server  |       ██║     ███████╗██║██║   ██║
openssh_server  |       ██║     ╚════██║██║██║   ██║
openssh_server  |       ███████╗███████║██║╚██████╔╝
openssh_server  |       ╚══════╝╚══════╝╚═╝ ╚═════╝
openssh_server  |
openssh_server  |    Brought to you by linuxserver.io
openssh_server  | ───────────────────────────────────────
openssh_server  |
openssh_server  | To support LSIO projects visit:
openssh_server  | https://www.linuxserver.io/donate/
openssh_server  |
openssh_server  | ───────────────────────────────────────
openssh_server  | GID/UID
openssh_server  | ───────────────────────────────────────
openssh_server  |
openssh_server  | User UID:    1000
openssh_server  | User GID:    0
openssh_server  | ───────────────────────────────────────
openssh_server  | Linuxserver.io version: 9.7_p1-r4-ls172
openssh_server  | Build-date: 2024-11-10T18:48:18+00:00
openssh_server  | ───────────────────────────────────────
openssh_server  |
openssh_server  | User name is set to sync
openssh_server  | sudo is disabled.
openssh_server  | SSH host public key(s):

and the debug log that led me to understand what was happening

openssh_server  | debug1: temporarily_use_uid: 1000/0 (e=1000/0)
openssh_server  | debug1: trying public key file /sbin/.ssh/authorized_keys
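
The fail-closed check asked for under Expected Behavior, as an added example that is not part of the original issue or of the linuxserver.io init scripts. The function names, return codes and the sample passwd file are assumptions made for illustration; the three passwd entries are copied from the report.

```shell
#!/bin/sh
# Added example (hypothetical helper, not linuxserver.io's init code):
# fail closed when USER_NAME matches an account that already exists.

# passwd_field NAME FIELD [FILE]: print one field of NAME's passwd entry.
# Exact match on field 1, so "sync" does not match "syncuser".
passwd_field() {
    awk -F: -v u="$1" -v f="$2" '
        $1 == u { print $f; found = 1; exit }
        END     { exit (found ? 0 : 1) }
    ' "${3:-/etc/passwd}"
}

# check_user_name NAME [FILE]
#   returns 0 = name is free, 1 = collides with existing account, 2 = unusable
check_user_name() {
    name=$1
    file=${2:-/etc/passwd}
    case $name in
        ''|*:*) echo "USER_NAME '$name' is empty or contains ':'" >&2; return 2 ;;
    esac
    if home=$(passwd_field "$name" 6 "$file"); then
        uid=$(passwd_field "$name" 3 "$file")
        shell=$(passwd_field "$name" 7 "$file")
        echo "USER_NAME '$name' already exists (uid=$uid, shell=$shell)" >&2
        # sshd resolves the default AuthorizedKeysFile relative to this home.
        echo "sshd would look for keys in $home/.ssh/authorized_keys" >&2
        return 1
    fi
    return 0
}

# Constructed sample: three entries copied from the /etc/passwd in the report.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/sh
sync:x:5:0:sync:/sbin:/bin/sync
nobody:x:65534:65534:nobody:/:/sbin/nologin
EOF

# An init script would `exit 1` here; the demo only reports the status.
check_user_name sync "$SAMPLE" || echo "refusing to start (status $?)"
check_user_name backup "$SAMPLE" && echo "USER_NAME 'backup' is free"
```

Run against the image's own /etc/passwd before the user is renamed, a non-zero status is the signal to stop the container instead of continuing with the pre-existing account's UID, home directory and shell.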

github-actions[bot] commented 2 weeks ago

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.