Closed Cheezzhead closed 2 weeks ago
Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.
> If POST=1, the operations are allowed even if the above environment variables are set to 0.
This is not correct.
environment:
  - ALLOW_START=0
  - ALLOW_STOP=0
  - ALLOW_RESTARTS=0
  - CONTAINERS=1
  - POST=1
172.22.0.51 - - [20/Aug/2024:17:34:47 +0000] "POST /containers/d8de6a4266a57cd65d149a0f19fdc3be5b6ce0a8b6f7dabb0ae4c3a7d4d8715d/stop HTTP/1.1" 403 146 "https://portainer.example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0"
Note the 403. nginx parses locations starting with the most specific path and so will hit the stop/start/restart/kill locations and return a 403 before hitting the generic container location.
Now, I am open to adding variables for allowing Start/Stop/Restart without POST=1 if it's desired functionality.
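A small model of the behaviour described in this thread, as an added example that is not the project's code: the regexes, the `decide` and `matrix` helpers and the use of 200 to mean "proxied to Docker" are assumptions, while the variable names and the 403 outcome come from the thread.

```python
import re

# Assumed stand-ins for the proxy's nginx locations (not the real templates).
ACTION_RE = re.compile(r"^(?:/v[\d.]+)?/containers/[^/]+/(start|stop|restart)$")
GENERIC_RE = re.compile(r"^(?:/v[\d.]+)?/containers(?:/|$)")
ACTION_FLAG = {"start": "ALLOW_START", "stop": "ALLOW_STOP",
               "restart": "ALLOW_RESTARTS"}
READ_ONLY = {"GET", "HEAD"}


def decide(env, method, path):
    """Return the status the proxy answers with; 200 stands for 'proxied'."""
    def on(name):
        return str(env.get(name, "0")) == "1"

    path = path.split("?", 1)[0]
    action = ACTION_RE.match(path)
    if action:
        # The action location wins over the generic one, so ALLOW_*=0 is a
        # hard deny that POST=1 cannot override.
        if not on(ACTION_FLAG[action.group(1)]):
            return 403
        # ALLOW_*=1 alone is not enough: the method gate still applies.
        return 200 if method in READ_ONLY or on("POST") else 403
    if GENERIC_RE.match(path):
        if not on("CONTAINERS"):
            return 403
        return 200 if method in READ_ONLY or on("POST") else 403
    return 403  # nothing else is exposed in this model


def matrix(action="stop"):
    """Status of POST /containers/<id>/<action> for every POST/ALLOW_* pair."""
    flag = ACTION_FLAG[action]
    return {
        (post, allow): decide({"CONTAINERS": "1", "POST": post, flag: allow},
                              "POST", f"/containers/abc123/{action}")
        for post in ("0", "1") for allow in ("0", "1")
    }


if __name__ == "__main__":
    # Constructed from the environment block and log line quoted in the thread.
    env = {"ALLOW_START": "0", "ALLOW_STOP": "0", "ALLOW_RESTARTS": "0",
           "CONTAINERS": "1", "POST": "1"}
    print(decide(env, "POST", "/containers/abc123/stop"))  # container id shortened
    print(matrix("stop"))
```

In this model only the (POST=1, ALLOW_*=1) combination is proxied, so the two settings behave as a logical AND.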
> This is not correct.
Ah, apologies. I do remember quickly testing that scenario prior to posting but probably didn't really look at the response properly.
> Now, I am open to adding variables for allowing Start/Stop/Restart without POST=1 if it's desired functionality.
I think it would be. I'm open to making a PR, though my proposed solution (changing the limit_except directives) would probably be too minimal to warrant one?
It's fine, I'll put together a PR to change the behaviour and update the documentation.
Is there an existing issue for this?
Current Behavior
ALLOW_START, ALLOW_STOP, ALLOW_RESTARTS are all POST methods.
Currently, the behavior is:
- If POST=0, the start/stop/restart operations are denied irregardless of the above environment variables.
- If POST=1, the operations are allowed even if the above environment variables are set to 0.
So as it stands, these permissions have no practical effect.
I would assume the problem is easily fixed by adjusting the respective limit_except directives in the template files, e.g.:
(Side note: I would also leave out HEAD because it is implied by GET)
Expected Behavior
The ALLOW_ permissions should supersede the POST permissions, or they should be deprecated.
Steps To Reproduce
Attempting to start/stop/restart a container in (for example) Portainer will fail, using the configuration provided below.
Environment
Docker creation
docker-socket.env:
Container logs