Closed jeslinmx closed 1 week ago
pldubouilh
commented
4 years ago interesting - just throwing this (untested) can you try using plain ubuntu docker image (instead of alpine) and with a gossa build with the cgo_enabled directive removed ?
I'll merge your other PRs next week - probably along with the few other changes I did in #30 :)
jeslinmx
commented
4 years ago Testing: https://github.com/pldubouilh/gossa/compare/master...jeslinmx:hotfix
...nope, it doesn't work.
pldubouilh
commented
1 week ago hey @jeslinmx, don't know if it's related to the new docker image, or a bugfix in docker - but I think this is resolved :+1:
; docker run --cap-drop=ALL --cap-add=SETUID --cap-add=SETGID -v ~/LocalDirToShare:/shared -ti -p 8001:8001 gossa /bin/sh
Gossa starting on directory /shared
Verbose: false, Symlinks: false, Read-Only: false, Hidden-Files Skipped: true
Listening on http://0.0.0.0:8001/
Following the recommendations on https://www.redhat.com/en/blog/secure-your-containers-one-weird-trick, I was seeing if I could secure my docker set-up a little by dropping all capabilities. This works fine on many containers without any changes, except those that bind to a port number below 1024 by default (since that requires net_bind_service).
For some reason, gossa is unable to make any changes to the volume mounted on /shared without dac_override (uploads and deletions just fail silently). From
man 7 capabilities:Now, I don't know much about capabilities or how Go writes files, but 2 things have got me confused:
(I recognize this is probably not an issue with gossa but with my lack of understanding, so if anyone could indulge me with an explanation I would be extremely thankful)