qwc-services / qwc-docker

Docker containers for qwc-services
MIT License

pg_services.conf et al are world readable #39

Closed tpo closed 5 months ago

tpo commented 3 years ago

As of today no special consideration is given to file permissions. Each container that is started has its own set of separate user UIDs, some that map to random other UIDs on the host. The services running inside the containers, each under some arbitrary UID, need access to pg_services.conf. In order to allow launching the services at all, pg_services.conf is basically world readable.

I propose to use the following approach to tackle this problem:

tpo commented 3 years ago

Alternative approach:

Instead of instantiating a new site via a fresh docker-compose.yml, create customized docker images that inherit from the original ones and only copy pg_services.conf and/or other credentials into them.

cons:

pro:

loyeyoung commented 9 months ago

I share the same concern about file permissions, and have come to similar conclusions. I have already adopted a similar set up to my implementation.

For multi-tenant setups, it might be advisable to create a "docker" group and add qwc to that group, for those files that should be shared among various related docker projects.

HusseinKabbout commented 9 months ago

Our approach to this problem is currently to create a qwc user on the host, configure the qwc services to use this user's UID / GID and finally change the ownership of the pg_service.conf / pg_service-write.conf files to owner: qwc and group: www-data (which is 33).

HusseinKabbout commented 9 months ago

> Alternative approach:
>
> Instead of instantiating a new site via a fresh docker-compose.yml, create customized docker images that inherit from the original ones and only copy pg_services.conf and/or other credentials into them.
>
> cons:
>
> * more complex deployment process
>
> * less dynamic (one cannot simply change `pg_services.conf` and have it take effect immediately, but must docker build new docker images of everything)
>
> * maybe doesn't cover all credentials and other permission/UID problems
>
> pro:
>
> * "self contained" image
>
> * minimal permissions can be set

This is not good from a security point of view, since this would mean that container images contain passwords in cleartext.

tpo commented 5 months ago

The instructions point to https://qwc-services.github.io/ . The first entry there in the site index on the left is Quick start.

This Pull Request adds instructions to do a chmod o-rwx pg_service*.conf which should fix the world readability of the Postgres service/credentials files.

@HusseinKabbout : if you think that that's a good solution then please pull and close this ticket. Thanks!
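A small shell check for the `chmod o-rwx pg_service*.conf` fix discussed in this issue (an added example, not part of qwc-docker or of any comment above): it reports every `pg_service*.conf` that still has "other" permission bits set and applies the fix. The directory path and the sample file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of qwc-docker: verify and apply the "chmod o-rwx
# pg_service*.conf" fix from this issue. Directory paths and the sample
# credentials below are constructed for the demo.

# Print every pg_service*.conf directly under $1 that has any "other"
# permission bit (r, w or x) set. Returns 0 when none is found, 1 otherwise.
check_pg_service_perms() {
    offenders=$(find "$1" -maxdepth 1 -name 'pg_service*.conf' \
        \( -perm -o=r -o -perm -o=w -o -perm -o=x \) 2>/dev/null)
    if [ -n "$offenders" ]; then
        printf 'world-accessible: %s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# Strip the "other" bits from every pg_service*.conf directly under $1.
# Ownership (the thread suggests owner qwc, group www-data / GID 33) is left
# to an administrator's chown, since it needs root and matching host users.
fix_pg_service_perms() {
    find "$1" -maxdepth 1 -name 'pg_service*.conf' -exec chmod o-rwx {} +
}

# Demo: a constructed pg_service.conf with a dummy password, world-readable.
demo_dir=$(mktemp -d)
printf '[qwc_configdb]\nhost=db\nuser=qwc\npassword=EXAMPLE_ONLY\n' \
    > "$demo_dir/pg_service.conf"
chmod 644 "$demo_dir/pg_service.conf"

check_pg_service_perms "$demo_dir" || echo "before fix: world-readable"
fix_pg_service_perms "$demo_dir"
check_pg_service_perms "$demo_dir" && echo "after fix: only owner/group can read"
rm -rf "$demo_dir"
```

Run it as the user that owns the files; the check only looks at the "other" bits, so a file readable by a too-broad group still passes and group membership has to be reviewed separately.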