sipcapture / homer

HOMER - 100% Open-Source SIP, VoIP, RTC Packet Capture & Monitoring
https://sipcapture.org
GNU Affero General Public License v3.0

The problem with LDAP group in homer-webapp docker container #592

Open perrfect opened 1 year ago

perrfect commented 1 year ago

Hello. I have some problems with LDAP_USERGROUP in the homer-webapp docker container, in the /usr/local/homer/etc/webapp_config.json config. When the container is restarted, the usergroup changes from "usergroup": "sec_homer_users" to "usergroup": "sec_roots". Only removing the container helps. I pass this group to the config via docker-compose, as: "LDAP_USERGROUP=sec_homer_users"

kYroL01 commented 1 year ago

> When the container is restarted, the usergroup changes from "usergroup": "sec_homer_users" to "usergroup": "sec_roots".

This seems like a permission escalation that depends on the container. The restart seems to invalidate the policy.

More information is needed in order to reproduce the issue.

If you find a solution, please share it for the community's benefit.

Thank you

P.S. Don't forget to STAR our project :)

perrfect commented 1 year ago

> > When the container is restarted, the usergroup changes from "usergroup": "sec_homer_users" to "usergroup": "sec_roots".
>
> This seems like a permission escalation that depends on the container. The restart seems to invalidate the policy.
>
> More information is needed in order to reproduce the issue.
>
> If you find a solution, please share it for the community's benefit.

Hello. I've done additional tests and it looks like the problem is not in the permissions. If I set the env variable "LDAP_USERGROUP=homer_user" in a docker-compose.yml file and run it, everything inside the homer-webapp container is OK. But when I stop the container and start it again, in the container's config /usr/local/homer/etc/webapp_config.json the parameter "usergroup" looks like "usergroup": "root". Maybe the problem is in this script docker-entrypoint.d/1 @adubovikov Could you please check?

lmangani commented 1 year ago

> Maybe the problem is in this script docker-entrypoint.d/1

What would the issue be? The relevant parts of the init script are simply replacing the ENV values in the template, so I see no reason why the json config results should differ between restarts. Are you mounting the config file using a volume on your filesystem?

perrfect commented 1 year ago

> What would the issue be? The relevant parts of the init script are simply replacing the ENV values in the template, so I see no reason why the json config results should differ between restarts. Are you mounting the config file using a volume on your filesystem?

No, I don't mount the config file and don't use a volume. I'm using only this docker-compose file:

```yaml
  homer-webapp:
    container_name: homer-webapp
    image: sipcapture/webapp
    environment:
      - "LOKI_HOST=loki"
      - "PROM_HOST=prometheus"
      - "DB_HOST=db"
      - "DB_USER=root"
      - "DB_PASS=homerSeven"
      - "AUTH_TYPE=ldap"
      - "LDAP_BASE=dc=ipa,dc=example,dc=com"
      - "LDAP_HOST=ipa.example.com"
      - "LDAP_PORT=636"
      - "LDAP_SSL=true"
      - "LDAP_SKIP_TLS=false"
      - "LDAP_SKIP_VERIFY=true"
      - "LDAP_ANONYMOUS=false"
      - "LDAP_BIND_DN=uid=homer,cn=users,cn=accounts,dc=ipa,dc=example,dc=com"
      - "LDAP_BIND_PASS=password"
      - "LDAP_USER_FILTER=(\\&(objectClass=person)(uid=%s))"
      - "LDAP_GROUP_FILTER=(member=%s)"
      - "LDAP_USER_DN=uid=%s,cn=users,cn=accounts,dc=ipa,dc=example,dc=com"
      - "LDAP_ADMINGROUP=homer_admins"
      - "LDAP_USERMODE=false"
      - "LDAP_ADMINMODE=false"
      - "LDAP_USERGROUP=homer_users"
      - "HOMER_LOGLEVEL=debug"
    restart: unless-stopped
    ports:
      - "9080:80"
    volumes:
      - ./bootstrap:/app/bootstrap
    depends_on:
      db:
        condition: service_healthy
      grafana:
        condition: service_healthy
```

You can try it and you will get the same error. The problem reproduces on the production server and on a new test server with the default configs from GitHub.

perrfect commented 1 year ago

@lmangani The problem is reproduced on Ubuntu and Rocky Linux. Steps to reproduce:

  1. Add the environment variables from the comment above to homer7-docker/heplify-server/hom7-prom-all/docker-compose.yml
  2. Run docker compose: sudo docker compose up -d
  3. Go into the homer-webapp container and check the parameter "usergroup" in /usr/local/homer/etc/webapp_config.json. At this step everything is OK.
  4. Stop the homer-webapp container: sudo docker compose stop homer-webapp
  5. Start it again: sudo docker compose start homer-webapp
  6. Go into the homer-webapp container (sudo docker exec -it homer-webapp /bin/bash); the parameter "usergroup" now has the value "usergroup": "roots"

perrfect commented 12 months ago

@lmangani Did you check it?

lmangani commented 12 months ago

@perrfect no but perhaps @adubovikov or @hamidrhashmi can help with this

perrfect commented 12 months ago

@adubovikov Can you help please and check?

bilalrao12 commented 6 months ago

@lmangani @adubovikov there is a search-and-replace for the homer_user string in entrypoint.sh; that's why @perrfect's group name (hepic_users) is being replaced with 'roots'.

https://github.com/sipcapture/homer-app/blob/master/docker/docker-entrypoint.d/1#L16C6-L16C6
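The mechanism named in the last comment, and the restart sequence in the reproduction steps above, can be shown with a small script. This is an added example, not the project's docker-entrypoint.d/1 (whose contents are not on this page); the template fragment, the placeholder names and the exact sed calls are assumptions. It models an entrypoint that substitutes the literal DB-user placeholder `homer_user` with `$DB_USER` in the config file in place. On the first start the template is rendered correctly. On a restart the already rendered file is processed again, and the substring `homer_user` inside the substituted value `homer_users` is replaced with `root`, which is exactly how `homer_users` becomes `roots`, `sec_homer_users` becomes `sec_roots`, and `homer_user` becomes `root` as reported in the thread. The hardened variant renders from the untouched template on every start and matches the placeholder only as a whole JSON string value, so repeated runs are idempotent.

```shell
#!/bin/sh
# Added example: reconstructs the non-idempotent substitution described in
# the issue. It is NOT the real sipcapture/homer-app entrypoint; the template
# below, the placeholder names and the sed expressions are assumptions.

# Environment as in the reporter's docker-compose.yml (values are examples).
DB_USER="${DB_USER:-root}"
LDAP_USERGROUP="${LDAP_USERGROUP:-homer_users}"

# Hypothetical template fragment. "homer_user" is the DB user placeholder,
# LDAP_USERGROUP_PLACEHOLDER stands in for the LDAP group placeholder.
TEMPLATE='{
  "database_config": { "user": "homer_user" },
  "ldap_config": { "usergroup": "LDAP_USERGROUP_PLACEHOLDER" }
}'

# Naive entrypoint: copy the template only if no config exists yet, then
# substitute in place on whatever file is there. Each container start runs
# this again on the previously rendered file, so the second pass matches
# "homer_user" inside the value "homer_users" and turns it into "roots".
naive_render() {
  cfg="$1"
  [ -f "$cfg" ] || printf '%s\n' "$TEMPLATE" > "$cfg"
  tmp="$cfg.tmp"
  sed "s/homer_user/${DB_USER}/g; s/LDAP_USERGROUP_PLACEHOLDER/${LDAP_USERGROUP}/g" \
    "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Hardened entrypoint: always render from the pristine template (never from
# the previous output) and anchor each placeholder as a complete JSON string
# value, so it cannot match inside a longer token. Running it N times yields
# the same file as running it once.
safe_render() {
  cfg="$1"
  printf '%s\n' "$TEMPLATE" \
    | sed "s/\"homer_user\"/\"${DB_USER}\"/g" \
    | sed "s/\"LDAP_USERGROUP_PLACEHOLDER\"/\"${LDAP_USERGROUP}\"/g" \
    > "$cfg"
}

# Extract the rendered "usergroup" value from a config file.
usergroup_of() {
  sed -n 's/.*"usergroup": *"\([^"]*\)".*/\1/p' "$1"
}

# Demo: first start, restart, and the same sequence with the safe renderer.
demo() {
  d=$(mktemp -d)
  naive_render "$d/naive.json"
  printf 'naive, first start:  %s\n' "$(usergroup_of "$d/naive.json")"
  naive_render "$d/naive.json"
  printf 'naive, after restart: %s\n' "$(usergroup_of "$d/naive.json")"
  safe_render "$d/safe.json"
  safe_render "$d/safe.json"
  printf 'safe, after restart:  %s\n' "$(usergroup_of "$d/safe.json")"
  rm -rf "$d"
}

demo
```

Two caveats for anyone fixing an entrypoint like this: rendering from the template each start is what removes the bug, anchoring the placeholder only narrows it; and because the values end up in a sed replacement, characters such as `&` and the `/` delimiter are interpreted by sed, which is worth remembering when a value like LDAP_USER_FILTER contains them.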