
no-new-privileges not working

Open azertylr opened this issue 1 year ago • 1 comments

Hello,

When I run collabora with no-new-privileges=true, the server doesn't start.

Collabora version: 23.05.7.5

code:
    image: collabora/code:latest
    container_name: collabora
    user: "cool" 
    cap_add:
      - SYS_CHROOT
      - SYS_ADMIN
      - MKNOD
      - FOWNER
      - CHOWN
      - SETPCAP
    security_opt:
      - no-new-privileges=true

I have the following error:

 ERR  Capability cap_chown is not set for the coolforkit program.| kit/ForKit.cpp:228
 ERR  Capability cap_mknod is not set for the coolforkit program.| kit/ForKit.cpp:228
 ERR  Capability cap_sys_chroot is not set for the coolforkit program.| kit/ForKit.cpp:228
 ERR  Capability cap_fowner is not set for the coolforkit program.| kit/ForKit.cpp:228

And the server is restarting in a loop.

Thanks

Feb 01 '24 19:02 azertylr

It is working with "security.capabilities=false".

I don't know if this is recommended.

code:
  image: collabora/code:latest
  user: "cool"
  environment:
     - extra_params=--o:security.capabilities=false --o:ssl.enable=true
  security_opt:
    - no-new-privileges=true

Feb 09 '24 17:02 azertylr
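
To inspect the state behind the ForKit.cpp errors in this thread, the following added example (not code from the issue or from the Collabora project) parses `/proc/<pid>/status` text and reports the NoNewPrivs flag and whether each capability named in the log is effective or only in the bounding set. The kernel does not apply file capabilities at `execve` when no_new_privs is set; that coolforkit normally obtains its capabilities that way is an assumption, and the sample status text is constructed.

```shell
#!/bin/sh
# Added diagnostic sketch, not code from the issue or from Collabora.
# Reads /proc/<pid>/status text on stdin and reports, for the capabilities
# named in the ForKit.cpp errors, where each one is present.

# name:bit pairs; bit numbers are from linux/capability.h.
REQUIRED="cap_chown:0 cap_fowner:3 cap_sys_chroot:18 cap_mknod:27"

# status_field NAME: print the value of the "NAME:" line from stdin.
status_field() {
    awk -v k="$1:" '$1 == k { print $2; exit }'
}

# has_bit HEXMASK BIT: succeed if bit BIT is set in HEXMASK.
has_bit() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# check_status: print no_new_privs, then one line per required capability:
# effective, bounding-only (allowed for the container but not held), or absent.
check_status() {
    status=$(cat)
    nnp=$(printf '%s\n' "$status" | status_field NoNewPrivs)
    eff=$(printf '%s\n' "$status" | status_field CapEff)
    bnd=$(printf '%s\n' "$status" | status_field CapBnd)
    echo "no_new_privs=$nnp"
    for entry in $REQUIRED; do
        name=${entry%%:*}
        bit=${entry##*:}
        if has_bit "$eff" "$bit"; then state=effective
        elif has_bit "$bnd" "$bit"; then state=bounding-only
        else state=absent
        fi
        echo "$name=$state"
    done
}

# Constructed sample (not captured from a real container): a non-root process
# with NoNewPrivs set, an empty effective set, and, for brevity, a bounding
# set holding only the six capabilities listed under cap_add.
SAMPLE='Name: coolforkit
NoNewPrivs: 1
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000000008240109'

# Live use inside the container: check_status < /proc/<pid>/status
printf '%s\n' "$SAMPLE" | check_status
```

A result of `bounding-only` together with `no_new_privs=1` means the container is allowed the capability but the process did not acquire it at exec, which matches the "is not set" errors rather than a missing `cap_add` entry.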