Docker-DocumentServer icon indicating copy to clipboard operation
Docker-DocumentServer copied to clipboard

Published 20 hours ago verified publisher icon ONLYOFFICE

SSL Private key exposed after docker start.

Open XenonOrion opened this issue 4 years ago • 3 comments

Do you want to request a feature or report a bug? Bug: Private Key is readable by everyone. What is the current behavior? When the docker image is restarted, the permissions of the private key /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key is restored to 755 permissions.

If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem.

  1. $ chown 400 app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
  2. restart docker image.
  3. onlyoffice.key's permissions return to 755.

What is the expected behavior? The permissions of the .key should always be remain as the user provided, or standard change permissions to 400.

Did this work in previous versions of DocumentServer? Not sure. This is my first version.

DocumentServer Docker tag: onlyoffice/documentserver:5.5.0.165

Host Operating System: Centos 7, with manually provided Letsencrypt SSL certificates.

XenonOrion avatar Apr 10 '20 17:04 XenonOrion

Hello, @XenonOrion, sorry for the late reply. Thank you for report. I can confirm - this is bug, issue 50138 in our private issue tracker.

igwyd avatar Apr 29 '21 15:04 igwyd

I did not find this issue report, so I re-reported the problem in (#421) - looks like this has been around for at least 2 years. The fact that the certs dir is under /var/www in itself might not be a good idea - I am not sure if this is required by the certbot.

Also, I am not sure why all files and dirs are changed to 755 - it should be changing files to 644 and dirs to 755 - with the current chmod -R 755 all files become executable, so based on the comment maybe the command should be applying to dir only:

find $DATA_DIR -type d -exec ...

In any case I think the /app/ds/run-document-server.sh script needs to be updated and the chown and chmod for the DATA_DIR can be replaced with a find command ( or possibly only exclude the key file ):

find $DATA_DIR -path $SSL_CERTIFICATES_DIR -prune -o \( -exec chown ds:ds {} \; -exec chmod 755 {} \; \)

In general, to avoid problems the certs should be owned by root, with 444 ( or 644 ) for the public key and 400 for the private key. The big problem for us is that we have a wild card cert and if the key was compromised it would impact multiple servers.

bluesky-ca avatar Mar 23 '22 17:03 bluesky-ca

It's fixed at: https://github.com/ONLYOFFICE/Docker-DocumentServer/commit/c7a1fd04a436bc563b63d961b09dc30e9e8db8fc And will be released in the next major release.

igwyd avatar Jul 07 '22 08:07 igwyd

DocumentServer v7.2 is released. This issue should be fixed

Feel free to comment or reopen it if you got further questions

ShockwaveNN avatar Sep 23 '22 16:09 ShockwaveNN