Least privilege deployment not supported
I have found some other issues like #832 and #823 related to people encountering issues when attempting to deploy the docker image using custom users or non-privileged users. Technically this should not be a problem if the underlying filesystem has the right ownership and the user inside the container matches (or is translated via namespaces).
It seems the docker image does not support this due to assumptions made about the privileges available to the container.
See for reference:
- https://docs.docker.com/engine/security/userns-remap/
- https://docs.docker.com/engine/security/security/
This might be something that needs some work (and it should not be a complicated problem), in exchange for a significant improvement for deployments using the image (otherwise, AFAIK, the entire kernel is exposed via ABI to the container processes as they run as root effectively... not the best idea when dealing with PHP web apps, and especially with fpm allowing quite some fine tuning to isolate each app).
Thanks!
@vogelfreiheit I'm wondering if anything has happened since your original issue was opened?
I've set up a Nextcloud instance with userns-remap, but I'm running into some issues with the mounted data-directory I have yet to find a solution for.

The issue is that `root` within the container doesn't have permission to read the mounted data directory as it is owned by the user id that maps to `www-data` in my setup. `root` apparently needs access during upgrades and initial installation.

I thought that maybe I could do something with a group id that both `root` and `www-data` would be members of, but I need my host group `users` to be the owner, allowing backups through an unprivileged user.

From my perspective it'd be ideal if all scripts within the container could run as `www-data` while `root` would be avoided. Is that what you were suggesting, too?

Edit: I "fixed" my issue by creating a group on the host with the gid that maps to `0=root` in the container space. Then I added my backup user to this group.
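As an added example (not code from the thread or the nextcloud/docker project) of working out the remapped ids the reply above depends on: it assumes Docker's default `dockremap` subordinate user, that `www-data` is uid/gid 33 inside the container, and feeds in a constructed `/etc/subuid`-style sample instead of reading the host files.

```shell
#!/bin/sh
# Added example: map container uids/gids to host ids under userns-remap and
# emit the ownership commands for a bind-mounted Nextcloud data directory.
# Assumptions: remap user "dockremap" (Docker default), www-data = 33 inside
# the container. Nothing here touches the host; commands are only printed.

# Constructed sample of /etc/subuid (and /etc/subgid) content, not read from the host.
SAMPLE_SUBID='dockremap:100000:65536
alice:165536:65536'

# host_id_for <subid-text> <remap-user> <container-id>
# Prints the host id a container id lands on; fails if outside the range.
host_id_for() {
    _line=$(printf '%s\n' "$1" | grep "^$2:" | head -n 1)
    [ -n "$_line" ] || { echo "no subordinate range for $2" >&2; return 1; }
    _base=$(printf '%s' "$_line" | cut -d: -f2)
    _count=$(printf '%s' "$_line" | cut -d: -f3)
    [ "$3" -ge 0 ] && [ "$3" -lt "$_count" ] || { echo "id $3 outside range" >&2; return 1; }
    echo $(( _base + $3 ))
}

# ownership_commands <subid-text> <datadir> <backup-user>
# Dry run of the setup the reply describes: data dir owned by remapped
# www-data, a host group at the gid that maps to container root, backup user
# added to that group so it can read what the container's root writes.
ownership_commands() {
    _www=$(host_id_for "$1" dockremap 33) || return 1
    _root=$(host_id_for "$1" dockremap 0) || return 1
    printf 'chown -R %s:%s %s\n' "$_www" "$_www" "$2"
    printf 'groupadd -g %s nc-container-root\n' "$_root"
    printf 'usermod -aG nc-container-root %s\n' "$3"
}

ownership_commands "$SAMPLE_SUBID" /srv/nextcloud/data backup
```

Replace `SAMPLE_SUBID` with `$(cat /etc/subuid)` and `$(cat /etc/subgid)` on a real host, and check that the uid and gid ranges match before applying the printed commands.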
Closing due to https://github.com/nextcloud/docker/pull/1812