passbolt_api
JWT healthcheck does not recognise read-only mounts, nor dereferences symbolic links
- Passbolt Version: 3.7.1-1-ce
- Platform and Target:
- https://github.com/passbolt/passbolt_docker
- https://github.com/mmz-srf/passbolt-helm
What you did
I was deploying the (community) Helm chart and found the Passbolt container to be too eager in checking JWT file permissions with is_writable.
What happened
When the JWT healthcheck runs, an error is thrown, despite the files having correct permissions:
```
JWT Authentication
[PASS] The JWT Authentication plugin is enabled
[FAIL] The /etc/passbolt/jwt/ directory should not be writable.
[HELP] You can try:
[HELP] sudo chown -Rf root:www-data /etc/passbolt/jwt/
[HELP] sudo chmod 750 /etc/passbolt/jwt/
[HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.key
[HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.pem
[FAIL] A valid JWT key pair is missing
```
This is due to symbolic links not being dereferenced, and the mount option not being taken into account. This is the -L/--dereference flag of ls working:
```
$ k -n passbolt exec -it deployment.apps/passbolt-passbolt-helm -- ls -la /etc/passbolt/jwt
total 4
drwxrwxrwt 3 root root 120 Aug 1 12:40 .
drwxrwx--- 6 root www-data 4096 Jul 28 14:56 ..
drwxr-xr-x 2 root root 80 Aug 1 12:40 ..2022_08_01_12_40_58.3176624772
lrwxrwxrwx 1 root root 32 Aug 1 12:40 ..data -> ..2022_08_01_12_40_58.3176624772
lrwxrwxrwx 1 root root 14 Aug 1 12:40 jwt.key -> ..data/jwt.key
lrwxrwxrwx 1 root root 14 Aug 1 12:40 jwt.pem -> ..data/jwt.pem
```
```
$ k -n passbolt exec -it deployment.apps/passbolt-passbolt-helm -- ls -laL /etc/passbolt/jwt
total 12
drwxrwxrwt 3 root root 120 Aug 1 12:40 .
drwxrwx--- 6 root www-data 4096 Jul 28 14:56 ..
drwxr-xr-x 2 root root 80 Aug 1 12:40 ..2022_08_01_12_40_58.3176624772
drwxr-xr-x 2 root root 80 Aug 1 12:40 ..data
-rw-r----- 1 root root 3243 Aug 1 12:40 jwt.key
-rw-r----- 1 root root 800 Aug 1 12:40 jwt.pem
```
Here is the actual mountpoint:
```
$ k -n passbolt exec -it deployment.apps/passbolt-passbolt-helm -- df -h /etc/passbolt/jwt
Filesystem Size Used Avail Use% Mounted on
tmpfs 1.5G 8.0K 1.5G 1% /etc/passbolt/jwt
$ k -n passbolt exec -it deployment.apps/passbolt-passbolt-helm -- cat /proc/mounts | grep passbolt
tmpfs /etc/passbolt/gpg tmpfs ro,relatime,size=1518884k 0 0
tmpfs /etc/passbolt/jwt tmpfs ro,relatime,size=1518884k 0 0
/dev/vda1 /etc/php/7.4/fpm/conf.d/passbolt.ini ext4 ro,relatime 0 0
/dev/disk/by-id/scsi-0DO_Volume_pvc-cb26fed1-2145-434b-8f09-876d9ae0a9a7 /usr/share/php/passbolt/webroot/img/public ext4 rw,relatime 0 0
```
Reference:
- https://github.com/kubernetes/kubernetes/issues/34982#issuecomment-496507770
What you expected to happen
I'm expecting Passbolt to recognise the files as symlinks, and dereference them upon checking, plus evaluating all possible layers of "read-only-ness".
E.g. in https://bugs.php.net/bug.php?id=68926&edit=1 one suggestion is to try to actually write to a file, in order to determine if that would work.
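As an added example (not passbolt's healthcheck code and not part of the report), here is the kind of "effective writability" check the symlink listing, the mount table and the expected-behaviour section together describe, written in shell so it can be run inside the container the same way the diagnostics above were. It dereferences symlinks as `ls -L` does, looks up the mount that holds the real file in /proc/mounts and honours its `ro` option (longest mount point wins, so a secret volume mounted inside a writable parent is judged by its own options), and finally confirms with a real write probe as suggested in the linked PHP bug. The SAMPLE_MOUNTS table is the /proc/mounts output from this report plus an assumed root filesystem entry; it assumes GNU or busybox `readlink -f` and `awk`.

```shell
# Added example, not passbolt's own healthcheck: decide whether a path is
# *effectively* writable by checking every layer, not just the mode bits.

# Mount table taken from this report; the root entry is constructed so the
# sample covers every path. /proc/mounts escapes spaces in paths as \040.
SAMPLE_MOUNTS='/dev/vda1 / ext4 rw,relatime 0 0
tmpfs /etc/passbolt/gpg tmpfs ro,relatime,size=1518884k 0 0
tmpfs /etc/passbolt/jwt tmpfs ro,relatime,size=1518884k 0 0
/dev/vda1 /etc/php/7.4/fpm/conf.d/passbolt.ini ext4 ro,relatime 0 0
/dev/disk/by-id/scsi-0DO_Volume_pvc-cb26fed1-2145-434b-8f09-876d9ae0a9a7 /usr/share/php/passbolt/webroot/img/public ext4 rw,relatime 0 0'

# Print the mount options of the mount holding the already-resolved path $1,
# reading /proc/mounts-format text from stdin. The longest matching mount
# point wins, so a volume mounted below a writable parent is judged on its
# own options rather than the parent's.
mount_options_for() {
  awk -v p="$1" '
    {
      mp = $2; n = length(mp); pre = mp "/"
      if (p == mp || mp == "/" || substr(p, 1, n + 1) == pre) {
        if (n > best_n) { best_n = n; best = $4 }
      }
    }
    END { if (best != "") print best }'
}

# Exit 0 if the mount holding path $1 carries the ro option (table on stdin).
mount_is_readonly() {
  opts=$(mount_options_for "$1")
  case ",$opts," in
    *,ro,*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print "writable" or "not-writable" for path $1 using the mount table file
# $2 (default /proc/mounts). Layers consulted in order: symlink target,
# mount options, then an actual open that leaves existing content intact.
effective_writability() {
  path=$1; mounts=${2:-/proc/mounts}
  real=$(readlink -f "$path") || { echo not-writable; return 0; }
  [ -e "$real" ] || { echo not-writable; return 0; }
  if mount_is_readonly "$real" < "$mounts"; then
    echo not-writable; return 0
  fi
  if [ -d "$real" ]; then
    probe="$real/.writeprobe.$$"
    if ( : > "$probe" ) 2>/dev/null; then rm -f "$probe"; echo writable; return 0; fi
  elif ( : >> "$real" ) 2>/dev/null; then
    echo writable; return 0
  fi
  echo not-writable
}

# Demo against the sample table: the jwt files from the report sit on a
# read-only tmpfs, so they are not writable whatever their mode bits say.
demo() {
  tmp=$(mktemp -d)
  printf '%s\n' "$SAMPLE_MOUNTS" > "$tmp/mounts"
  for p in /etc/passbolt/jwt/jwt.key /etc/passbolt/jwt /usr/share/php/passbolt/webroot/img/public; do
    if mount_is_readonly "$p" < "$tmp/mounts"; then echo "$p: ro mount"; else echo "$p: rw mount"; fi
  done
  rm -rf "$tmp"
}
```

Saved as a script and copied into the pod, the functions can be sourced and `effective_writability /etc/passbolt/jwt/jwt.key` run against the real /proc/mounts; on the layout shown in this report it answers "not-writable" even though the directory is mode 1777, because the symlink resolves into a tmpfs mounted `ro`.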