pgadmin4
SSH file is not able to read and change when the server is shared on server-mode
Please note that security bugs or issues should be reported to [email protected].
Describe the bug
The SSH file cannot be read or changed when the server is shared, so other users are not able to connect to the shared server.
e.g.
- UserA creates "Server1" with an SSH file on his storage and shares it.
- UserB can see "Server1" but it has a static SSH connection option; he can not change the connection option.
- UserB faced the "No password or public key available!" error when using it as is. (Maybe due to failing to read the ssh file.)
It failed too even if UserA uses a secret key from "SHARED_STORAGE" at the 1st step. UserB can download it from storage-manager but failed to connect.
To Reproduce
- Set up docker server in server-mode
  Create docker container with config_local.py and binding volume.

      ## A part of docker-compose.yaml
      container_name: pgadmin4
      image: dpage/pgadmin4:8.4
      volumes:
        - ./bind/config_local.py:/pgadmin4/config_local.py
        - ./bind/storage:/mnt/storage
      environment:
        - PGADMIN_CONFIG_SERVER_MODE=True

      ## config_local.py
      SHARED_STORAGE = [
          {'name': 'storage', 'path': '/mnt/storage', 'restricted_access': True}
      ]

- Change bind folder permission to the same as the container uid

      ## Check uid on container and set on host (docker uses same id between host and container)
      # docker exec -it "pgadmin4" id
      uid=5050(pgadmin) gid=0(root) groups=0(root)
      # chown 5050:root ./bind/storage
      # chmod 700 ./bind/storage

- Create shared user and register ssh server on UserA
  - Create UserB on user manager
  - Upload ssh-key on storage manager
  - Register "Server1" with ssh-tunneling option and uploaded key
  - Share "Server1"
- Try to connect "Server1" from UserB
  - UserB can not connect "Server1"
  - UserB can input SSH options but can not save them. They become the old value when reopened.
Expected behavior
- Allow to use shared-storage path to share secret-key.
- Allow to use owner's storage when shared ssh key.
- Let UserB change ssh connection option as his connection info.
Anyway, I wish to share ssh-tunneling server info.
Error message
No password or public key available!
Screenshots
Desktop (please complete the following information):
- OS: "Rocky Linux 9.1"
- Version: dpage/pgadmin4:8.4
- Mode: Server
- Browser chrome
- Package type: Container (docker engine: v23.0.4)
Additional context
Hi @nabe1653 The issue is not reproducible. Can you please share screen recording?
Hi @anilsahoo20, thank you for checking.
That SSH DB and server-mode pgadmin are office servers so I can not share the details. So I created new servers with a docker compose template and ran it on windows10, and it reproduced there too.
Sample code repo (for pgadmin and ssh server): https://github.com/nabe1653/pgadmin4-ssh-sample
Screen recording is below:
1. Trying ssh connection from created-user
  - Owner can connect without SSH
  - Owner can connect by SSH with his home key
  - Owner can not connect by SSH with shared drive key
2. Trying ssh connection from shared-user
  - Shared user can not connect with SSH
  - Shared user can not save ssh-connection info
  - Shared user can connect without SSH (only ssh info has problem to share)
@nabe1653
I am unable to reproduce it with the local setup.
@yogeshmahajan-1903 can you please check this issue with the docker?
@nabe1653 I am not able to reproduce any issue mentioned in 1st scenario. Can you please check permissions for keys in shared directory mount? Mine are -
yogeshmahajan@Laptop510-pn-in Docker % ls -la ./shared_dir\ /
total 24
drwxr-xr-x 5 yogeshmahajan staff 160 May 27 17:58 .
drwxr-xr-x 29 yogeshmahajan staff 928 May 27 17:55 ..
-rw-------@ 1 yogeshmahajan staff 1692 Aug 27 2018 myaccount.pem
Also please turn on logging by specifying log level in environment variable -
PGADMIN_CONFIG_CONSOLE_LOG_LEVEL=10
However I am able to reproduce the 2nd issue mentioned in 2nd scenario i.e. ssh info can not be updated of shared server by shared user. I will be fixing it.
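One way to run the permission check requested above from the host, as an added example that is not part of the thread or of pgAdmin. It evaluates classic mode bits only (no ACLs, no root override) as the container user would see them; the function name is hypothetical, and the default uid 5050 / gid 0 and the `./bind/storage` path are taken from the report.

```python
import os
import stat
from pathlib import Path


def _bits_for(st, uid, gids):
    """Return the rwx triplet (0-7) that applies to uid/gids for this inode."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def audit_key_dir(directory, uid=5050, gids=(0,)):
    """Check each non-hidden regular file as the given uid/gids would see it.

    Returns {filename: [findings]}; an empty list means no finding.
    """
    directory = Path(directory)
    # Opening a file by path needs search (x) permission on its directory.
    can_enter = bool(_bits_for(directory.stat(), uid, gids) & 1)
    report = {}
    for entry in sorted(directory.iterdir()):
        st = entry.lstat()
        if entry.name.startswith(".") or not stat.S_ISREG(st.st_mode):
            continue
        findings = []
        if not can_enter:
            findings.append("directory not searchable by uid %d" % uid)
        elif not _bits_for(st, uid, gids) & 4:
            findings.append("file not readable by uid %d" % uid)
        # A private key should not be accessible to group or other.
        if st.st_mode & 0o077:
            findings.append(
                "group/other access bits set (mode %03o)" % (st.st_mode & 0o777)
            )
        report[entry.name] = findings
    return report


if __name__ == "__main__":
    # Path from the report's docker-compose bind mount.
    for name, findings in audit_key_dir("./bind/storage").items():
        print(name, "OK" if not findings else "; ".join(findings))
```

On a Windows host the bind mount's mode bits are synthesized by Docker, so run the same check inside the container against `/mnt/storage` instead.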
Hi @yogeshmahajan-1903
A1. Folder permissions
The permissions visible from within the container have already been written in the sample repo: https://github.com/nabe1653/pgadmin4-ssh-sample
This is rocky server's permissions that reported at first:
#### docker runs as root user and 5050 is pgadmin user in the container
# ls -al bind/storage/
total 8
drwx------ 2 5050 root 55 Mar 27 11:42 .
drwxr-xr-x 4 root root 101 May 9 14:52 ..
-rw-r--r-- 1 root root 14 Mar 21 16:18 .gitkeep
-rw-r--r-- 1 5050 root 419 Mar 21 14:16 secret_key
#### Folder itself has been changed uid as I mentioned in sample repo.
#### Of course file itself has been uploaded from pgadmin page's file manager so 644 is default.
This is on Windows, where I reproduced it for this report:
> ls .\bind\storage\
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 2024/04/01 11:35 419 pg-test
> (Get-Acl ./bind/storage/).Access | select IdentityReference
IdentityReference
-----------------
BUILTIN\Administrators
BUILTIN\Administrators
NT AUTHORITY\SYSTEM
NT AUTHORITY\SYSTEM
NT AUTHORITY\Authenticated Users
NT AUTHORITY\Authenticated Users
BUILTIN\Users
BUILTIN\Users
A2. Set PGADMIN_CONFIG_CONSOLE_LOG_LEVEL
I tried to change the log level but I couldn't find the output log; it has only a network error about 401.
This shows some logs on browser console?
I've updated the docker image to v8.9 on the reported server, and then both are resolved. Now it can share connection-info/tunnel-host and everyone can use share-storage files for the ssh key.
Thank you so much!