Docker container not dropping privileges #37

Closed
gh0st-app1e opened this issue Nov 29, 2021 · 0 comments · Fixed by #39

gh0st-app1e commented Nov 29, 2021

Docker container does not drop privileges and runs py-kms as root when started with docker compose in the following manner:

version: "3.9"

services:
  app:
    image: pykmsorg/py-kms:minimal
    ports:
      - 1688:1688
    volumes:
      - /etc/localtime:/etc/localtime:ro

The issue is also present when started the way mentioned in the README (docker run -d --name py-kms --restart always -p 1688:1688 ghcr.io/py-kms-organization/py-kms) and seems to be related not to Docker itself but rather to entrypoint.py.

The following code

uid = int(user_db_entries.pw_uid)
gid = int(user_grp_db_entries.gr_gid)
new_gid = int(os.getenv('GID', str(gid)))
new_uid = int(os.getenv('UID', str(uid)))

gets UID/GID from environment variables UID and GID. If they are not present, os.getenv() uses default values, making new_uid and new_gid equal to uid and gid, rendering checks

if gid != new_gid:

and

if uid != new_uid:

false, thus os.setuid() and os.setgid() are not called.
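
Added example, not part of the original issue and not the project's code or the fix merged in #39: a simplified model of the comparison described above next to a variant that compares the target IDs with the process's current effective IDs. The function names, the `FakeRootProcess` stand-in for the `os` module and the account IDs 100/101 are assumptions made for illustration.

```python
import os

def target_ids(db_uid, db_gid, env):
    """UID/GID env overrides, falling back to the service account's database IDs."""
    return int(env.get("UID", db_uid)), int(env.get("GID", db_gid))

def drop_as_reported(db_uid, db_gid, env, osmod=os):
    """Simplified model of the reported logic: acts only when an override differs."""
    new_uid, new_gid = target_ids(db_uid, db_gid, env)
    if db_gid != new_gid:
        osmod.setgid(new_gid)
    if db_uid != new_uid:
        osmod.setuid(new_uid)

def drop_privileges(db_uid, db_gid, env, osmod=os):
    """Compare the target with the IDs the process is running under right now."""
    new_uid, new_gid = target_ids(db_uid, db_gid, env)
    if (osmod.geteuid(), osmod.getegid()) == (new_uid, new_gid):
        return  # already running as the target account
    osmod.setgroups([])    # clear root's supplementary groups first
    osmod.setgid(new_gid)  # group before user: after setuid() we may no longer change it
    osmod.setuid(new_uid)
    if (osmod.geteuid(), osmod.getegid()) != (new_uid, new_gid):
        raise RuntimeError("privilege drop did not take effect")

class FakeRootProcess:
    """Constructed stand-in for the os module: a process that starts as root."""
    def __init__(self):
        self.uid, self.gid, self.groups = 0, 0, [0]
    def geteuid(self): return self.uid
    def getegid(self): return self.gid
    def setgroups(self, groups): self.groups = list(groups)
    def setgid(self, gid): self.gid = gid
    def setuid(self, uid): self.uid = uid

def run(dropper, env, db_uid=100, db_gid=101):
    """Run one dropper against a fresh fake root process (100/101 are made-up IDs)."""
    proc = FakeRootProcess()
    dropper(db_uid, db_gid, env, osmod=proc)
    return proc.uid, proc.gid, proc.groups

if __name__ == "__main__":
    for env in ({}, {"UID": "1000", "GID": "1000"}):
        print(env, "reported:", run(drop_as_reported, env),
              "fixed:", run(drop_privileges, env))
```

With no UID/GID in the environment, the modelled original logic leaves the fake process at uid 0, while the variant ends up on the service account with no supplementary groups.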
