
pg_services.conf et al are world readable #39

Closed
tpo opened this issue Sep 21, 2021 · 5 comments · Fixed by qwc-services/qwc-services.github.io#17
Comments

@tpo
Member

tpo commented Sep 21, 2021

As of today no special consideration is given to file permissions. Each container that is started has its own set of separate user UIDs, some of which map to random other UIDs on the host. The services running inside the containers, each under some arbitrary UID, need access to pg_services.conf. In order to allow launching the services at all, pg_services.conf is basically world readable.

I propose to use the following approach to tackle this problem:

  • creating a new user (say user qwc) that will launch the containers
  • give that user a (standard) range of subuids
  • launching the container as a user
  • figure out which of the resulting subids need access to pg_services.conf (possibly other credentials such as .env?)
  • create a qwc-services user group
  • add all those subuids to that qwc-services user group
  • chgrp pg_services.conf to that user group
  • chmod o-rwx services.conf
  • repeat for all other files containing credentials
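The steps above (and the `chmod o-rwx` fix proposed later in the thread) boil down to two checks an operator can script: find credential files that still carry any "other" permission bits, and hand them to a dedicated service group with those bits stripped. The following is an added example written for this discussion, not code from the issue or from the qwc-services project; the group name `qwc-services` and the file list are placeholders for whatever the deployment actually uses.

```shell
#!/bin/sh
# Audit and harden Postgres credential files (e.g. pg_service.conf, .env)
# so that only the owner and one service group can read them.
# Uses `ls -ld` (POSIX) instead of `stat`, so it behaves the same on
# GNU/Linux and BSD/macOS.

# Return 0 if the file has any permission bit set for "other", 1 otherwise.
# Columns 8-10 of `ls -ld` output are the "other" rwx bits.
world_accessible() {
    other=$(ls -ld "$1" | cut -c8-10) || return 1
    [ "$other" != "---" ]
}

# Print every file from the list that is readable/writable/executable by
# "other". Returns 1 if at least one such file was found, 0 otherwise,
# which makes it usable as a pre-deploy check.
audit_credentials() {
    rc=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        if world_accessible "$f"; then
            printf 'WORLD-ACCESSIBLE: %s (%s)\n' "$f" "$(ls -ld "$f" | cut -c1-10)"
            rc=1
        fi
    done
    return $rc
}

# Give the files to the service group (placeholder: qwc-services) and strip
# all "other" bits, mirroring `chgrp <group>` + `chmod o-rwx` from the issue.
harden_credentials() {
    group=$1; shift
    for f in "$@"; do
        [ -f "$f" ] || continue
        chgrp "$group" "$f" && chmod o-rwx "$f"
    done
}

# Example invocation (paths and group are placeholders):
#   audit_credentials pg_service.conf pg_service-write.conf .env || \
#       harden_credentials qwc-services pg_service.conf pg_service-write.conf .env
```

Run the audit from a cron job or CI step so a regression to world-readable credentials is caught before the containers are next started.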
@tpo
Member Author

tpo commented Sep 21, 2021

Alternative approach:

Instead of instantiating a new site via a fresh docker-compose.yml, create customized docker images that inherit from the original ones and only copy pg_services.conf and/or other credentials into them.

cons:

  • more complex deployment process
  • less dynamic (one cannot simply change pg_services.conf and have it take effect immediately, but must docker build new docker images of everything)
  • maybe doesn't cover all credentials and other permission/UID problems

pro:

  • "self contained" image
  • minimal permissions can be set

@HusseinKabbout changed the title from "security: pg_services.conf et al are world readable" to "pg_services.conf et al are world readable" on Jan 8, 2024
@loyeyoung

I share the same concern about file permissions, and have come to similar conclusions. I have already adopted a similar setup in my implementation.

For multi-tenant setups, it might be advisable to create a "docker" group and add qwc to that group, for those files that should be shared among various related docker projects.

@HusseinKabbout
Contributor

Our approach to this problem is currently to create a qwc user on the host, configure the qwc services to use this user's UID / GID and finally change the ownership of the pg_service.conf / pg_service-write.conf files to owner: qwc and group: www-data (which is 33).

@HusseinKabbout
Contributor

HusseinKabbout commented Jan 22, 2024

> Alternative approach:
>
> Instead of instantiating a new site via a fresh docker-compose.yml, create customized docker images that inherit from the original ones and only copy pg_services.conf and/or other credentials into them.
>
> cons:
>
> * more complex deployment process
> * less dynamic (one cannot simply change `pg_services.conf` and have it take effect immediately, but must docker build new docker images of everything)
> * maybe doesn't cover all credentials and other permission/UID problems
>
> pro:
>
> * "self contained" image
> * minimal permissions can be set

This is not good from a security point of view, since this would mean that container images contain passwords in cleartext.

@tpo
Member Author

tpo commented May 28, 2024

The instructions point to https://qwc-services.github.io/ . The first entry in the site index on the left is Quick start.

This Pull Request adds instructions to do a `chmod o-rwx pg_service*.conf`, which should fix the world readability of the Postgres service/credentials files.

@HusseinKabbout : if you think that that's a good solution then please pull and close this ticket. Thanks!

3 participants