pg_services.conf et al are world readable #39
Comments
Alternative approach: Instead of instantiating a new site via a fresh cons:
pro:
I share the same concern about file permissions, and have come to similar conclusions. I have already adopted a similar setup in my implementation. For multi-tenant setups, it might be advisable to create a "docker" group and add qwc to that group, for those files that should be shared among various related docker projects.
Our approach to this problem is currently to create a
This is not good from a security point of view, since this would mean that container images contain passwords in cleartext.
The instructions point to https://qwc-services.github.io/. The first entry in the site index on the left is Quick start. This Pull Request adds instructions to do a @HusseinKabbout: if you think that that's a good solution then please pull and close this ticket. Thanks!
As of today no special consideration is given to file permissions. Each container that is started has its own set of separate user UIDs, some that map to random other UIDs on the host. The services running inside the containers, each under some arbitrary UID, need access to `pg_services.conf`. In order to allow launching the services at all, `pg_services.conf` is basically world readable.

I propose to use the following approach to tackle this problem:

- a user (`qwc`) that will launch the containers
- `pg_services.conf` (possibly other credentials such as `.env`?)
- a `qwc-services` user group
- add `qwc` to the `qwc-services` user group
- chown `pg_services.conf` to that user group
- `chmod o-rwx services.conf`
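The group-based fix proposed above, written out as a runnable POSIX shell script. This is an added example, not code from the qwc-services project or from the issue author; the names `qwc` and `qwc-services` come from the issue, while the function names, the use of `chgrp` plus `chmod o-rwx` for the "chown to that user group" step, the `groupadd`/`usermod` commands for the root-only part, and the demo file contents are assumptions.

```sh
#!/bin/sh
# Added example: the user/group permission model proposed in the issue.
# Group and user names come from the issue; everything else is assumed.

# Return 0 if FILE has the other-read bit set (the state the issue reports).
is_world_readable() {
    # -perm -004 matches when o+r is set; -prune stops find descending
    # into FILE if it happens to be a directory.
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Step 1 (needs root): create the group and put the launching user in it.
# Printed rather than run, so an operator can review before applying.
print_group_setup() {
    printf 'groupadd -f %s\nusermod -aG %s %s\n' "$2" "$2" "$1"
}

# Steps 2-3 (file owner is enough): hand the file to the group and drop
# all "other" access. Group read stays, so every container UID that is
# a member of the group can still open the file.
harden_secret_file() {
    chgrp "$2" "$1" || return 1
    chmod o-rwx "$1" || return 1
    # Only report success if the file really is no longer world-readable.
    ! is_world_readable "$1"
}

# Permission string as ls prints it, e.g. "-rw-r-----", for reporting.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Demo on a constructed copy so no real configuration is touched. The
# caller's primary group stands in for qwc-services, which needs root to
# create; the credentials in the file are made up.
demo() {
    tmp=$(mktemp -d) || return 1
    f="$tmp/pg_services.conf"
    printf '[qwc_db]\nhost=db\nuser=qwc\npassword=CONSTRUCTED\n' > "$f"
    chmod 644 "$f"                        # world-readable, as in the issue
    echo "before: $(mode_of "$f")"
    print_group_setup qwc qwc-services    # root step, shown not executed
    harden_secret_file "$f" "$(id -gn)" && echo "after:  $(mode_of "$f")"
    rm -rf "$tmp"
}

demo
```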