assuming a readonly root, if we gen certs, don't overwrite the originals #11293

Merged
merged 1 commit into from
Mar 9, 2025

@caolanm caolanm commented Mar 7, 2025

Change-Id: Id1077ff63203f74f4802af087558a6ae652fbcf1

  • Resolves: #
  • Target version: master

Summary

TODO

  • ...

Checklist

  • I have run make prettier-write and formatted the code.
  • All commits have Change-Id
  • I have run tests with make check
  • I have issued make run and manually verified that everything looks okay
  • Documentation (manuals or wiki) has been updated or is not required

@caolanm caolanm force-pushed the private/caolan/dont_copy_generated_certs branch from 8bab3bf to 0db2853 Compare March 7, 2025 16:10
Signed-off-by: Caolán McNamara <[email protected]>
Change-Id: Id1077ff63203f74f4802af087558a6ae652fbcf1
@caolanm caolanm force-pushed the private/caolan/dont_copy_generated_certs branch from 0db2853 to d294c6a Compare March 7, 2025 20:05
@caolanm caolanm closed this Mar 7, 2025
@caolanm caolanm reopened this Mar 7, 2025
@caolanm caolanm requested a review from timar March 7, 2025 21:25

caolanm commented Mar 7, 2025

If we do this, then we can get a step closer to running under docker --read-only


timar commented Mar 7, 2025

> If we do this, then we can get a step closer to running under docker --read-only

Is this because /tmp is in memory so it does not count?
But I still don't understand. With your patch we do not overwrite the cert files in /etc/coolwsd, but we effectively override them, because command line settings take precedence over /etc/coolwsd/coolwsd.xml setting. Maybe this scenario makes no sense (i.e. when we have something in /etc/coolwsd and we generate cert). So maybe it's OK...

As a side note, I always wanted to get rid of this startup shell script. (I expect next time we will be asked to start coolwsd directly, remove shell as an attack vector etc.)


caolanm commented Mar 7, 2025

> Is this because /tmp is in memory so it does not count?

With docker --read-only (from man docker-run) apparently you get an implied additional option that is "When running --read-only containers, mount a read-write tmpfs on /dev, /dev/shm, /run, /tmp, and /var/tmp. The default is true". So /tmp is still writable unless there is an additional --read-only-tmpfs=false at which point "In this mode writable directories need to be added via external volumes or mounts". The report, so far, has been a permission failure on the cp to the final dest, not the initial generation in /tmp, so I think it's safe to assume a writeable /tmp (and /var/tmp), but not a writeable /etc

> With your patch we do not overwrite the cert files in /etc/coolwsd, but we effectively override them, because command line settings take precedence over /etc/coolwsd/coolwsd.xml setting.

That's my thinking here.
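
The read-only root with writable tmpfs mounts described in the comment above can be checked from the mount table. This is an added example, not code from this pull request or the project: `mount_mode` and `cert_dir` are hypothetical helpers, and the mount table is a constructed sample.

```shell
#!/bin/sh
# Constructed sample of /proc/mounts for a container started with
# `docker run --read-only` (illustrative values, not captured output).
sample_mounts() {
    cat <<'EOF'
overlay / overlay ro,relatime 0 0
tmpfs /dev tmpfs rw,nosuid 0 0
shm /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev,noexec 0 0
EOF
}

# mount_mode PATH [MOUNTS_FILE]  (hypothetical helper)
# Prints "ro" or "rw" for the mount containing PATH, picked by longest
# matching mount point; defaults to /proc/mounts. Checks the mount flag
# only, not file ownership or permissions.
mount_mode() {
    awk -v p="$1" '
    {
        mp = $2
        # mp covers p if it is "/", equals p, or is a directory prefix of p
        if (mp == "/" || p == mp || index(p, mp "/") == 1) {
            if (length(mp) >= best) {   # ">=" lets a later stacked mount win
                best = length(mp)
                mode = "rw"
                n = split($4, opts, ",")
                for (i = 1; i <= n; i++) if (opts[i] == "ro") mode = "ro"
            }
        }
    }
    END { if (mode == "") exit 1; print mode }
    ' "${2:-/proc/mounts}"
}

# cert_dir PREFERRED FALLBACK [MOUNTS_FILE]  (hypothetical helper)
# Prints PREFERRED when its mount is writable, otherwise FALLBACK, so
# generated certificates are never copied onto a read-only root.
# e.g. cert_dir /etc/coolwsd /tmp/ssl   (/tmp/ssl is a made-up fallback path)
cert_dir() {
    if [ "$(mount_mode "$1" "$3")" = "rw" ]; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$2"
    fi
}
```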

@timar timar merged commit 1100285 into master Mar 9, 2025
16 checks passed
@timar timar deleted the private/caolan/dont_copy_generated_certs branch March 9, 2025 08:36