Skip to content

assuming a readonly root, if we gen certs, don't overwrite the originals#11293

Merged
timar merged 1 commit intomasterfrom
private/caolan/dont_copy_generated_certs
Mar 9, 2025
Merged

assuming a readonly root, if we gen certs, don't overwrite the originals#11293
timar merged 1 commit intomasterfrom
private/caolan/dont_copy_generated_certs

Conversation

@caolanm
Copy link
Copy Markdown
Contributor

@caolanm caolanm commented Mar 7, 2025

Change-Id: Id1077ff63203f74f4802af087558a6ae652fbcf1

  • Resolves: #
  • Target version: master

Summary

TODO

  • ...

Checklist

  • I have run make prettier-write and formatted the code.
  • All commits have Change-Id
  • I have run tests with make check
  • I have issued make run and manually verified that everything looks okay
  • Documentation (manuals or wiki) has been updated or is not required

@github-project-automation github-project-automation Bot moved this to To Review in Collabora Online Mar 7, 2025
@caolanm caolanm force-pushed the private/caolan/dont_copy_generated_certs branch from 8bab3bf to 0db2853 Compare March 7, 2025 16:10
@caolanm
assuming a readonly root, if we gen certs, don't overwrite the originals
d294c6a 
Signed-off-by: Caolán McNamara <caolan.mcnamara@collabora.com>
Change-Id: Id1077ff63203f74f4802af087558a6ae652fbcf1
@caolanm caolanm force-pushed the private/caolan/dont_copy_generated_certs branch from 0db2853 to d294c6a Compare March 7, 2025 20:05
@caolanm caolanm closed this Mar 7, 2025
@github-project-automation github-project-automation Bot moved this from To Review to Done in Collabora Online Mar 7, 2025
@caolanm caolanm reopened this Mar 7, 2025
@github-project-automation github-project-automation Bot moved this from Done to In Progress in Collabora Online Mar 7, 2025
@caolanm caolanm requested a review from timar March 7, 2025 21:25
@caolanm
Copy link
Copy Markdown
Contributor Author

caolanm commented Mar 7, 2025

If we do this, then we can get a step closer to a running under docker --read-only

@timar
Copy link
Copy Markdown
Member

timar commented Mar 7, 2025

If we do this, then we can get a step closer to a running under docker --read-only

Is this because /tmp is in memory so it does not count?
But I still don't understand. With your patch we do not overwrite the cert files in /etc/coolwsd, but we effectively override them, because command line settings take precedence over /etc/coolwsd/coolwsd.xml setting. Maybe this scenario makes no sense (i.e. when we have something in /etc/coolwsd and we generate cert. So maybe it's OK...

As a side note, I always wanted to get rid of this startup shell script. (I expect next time we will be asked to start coolwsd directly, remove shell as an attack vector etc.)

@caolanm
Copy link
Copy Markdown
Contributor Author

caolanm commented Mar 7, 2025

Is this because /tmp is in memory so it does not count?

With docker --read-only (from man docker-run) apparently you get an implied additional option that is "When running --read-only containers, mount a read-write tmpfs on /dev, /dev/shm, /run, /tmp, and /var/tmp. The default is true". So /tmp is still writable unless there is an additional --read-only-tmpfs=false at which point "In this mode writable directories need to be added via external volumes or mounts". The report, so far, has been a permission failure on the cp to the final dest, not the initial generation in /tmp, so I think its safe to assume a writeable /tmp (and /var/tmp), but not a writeable /etc

With your patch we do not overwrite the cert files in /etc/coolwsd, but we effectively override them, because command line settings take precedence over /etc/coolwsd/coolwsd.xml setting.

That's my thinking here.

@github-project-automation github-project-automation Bot moved this from In Progress to To Test in Collabora Online Mar 9, 2025
@timar timar merged commit 1100285 into master Mar 9, 2025
@timar timar deleted the private/caolan/dont_copy_generated_certs branch March 9, 2025 08:36
@github-project-automation github-project-automation Bot moved this from To Test to Done in Collabora Online Mar 9, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@timar timar timar approved these changes

Assignees

No one assigned

Labels

None yet

Projects

Collabora Online
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@caolanm @timar