
The problem with LDAP group in homer-webapp docker container #592

Closed
perrfect opened this issue May 15, 2023 · 11 comments

@perrfect

Hello.
I have some problems with LDAP_USERGROUP in the homer-webapp docker container, in the /usr/local/homer/etc/webapp_config.json config.
When the container is restarted, the usergroup is changed from "usergroup": "sec_homer_users" to "usergroup": "sec_roots".
Only removing the container helps.
I pass this group to the config via docker-compose, as:
"LDAP_USERGROUP=sec_homer_users"

@kYroL01
Collaborator

kYroL01 commented May 17, 2023

> When the container has restarted usergroup is changed from "usergroup": "sec_homer_users" to "usergroup": "sec_roots".

This seems like a permission escalation that depends on the container. The restart seems to invalidate the policy.

More information is needed in order to reproduce the issue.

If you find a solution, please share it for the community's benefit.

Thank you

P.S. Don't forget to STAR our project :)

@perrfect
Author

perrfect commented Jul 11, 2023

> When the container has restarted usergroup is changed from "usergroup": "sec_homer_users" to "usergroup": "sec_roots". This seems a permission escalation that depends on the container. The restart seems to invalidate the policy.
>
> More information is needed in order to reproduce the issue.
>
> If you find a solution, please share it for the community's benefit.
>
> Thank you
>
> P.S. Don't forget to STAR our project :)

Hello.
I've done additional tests and it looks like the problem is not with permissions.
If I set the env variable "LDAP_USERGROUP=homer_user" in a docker-compose.yml file and run it, inside the homer-webapp container everything is OK.
But when I stop the container and start it again, in the config /usr/local/homer/etc/webapp_config.json inside the container the parameter "usergroup" looks like "usergroup": "root".
Maybe the problem is in this script: docker-entrypoint.d/1
@adubovikov Could you please check?

@lmangani
Member

> Maybe the problem is in this script: docker-entrypoint.d/1

What would the issue be? The relevant parts of the init script are simply replacing the ENV values in the template, so I see no reason why the json config results should differ between restarts. Are you mounting the config file using a volume on your filesystem?

@perrfect
Author

> What would the issue be? The relevant parts of the init script are simply replacing the ENV values in the template, so I see no reason why the json config results should differ between restarts. Are you mounting the config file using a volume on your filesystem?

No, I don't mount the config file and don't use a volume.
I'm using only this docker-compose file:

  homer-webapp:
    container_name: homer-webapp
    image: sipcapture/webapp
    environment:
      - "LOKI_HOST=loki"
      - "PROM_HOST=prometheus"
      - "DB_HOST=db"
      - "DB_USER=root"
      - "DB_PASS=homerSeven"
      - "AUTH_TYPE=ldap"
      - "LDAP_BASE=dc=ipa,dc=example,dc=com"
      - "LDAP_HOST=ipa.example.com"
      - "LDAP_PORT=636"
      - "LDAP_SSL=true"
      - "LDAP_SKIP_TLS=false"
      - "LDAP_SKIP_VERIFY=true"
      - "LDAP_ANONYMOUS=false"
      - "LDAP_BIND_DN=uid=homer,cn=users,cn=accounts,dc=ipa,dc=example,dc=com"
      - "LDAP_BIND_PASS=password"
      - "LDAP_USER_FILTER=(\\&(objectClass=person)(uid=%s))"
      - "LDAP_GROUP_FILTER=(member=%s)"
      - "LDAP_USER_DN=uid=%s,cn=users,cn=accounts,dc=ipa,dc=example,dc=com"
      - "LDAP_ADMINGROUP=homer_admins"
      - "LDAP_USERMODE=false"
      - "LDAP_ADMINMODE=false"
      - "LDAP_USERGROUP=homer_users"
      - "HOMER_LOGLEVEL=debug"
    restart: unless-stopped
    ports:
      - "9080:80"
    volumes:
      - ./bootstrap:/app/bootstrap
    depends_on:
      db:
        condition: service_healthy
      grafana:
        condition: service_healthy

You can try it and you will get the same error.
The problem reproduces on the production server and on a new test server with default configs from github.

@perrfect
Author

perrfect commented Jul 13, 2023

@lmangani
The problem is reproduced on Ubuntu and Rocky Linux.
Steps to reproduce:

  1. Add environment variables as in the comment above to homer7-docker/heplify-server/hom7-prom-all/docker-compose.yml
  2. Run docker compose: sudo docker compose up -d
  3. Go to the homer-webapp container and check a parameter "usergroup" in the /usr/local/homer/etc/webapp_config.json
    On this step everything is OK.
  4. Stop the homer-webapp container: sudo docker compose stop homer-webapp
  5. Start it again: sudo docker compose start homer-webapp
  6. Go to the homer-webapp container (sudo docker exec -it homer-webapp /bin/bash) and the parameter "usergroup" has the value "roots"

@perrfect
Author

@lmangani
Did you check it?

@lmangani
Member

@perrfect no but perhaps @adubovikov or @hamidrhashmi can help with this

@perrfect
Author

@adubovikov Can you help please and check?

@bilalrao12

bilalrao12 commented Dec 27, 2023

@lmangani @adubovikov there is a search-and-replace for the homer_user string in entrypoint.sh; that's why @perrfect's group name (hepic_users) is being replaced with 'roots'

https://github.com/sipcapture/homer-app/blob/master/docker/docker-entrypoint.d/1#L16C6-L16C6

@myp-neal-harrington

Hi,
Just hit this issue and wanted to add more details to help resolve. The problem is that as @bilalrao12 says:

On first startup the container runs /docker-entrypoint.d/1 which makes (among many others) the following changes with sed:

if [ -n "$DB_HOST" ]; then sed -i "s/homer_db_host/${DB_HOST}/g" /usr/local/homer/etc/webapp_config.json; fi
if [ -n "$DB_USER" ]; then sed -i "s/homer_user/${DB_USER}/g" /usr/local/homer/etc/webapp_config.json; fi

...

if [ -n "$LDAP_USERGROUP" ]; then sed -i "/usergroup/ s/HOMER_user/${LDAP_USERGROUP}/g" /usr/local/homer/etc/webapp_config.json; fi

This all works as expected on first startup. However, the problem is that if your LDAP group name is (or contains) "homer_user", then on the SECOND boot the second sed above will match and change the LDAP config to a string containing the $DB_USER value (by default "root").

The simplest fix would be to change the initial string in the template config file to homer_db_user instead of just homer_user; then it would be far less likely to clash with any end-user LDAP group names. It would also match the initial naming format of the "homer_db_host" variable.
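To make the root cause concrete, here is an added example (not the homer-app entrypoint or any code from the project) that models the steps to reproduce above and the two sed lines quoted in this comment against a constructed stand-in for webapp_config.json, once per simulated container start. The placeholder names homer_user, HOMER_user and the proposed homer_db_user come from the thread; the JSON layout, the function names and the re-render-from-template variant are assumptions of the example.

```shell
#!/bin/sh
# Added example, not the homer-app entrypoint itself: re-runs the two sed
# lines quoted in the thread over a constructed stand-in for
# /usr/local/homer/etc/webapp_config.json, once per simulated container
# start, and shows why the second start turns "homer_users" into "roots".
# Placeholders homer_user / HOMER_user and the proposed homer_db_user come
# from the thread; the JSON layout and function names are assumptions.
set -eu

# Constructed template: only the two placeholder fields the thread mentions.
TEMPLATE_BUGGY='{
  "database_data": { "user": "homer_user" },
  "auth_settings": { "type": "ldap", "usergroup": "HOMER_user" }
}'
# Same template with the fix proposed above: a DB placeholder that a
# realistic LDAP group name is unlikely to contain.
TEMPLATE_FIXED='{
  "database_data": { "user": "homer_db_user" },
  "auth_settings": { "type": "ldap", "usergroup": "HOMER_user" }
}'

# In-place sed without GNU-only `sed -i`, so this also runs on BSD sed.
sed_inplace() {  # $1 = sed expression, $2 = file
  sed "$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# One pass of the entrypoint logic, in the order the thread quotes it:
# DB_USER substitution first, then the usergroup line.
# $1 = config file, $2 = DB_USER placeholder, $3 = DB_USER, $4 = LDAP_USERGROUP
render_once() {
  cfg=$1; db_placeholder=$2; db_user=$3; ldap_group=$4
  if [ -n "$db_user" ]; then sed_inplace "s/${db_placeholder}/${db_user}/g" "$cfg"; fi
  if [ -n "$ldap_group" ]; then sed_inplace "/usergroup/ s/HOMER_user/${ldap_group}/g" "$cfg"; fi
}

# Print the rendered "usergroup" value from a config file.
usergroup_of() {
  sed -n 's/.*"usergroup": *"\([^"]*\)".*/\1/p' "$1"
}

# Simulate N starts of the container. The rendered file persists in the
# container's writable layer across stop/start, so every start runs the
# substitutions over the previous start's output, not over the template.
# $1 = number of starts, $2 = template text, $3 = DB_USER placeholder,
# $4 = DB_USER, $5 = LDAP_USERGROUP; prints the final usergroup.
simulate_boots() {
  boots=$1; template=$2; db_placeholder=$3; db_user=$4; ldap_group=$5
  cfg=$(mktemp)
  printf '%s\n' "$template" > "$cfg"
  i=0
  while [ "$i" -lt "$boots" ]; do
    render_once "$cfg" "$db_placeholder" "$db_user" "$ldap_group"
    i=$((i + 1))
  done
  usergroup_of "$cfg"
  rm -f "$cfg"
}

# Alternative hardening (an assumption of this example, not something the
# project proposes): keep the pristine template next to the config and
# re-render from it on every start, so the substitutions never see their
# own earlier output and the rename of the placeholder is not even needed.
# $1 = number of starts, $2 = template text, $3 = DB_USER, $4 = LDAP_USERGROUP
simulate_boots_idempotent() {
  boots=$1; template=$2; db_user=$3; ldap_group=$4
  tmpl=$(mktemp); cfg=$(mktemp)
  printf '%s\n' "$template" > "$tmpl"
  i=0
  while [ "$i" -lt "$boots" ]; do
    cp "$tmpl" "$cfg"
    render_once "$cfg" homer_user "$db_user" "$ldap_group"
    i=$((i + 1))
  done
  usergroup_of "$cfg"
  rm -f "$tmpl" "$cfg"
}

echo "buggy template, 1st start:  $(simulate_boots 1 "$TEMPLATE_BUGGY" homer_user root homer_users)"
echo "buggy template, 2nd start:  $(simulate_boots 2 "$TEMPLATE_BUGGY" homer_user root homer_users)"
echo "fixed template, 2nd start:  $(simulate_boots 2 "$TEMPLATE_FIXED" homer_db_user root homer_users)"
echo "re-render each start, 2nd:  $(simulate_boots_idempotent 2 "$TEMPLATE_BUGGY" root homer_users)"
```

The second start is the whole story: `s/homer_user/root/g` no longer finds the DB placeholder (it was already replaced), but it does find the substring inside the already-rendered group name `homer_users`, producing `roots`; with the reporter's original group `sec_homer_users` the same pass yields `sec_roots`. Both fixes shown pass the repeated-start test, and the re-render variant additionally makes the entrypoint safe to run any number of times. Two caveats for anyone adapting this: the sed replacement is still unescaped, so a group name containing `/` or `&` would break or corrupt the substitution, and a silent rewrite of `usergroup` is an authorization-relevant change, so a config-rendering entrypoint should be checked for idempotence before it is trusted across restarts.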

@kYroL01
Collaborator

kYroL01 commented Aug 2, 2024

Hi @myp-neal-harrington
We tested your solution and it is working fine.
In webapp_config.json under homer-webapp container we set the parameter usergroup to homer_db_user instead of homer_users.
After the restart, it didn't crash with LDAP group names.

We're doing an additional test for backward compatibility and probably make a PR to fix it.

Thank you for your great help!
