-
Notifications
You must be signed in to change notification settings - Fork 83
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
/usr/libexec/cockpit-session has wrong owner in deployment #870
Comments
@sigulete just did a response in the original bug, which I'm forwarding here: I dug deeper into this issue and it doesn’t seem to be a Bootc relies on OCI containers to build and transport an image to be deployed in what we will call the server for the sake of this example. Each time the container image gets re-built, it will create a brand new deployment that will replace everything in Some applications including If I looked at my deployment and I found that it is not common to have files in I resolved the problem creating my user within the container build, so You mentioned before that |
I want to report that there are a few nuances with this approach, for some reason the
|
There's a lot more in https://containers.github.io/bootc/building/users-and-groups.html but yes basically stop using |
Also setuid binaries are bad |
Well, cockpit-ws primarily wants to use /usr/lib/sysusers.d/cockpit-wsinstance.conf to create the sysuser, but that doesn't work yet in rpm-land, see rpm-software-management/rpm#3073 (it was fixed upstream, but isn't available widely yet in Fedora and RHEL land). But also, the system user actually exists, it's just not applied correctly to the binary ownership.
Yup, I hear you. Getting rid of it is a ginormous pile of work (see linked PR above), but also, it's the file ownership here, not the suid-ness (that's fine). |
Yeah there's a conceptual conflict between sysusers and files owned by images (I suspect for the same reason this gets trickier with RPM). I think for this case ideally we fatally error out at build time and require a static allocation at build time; the most practical is nss-altfiles; we just don't document today how to extend what we have in the base image for it. That said, there is an entirely different approach which is basically have For everyone else's reference the PR Martin is talking about for cockpit that would drop the suid binary looks to be cockpit-project/cockpit#16811 |
I think they are related, no? If the binary wasn't setuid it could just be owned by root:root like any other... |
That's a hilariously clever and evil 😈 idea, thanks 🤓 ! That would make packaging dramatically easier, and also avoid all this ownership mess, and even unblock delivering this as a sysext. Need to check how this plays out with SELinux, and of course it does feel rather root-kit-y to have a writable suid root binary in /run... But it's worth discussing at least. (Or finally carve out two weeks to fix all the fallout from making cockpit-session a systemd .path unit...) |
Dunno, on package systems the binary is writable in |
Closing this as there's not much we can technically do on the bootc side today unfortunately, other than the existing documentation we have. |
In cockpit-project/cockpit#21201 we got a report about failing to deploy a bootc container with the
cockpit-ws
package:You can build yourself, but for convenience I built that on github:
This command works, but after boot, cockpit-ws'
cockpit-session
program has a broken owner:It needs to have group "cockpit-wsinstance".
A temporary workaround is
but of course that doesn't stick, and enabling the overlay is ugly.
The text was updated successfully, but these errors were encountered: