Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Run the container without root #170

Closed
qdm12 opened this issue Nov 12, 2018 · 8 comments
Closed

Run the container without root #170

qdm12 opened this issue Nov 12, 2018 · 8 comments
Assignees
@dperson

Comments

@qdm12
Copy link

qdm12 commented Nov 12, 2018
edited
Loading

Hi there,

Is there any way or plan to run this container without root? That would be great security-wise. A few options crossing my mind to achieve this, although it might not be possible:

  • Use the libcap package on Alpine to allow capabilities to smbd (could work!)
  • Use gosu to drop the root privileges (may work)
  • Use USER: 1000 in the Dockerfile, before the entrypoint (unlikely to work)

Thanks !
@dperson dperson self-assigned this Nov 15, 2018
@dperson
Copy link
Owner

dperson commented Nov 15, 2018

The ports that it listens on require root or somehow adding permissions (as you mentioned). I currently don't have any plans to try to figure out how to get it to run without root.

Docker support ID mapping so that root in the container isn't root outside the container, which should take care of your concerns for both this container and the rest that you use.

@dperson dperson closed this as completed Nov 15, 2018
@qdm12
Copy link
Author

qdm12 commented Nov 16, 2018

Hi and thanks for your quick reply!

I did not know about this ID mapping feature, that's great! For others interested here is the documentation for ID mapping

On the other hand, it would still be better to run as non root inside the container in case it gets compromised. I will try to do a pull request sometime.

One last question: which super user permissions do you think are needed at runtime except the low port binding (which could be changed to a high port with Docker port mapping)? Thanks!

@dperson
Copy link
Owner

dperson commented Nov 16, 2018

I have no idea, which is part of the reason that I haven't ever tried.

@alexhaydock
Copy link

The ports that it listens on require root or somehow adding permissions (as you mentioned). I currently don't have any plans to try to figure out how to get it to run without root.

For what it's worth, this can be worked around with a line like this inside smb.conf:

smb ports = 2445 2139

Then in the docker run command you can map the regular ports like this:

-p 445:2445 -p 139:2139

Or in a Docker Compose file:

    ports:
      - 139:2139
      - 445:2445

I have a forked version of this container that I run under a non-root UID/GID inside the container, and can even run with --cap-drop=ALL.

Unfortunately it means the entrypoint script doesn't work as a lot of its functions require root, so I am essentially just mounting a smb.conf into the container. I'll try and sanitize it of any private info and post my version somewhere.

@alexhaydock
Copy link

One last question: which super user permissions do you think are needed at runtime except the low port binding

Missed this in my last reply but (based on my experience getting this to work) none, except binding ports <1024. Which, as you say, can be fixed with port mapping (my smb.conf snippet above may help).

@qdm12
Copy link
Author

qdm12 commented Nov 17, 2018
edited
Loading

Thanks for the help!

You just said the entrypoint script requires root for a lot of things, so it's not just low port bindings right?

EDIT: I guess en entrypoint mostly chmod things and replaces lines in smb.conf so a smb.conf by itself should work as you pointed out.

@alexhaydock
Copy link

Thanks for the help!

You just said the entrypoint script requires root for a lot of things, so it's not just low port bindings right?

EDIT: I guess en entrypoint mostly chmod things and replaces lines in smb.conf so a smb.conf by itself should work as you pointed out.

Ah, true, sorry for the confusion. Samba itself needs root for nothing other than the port bindings. Using this container directly (particularly the entrypoint script) does.

Since I'm not using the entrypoint script it might be a stretch to even call my version of this a fork rather than simply just Samba in a container, but what I essentially did was use @dperson's container in it's standard (root) config because the command line flags really make it wonderfully easy to get Samba running.

Then when I had it running nicely, I just transplanted the smb.conf file from it into a non-root container that basically just has Samba in it.

@qdm12
Copy link
Author

qdm12 commented Nov 17, 2018
edited
Loading

Hi there,

Yes that's what I was actually doing now. I will try to dig in the entrypoint to make it root and non root friendly and have samba bind on port 8445.

That way you could just run this container with --user="$UID" -p 445:8445/tcp to run without root. I'll do a PR sometime hopefully.

An extra thing doable is to set low port binding cap to samba binary so it can bind on 445 even without root.

@MarvAmBass MarvAmBass mentioned this issue Apr 20, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dperson dperson

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dperson @alexhaydock @qdm12