New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Revert "Dockerfile: Support socat use cases (#13208)" #13369
Conversation
This reverts commit ff50274.
Codecov Report
@@ Coverage Diff @@
## master #13369 +/- ##
==========================================
+ Coverage 42.14% 42.16% +0.02%
==========================================
Files 690 690
Lines 75871 75888 +17
==========================================
+ Hits 31975 32001 +26
+ Misses 38668 38648 -20
- Partials 5228 5239 +11
Continue to review full report at Codecov.
|
I'm not sure what one can achieve with |
Ack the container space is a red-hot mess in terms of security, but it is what it is, and is improving. However in the mean time that mess does leak its pollution into applications. Again there is limited use in whining, and we just have to work around these things until the situation improves. Apologies for not being more specific about the exact use case, but the detail seemed extraneous to:
The issue arises when mounting WireGuard in a network name space, and then running the container within that namespace. Gitea (currently) cannot publish to both socket and port, and thus socat in the container is a workaround for that Gitea behavior, and supports running the Gitea container in a WireGuarded network namespace. Of course we work around all this with own Gitea container, but we prefer pushing improvements upstream. Having given you the detail we leave it in your court. |
@bbros-dev Your problem is quite limited to a very specific case. You can easily create your own image freely by creating a repository with only a Dockerfile that contain.
and publish it to the registry of your choice (docker hub, quay, ...) that will build it for you. I known that it should be a very complicated attack to access the socat binary but I feel we shouldn't let this possibility for every user since they don't need it and since it would ease the process after. We can find solution to your problem but it shouldn't possibly impact every users. For root container, we start to offer a rootless image and I would personally try to reduce the number of binary we need (for security but also maintenance of multiple version compatibility) I hope you will not take it personally because is is a logic we apply in most cases. Ex: We try not to implement each rendering of file possible but make it an optional configuration if possible. |
Yup, unfortunately securing containers is not trivial.... so insecure by default seems to be the Docker world default.
Yes, as we said we do.
Yes it seems quite peculiar to be relaxed about have bash in the container but object to socat. Perhaps a middle ground is:
If you wanted to it would be to allow both http and socket connections. Right now its either/or, but not both. Unfortunately we can't commit to making that change, so this was the next best thing.
Of course not. |
This reverts commit ff50274.
I think we shouldn't pack
socat
binary by default in the gitea docker image.It is not a big threat but it is better to not offer some leverage to help an attacker as it can be used for two-way shell and data exfiltration.
If some users want it for their very specific use case they can easily do so and do what is needed to limit the risk knowingly.
For example: https://gtfobins.github.io/gtfobins/socat/