Output a warning from the launch script if the application will run as root #10275
Conversation
spring-projects-issues
added
the
status: waiting-for-triage
| if [[ -z "{{runUser}}" ]]; then | ||
| # Determine the user to run as if we are root | ||
| # shellcheck disable=SC2012 | ||
| [[ $(id -u) == "0" ]] && run_user=$(ls -ld "$jarfile" | awk '{print $3}') |
There was a problem hiding this comment.
What if root is the owner of the jar file? Might be good to print a warning if someone configures the run as user to root?
There was a problem hiding this comment.
I thought the same but I didn't want to address this in this PR. As a running an program as root is a potential security problem. We could issues an warning or abort the script. But this would be breaking change for existing users who updated.
I see to possible solutions:
- Print a simple warning while starting the program.
- Refuse to start the program if it would run as root unless the user set
runUser=rootexplicitly.
WDYT?
There was a problem hiding this comment.
I think a warning is the way to go (as you stated it might break something otherwise). I think the Apache Webserver does the same (probably a couple of others as well)
There was a problem hiding this comment.
Ok, I will update the PR but tomorrow. It is already later for me... Ok?
There was a problem hiding this comment.
I'm not in the position to (and I never would) demand anything from you :) plus we're in the same time zone ;)
| fi | ||
|
|
||
| # Issue an warning if the application will run as root | ||
| [[ $(id -u) == "0" ]] && { echoRed "Application is running as root (UID 0)."; } |
There was a problem hiding this comment.
Now also a warning will be printed if the effective user at runtime is root.
| @@ -780,6 +780,12 @@ for Gradle and to `${project.name}` for Maven. | |||
| |The default value for the name of the pid file in `PID_FOLDER`. Only valid for an | |||
| `init.d` service. | |||
|
|
|||
| |`runUser` | |||
| | The user under which the application will run under at runtime. If not set | |||
There was a problem hiding this comment.
No need for the second "under" in this sentence
| @@ -780,6 +780,12 @@ for Gradle and to `${project.name}` for Maven. | |||
| |The default value for the name of the pid file in `PID_FOLDER`. Only valid for an | |||
| `init.d` service. | |||
|
|
|||
| |`runUser` | |||
| | The user under which the application will run under at runtime. If not set | |||
| the application will run under the id of user who runs the script. If | |||
There was a problem hiding this comment.
Add "the" so it read "the id of the user"?
| fi | ||
|
|
||
| # Issue an warning if the application will run as root | ||
| [[ $(id -u) == "0" ]] && { echoRed "Application is running as root (UID 0)."; } |
There was a problem hiding this comment.
I think this should be echoYellow rather than echoRed. The latter is only used in the script when there's an error and the script will exit with a non-zero exit code.
There was a problem hiding this comment.
And maybe also re-phrase to something like
"[WARN] Application is running as root (UID 0). This is considered insecure."
to emphasize that it is a warning and not just a yellow colored information :)
Also, shouldn't this be:
[[ $(id -u $run_user) == "0" ]] ...?
|
I applied all suggested changes. |
|
Is there anything that needs still to be done? |
wilkinsona
added
priority: normal
type: enhancement
|
No, I don't think so. Thanks again for the PR. |
| fi | ||
|
|
||
| # Issue an warning if the application will run as root | ||
| [[ $(id -u) == "0" ]] && { echoYellow "[WARN] Application is running as root (UID 0). This is considered insecure."; } |
There was a problem hiding this comment.
Shouldn't this be $(id -u $run_user)?
There was a problem hiding this comment.
Well spotted, @kartoffelsup. I think you're right. Thank you.
That raises the issue of adding some tests for this which I overlook when I said that I didn't think that there was anything left to be done.
@obfischer do you have the time to look at adding some tests please? I'm happy to guide you through the process as needed.
There was a problem hiding this comment.
Yes, of course. Which tests are missing from your perspective?
There was a problem hiding this comment.
A couple of tests would be good:
- Verify that the warning is generated when the application will run as root
- Verify that the warning is not generated when the application will run as another user
There was a problem hiding this comment.
I think the correct module for such tests will be spring-boot-launch-script-tests?
There was a problem hiding this comment.
I will start now with it.
|
@obfischer Any luck with writing those tests? |
wilkinsona
added
the
status: waiting-for-feedback
|
Not until now. I have a hugh workload until the end of the month. |
|
Understood. Thanks. There's no major rush from our perspective. |
|
Hi @wilkinsona, I am trying to run the integration tests via Any idea? |
|
It has been quite some time since I set Docker up on my Mac. Does the Docker Toolbox installation available here not work? |
|
To stupid to Google. I will check it out. |
|
The testsetup is now running on my machine. |
|
@wilkinsona I updated the existing tests. Currently there is still one missing test I hope to write it during the next days. |
|
@obfischer Thanks for the updates |
|
Hi @wilkinsona I added all positive and negative tests and eleminated found bugs. Could you please review them if you have time. |
|
Hi @wilkinsona is there a chance that this PR will be accepted for the 1.5 branch? And is it planned to have a new 1.5.x release in the next time? Please let me know if something could be done by me. |
wilkinsona
removed
the
status: waiting-for-feedback
|
No, sorry. Given that this is an enhancement, it will have to go into 2.0 at the earliest. I’ll target it at 2.0.0.RC1 and see what we can do. |
|
Thanks. Sorry, but I don't find that argument sufficiently compelling to merge this. The proposal leaves users with multiple ways of doing the same thing and that's something that we try to avoid. We already document some advice on securing a jar so that it cannot be manipulated or replaced. If you prefer your approach to the documented approach, I'd recommend that you consider building your jar with a custom script. |
|
Ok. |
|
@wilkinsona will the warning be added? |
|
Would be nice to have a least a warning. |
|
@obfischer Are you happy for us to extract just that part of the proposed changes from this PR? |
|
Yes, I will do that. Update this PR or should I open a new one? |
|
Thanks. Let's use this one. I've reopened it. |
wilkinsona
added
type: enhancement
|
@obfischer Are you still interested in slimming this PR down to the piece that logs the warning? |
|
Hi @wilkinsona, yes. Give me a last chance until next Monday. It is a official holiday here in Germany. |
|
Hi @wilkinsona I changed my PR as you requested. |
wilkinsona
changed the title
|
Thanks very much. |
wilkinsona
removed
the
status: waiting-for-feedback
|
@obfischer Thank you very much for making your first contribution to Spring Boot. The proposed changes have now been merged into master. |
* gh-10275: Polish "Issue a warning from launch script when app will run as root" Issue a warning from launch script when app will run as root
|
Thank you for your support! |
The user used in the launch script to run the application is now configurable if needed. Closes #10273.