Output a warning from the launch script if the application will run as root #10275
Conversation
if [[ -z "{{runUser}}" ]]; then | ||
# Determine the user to run as if we are root | ||
# shellcheck disable=SC2012 | ||
[[ $(id -u) == "0" ]] && run_user=$(ls -ld "$jarfile" | awk '{print $3}') |
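Review bot: the fallback on the last line resolves run_user from the owner of the jar, so when root starts the script and the jar is itself owned by root, run_user silently becomes root and the application keeps UID 0 with nothing logged; any root warning should therefore key off the resolved run_user, not only the invoking UID. Parsing `ls -ld` output (the reason for the SC2012 suppression) is also fragile; if a GNU/BSD split is acceptable, `stat -c %U` (GNU) or `stat -f %Su` (BSD) returns the owner directly.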
What if root is the owner of the jar file? Might be good to print a warning if someone configures the run-as user to root?
I thought the same, but I didn't want to address this in this PR. As running a program as root is a potential security problem, we could issue a warning or abort the script. But this would be a breaking change for existing users who update.
I see two possible solutions:
- Print a simple warning while starting the program.
- Refuse to start the program if it would run as root unless the user set runUser=root explicitly.
WDYT?
I think a warning is the way to go (as you stated it might break something otherwise). I think the Apache Webserver does the same (probably a couple of others as well)
Ok, I will update the PR, but tomorrow. It is already late for me... Ok?
I'm not in the position to (and I never would) demand anything from you :) plus we're in the same time zone ;)
fi | ||
|
||
# Issue an warning if the application will run as root | ||
[[ $(id -u) == "0" ]] && { echoRed "Application is running as root (UID 0)."; } |
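Review bot: `[[ $(id -u) == "0" ]]` on the last line tests the UID of the user invoking the script, not the user the application will actually run as. When root starts the script and run_user was resolved to the jar owner in the block above, this still prints the warning although the process is about to be started as a non-root user. Suggest `[[ $(id -u "$run_user") == "0" ]]` so the check follows the resolved user.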
Now a warning will also be printed if the effective user at runtime is root.
Thanks for the PR, particularly as it's your first contribution to Spring Boot. This looks like a good addition to make. I've left a few, mostly minor, comments. Would you mind taking a look and, if you agree, updating the PR?
@@ -780,6 +780,12 @@ for Gradle and to `${project.name}` for Maven. | |||
|The default value for the name of the pid file in `PID_FOLDER`. Only valid for an | |||
`init.d` service. | |||
|
|||
|`runUser` | |||
| The user under which the application will run under at runtime. If not set |
No need for the second "under" in this sentence
@@ -780,6 +780,12 @@ for Gradle and to `${project.name}` for Maven. | |||
|The default value for the name of the pid file in `PID_FOLDER`. Only valid for an | |||
`init.d` service. | |||
|
|||
|`runUser` | |||
| The user under which the application will run under at runtime. If not set | |||
the application will run under the id of user who runs the script. If |
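Review bot: the new `runUser` entry does not mention the warning that the script change introduces. Since the launch script now prints a warning when the application will run as root (UID 0), the description should say so here, so that operators who deliberately set runUser=root know the message is expected rather than an error.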
Add "the" so it reads "the id of the user"?
fi | ||
|
||
# Issue an warning if the application will run as root | ||
[[ $(id -u) == "0" ]] && { echoRed "Application is running as root (UID 0)."; } |
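Review bot: typo in the comment on the second-to-last line: "Issue an warning" should read "Issue a warning". The `{ ...; }` group around a single call is also unnecessary; `[[ $(id -u) == "0" ]] && echoRed "..."` behaves the same and reads more simply.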
I think this should be echoYellow rather than echoRed. The latter is only used in the script when there's an error and the script will exit with a non-zero exit code.
And maybe also re-phrase to something like "[WARN] Application is running as root (UID 0). This is considered insecure." to emphasize that it is a warning and not just a yellow colored information :)
Also, shouldn't this be: [[ $(id -u $run_user) == "0" ]] ... ?
I applied all suggested changes.
Is there anything that still needs to be done?
No, I don't think so. Thanks again for the PR.
fi | ||
|
||
# Issue an warning if the application will run as root | ||
[[ $(id -u) == "0" ]] && { echoYellow "[WARN] Application is running as root (UID 0). This is considered insecure."; } |
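Review bot: if this check is switched to the resolved user (`id -u "$run_user"`), note that run_user is only assigned in the block above when the script is started by root and runUser is unset; for a non-root invoker it stays empty, and `id -u ""` fails with a "no such user" error on GNU coreutils. Default it first, e.g. `run_user=${run_user:-$(id -un)}`, or guard the empty case, so ordinary users do not see a spurious error from the warning logic.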
Shouldn't this be $(id -u $run_user)?
Well spotted, @kartoffelsup. I think you're right. Thank you.
That raises the issue of adding some tests for this, which I overlooked when I said that I didn't think that there was anything left to be done.
@obfischer do you have the time to look at adding some tests please? I'm happy to guide you through the process as needed.
Yes, of course. Which tests are missing from your perspective?
A couple of tests would be good:
- Verify that the warning is generated when the application will run as root
- Verify that the warning is not generated when the application will run as another user
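The two behaviours those tests cover, as an added stand-alone example (this is not Spring Boot's launch script, only a POSIX sh sketch of the same logic): run-user resolution with the root-to-jar-owner fallback from the PR, and a root check that follows the resolved user rather than the invoking UID, with the empty-user edge case handled. The function names, the sample jar path and the exit-status convention are assumptions.

```shell
#!/bin/sh
# Added example, not the project's own code.

# resolve_run_user JARFILE CONFIGURED_USER
# An explicit runUser wins; otherwise, if the script itself runs as root, fall
# back to the owner of the jar (as the PR does); otherwise the invoking user.
resolve_run_user() {
  jarfile=$1
  configured=$2
  if [ -n "$configured" ]; then
    printf '%s\n' "$configured"
  elif [ "$(id -u)" = "0" ]; then
    # shellcheck disable=SC2012
    ls -ld "$jarfile" | awk '{print $3}'
  else
    id -un
  fi
}

# will_run_as_root USER
# Exit status 0 if USER resolves to UID 0, 1 for any other user, 2 if the
# account cannot be resolved (an empty run_user ends up here instead of
# producing a stray "no such user" message).
will_run_as_root() {
  uid=$(id -u "$1" 2>/dev/null) || return 2
  [ "$uid" = "0" ]
}

# warn_if_root USER
# Prints the warning text from the PR to stderr when USER is root.
# Exit status: 0 warning printed, 1 not root, 2 user unknown.
warn_if_root() {
  rc=0
  will_run_as_root "$1" || rc=$?
  case $rc in
    0) printf '[WARN] Application is running as root (UID 0). This is considered insecure.\n' >&2 ;;
    2) printf 'Cannot resolve user "%s"\n' "$1" >&2 ;;
  esac
  return "$rc"
}

# Usage when run as a script: ./check.sh app.jar [runUser]
if [ -n "${1:-}" ]; then
  user=$(resolve_run_user "$1" "${2:-}")
  warn_if_root "$user" || printf 'Application will run as %s\n' "$user"
fi
```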
I think the correct module for such tests will be spring-boot-launch-script-tests?
Yes, that's right. Thanks.
I will start now with it.
@obfischer Any luck with writing those tests?
Not until now. I have a huge workload until the end of the month.
Understood. Thanks. There's no major rush from our perspective.
Hi @wilkinsona, I am trying to run the integration tests via Any idea?
It has been quite some time since I set Docker up on my Mac. Does the Docker Toolbox installation available here not work?
Too stupid to Google. I will check it out.
The test setup is now running on my machine.
@wilkinsona I updated the existing tests. Currently there is still one missing test; I hope to write it during the next days.
@obfischer Thanks for the updates
Hi @wilkinsona I added all positive and negative tests and eliminated the bugs I found. Could you please review them if you have time.
Hi @wilkinsona is there a chance that this PR will be accepted for the 1.5 branch? And is it planned to have a new 1.5.x release in the near future? Please let me know if something could be done by me.
No, sorry. Given that this is an enhancement, it will have to go into 2.0 at the earliest. I'll target it at 2.0.0.RC1 and see what we can do.
Thanks. Sorry, but I don't find that argument sufficiently compelling to merge this. The proposal leaves users with multiple ways of doing the same thing and that's something that we try to avoid. We already document some advice on securing a jar so that it cannot be manipulated or replaced. If you prefer your approach to the documented approach, I'd recommend that you consider building your jar with a custom script.
Ok.
@wilkinsona will the warning be added?
Would be nice to have at least a warning.
@obfischer Are you happy for us to extract just that part of the proposed changes from this PR?
Yes, I will do that. Update this PR or should I open a new one?
Thanks. Let's use this one. I've reopened it.
@obfischer Are you still interested in slimming this PR down to the piece that logs the warning?
Hi @wilkinsona, yes. Give me a last chance until next Monday. It is an official holiday here in Germany.
Hi @wilkinsona I changed my PR as you requested.
Thanks very much.
@obfischer Thank you very much for making your first contribution to Spring Boot. The proposed changes have now been merged into master.
* gh-10275: Polish "Issue a warning from launch script when app will run as root" Issue a warning from launch script when app will run as root
Thank you for your support!
The user used in the launch script to run the application is now configurable if needed. Closes #10273.