PermissionError: [Errno 13] Permission denied: '/zap/wrk/ #6993

Closed
jamesregis opened this issue Dec 25, 2021 · 11 comments

@jamesregis

jamesregis commented Dec 25, 2021

Describe the bug
The '/zap/wrk/' folder when mounted to docker container is unwritable by user zap thus we are unable to write reports in this directory.

To Reproduce
Steps to reproduce the behavior:

  1. Go to https://www.zaproxy.org/docs/docker/baseline-scan/
  2. Run the command : docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-baseline.py -t https://www.example.com -g gen.conf -r testreport.html
  3. Scroll down the logs
  4. See error :
2021-12-25 17:06:54,547 Could not find custom hooks file at /home/zap/.zap_hooks.py 
Total of 6 URLs
ERROR [Errno 13] Permission denied: '/zap/wrk/gen.conf'
2021-12-25 17:07:52,123 I/O error: [Errno 13] Permission denied: '/zap/wrk/gen.conf'
Traceback (most recent call last):
  File "/zap/zap-full-scan.py", line 403, in main
    with open(base_dir + generate, 'w') as f:
PermissionError: [Errno 13] Permission denied: '/zap/wrk/gen.conf'
Found Java version 11.0.11

Running container content

[root@student-10 OWASP]# docker exec -ti custom-owasp bash
zap@6d3e3f157499:/zap$ ls -ltr
total 5668
-rwxr-xr-x. 1 zap  zap     4175 Jan  2  1970 zap.sh
-rw-r--r--. 1 zap  zap   123778 Jan  2  1970 zap.ico
-rw-r--r--. 1 zap  zap      200 Jan  2  1970 zap.bat
-rw-r--r--. 1 zap  zap  5480951 Jan  2  1970 zap-2.11.1.jar
-rw-r--r--. 1 zap  zap     2211 Jan  2  1970 README
-rw-r--r--. 1 zap  zap    23189 Dec 16 16:35 zap_common.py
-rwxr-xr-x. 1 zap  zap      213 Dec 16 16:35 zap-x.sh
-rwxr-xr-x. 1 zap  zap     2803 Dec 16 16:35 zap-webswing.sh
-rwxr-xr-x. 1 zap  zap    20130 Dec 16 16:35 zap-full-scan.py
-rwxr-xr-x. 1 zap  zap    24660 Dec 16 16:35 zap-baseline.py
-rwxr-xr-x. 1 zap  zap    25656 Dec 16 16:35 zap-api-scan.py
-rw-r--r--. 1 zap  zap     5558 Dec 16 16:35 CHANGELOG.md
drwxr-xr-x. 1 zap  zap        6 Dec 16 16:36 lang
drwxr-xr-x. 1 zap  zap        6 Dec 16 16:36 db
drwxr-xr-x. 1 zap  zap        6 Dec 16 16:36 xml
drwxr-xr-x. 1 zap  zap        6 Dec 16 16:36 scripts
drwxr-xr-x. 1 zap  zap        6 Dec 16 16:36 license
drwxr-xr-x. 1 zap  zap        6 Dec 16 16:36 lib
drwxr-xr-x. 1 zap  zap       56 Dec 16 16:38 webswing
-rw-r--r--. 1 zap  zap       18 Dec 16 16:38 container
drwxr-x---. 3 root root      52 Dec 25 16:51 wrk  <------ is owned by root !
drwxr-xr-x. 2 zap  zap       39 Dec 25 17:06 __pycache__
drwxr-xr-x. 1 zap  zap      141 Dec 25 17:07 plugin
-rw-r--r--. 1 zap  zap    52361 Dec 25 17:07 zap.out

Expected behavior
We should be able to go into the container and write in the /zap/wrk/ folder. Reports should be generated in the mounted folder.

Screenshots
image

Software versions

  • ZAP: docker version (latest) --> 2.11.1
  • Add-on: Name and version [e.g. Passive Scan Rules Alpha v19. https://www.zaproxy.org/faq/how-do-i-see-what-version-of-an-add-on-extension-i-have-installed/]
  • OS: Linux Fedora 35
  • Java: embedded in the container (11.0.11)
  • Browser: N/A

Errors from the zap.log file
pastebin

Additional context
I was using docker and podman

Would you like to help fix this issue?
yes I would like to help.

@thc202
Member

thc202 commented Dec 27, 2021

I'm not getting that error when running that command (the config and report are created).

@JakobHaggCAB

Reproduced this on ubuntu 20.04 as hosting environment. Working as expected on windows host.
Image: sha256:8795269ac00b8c2989d7a1ac37b1ead4aa62b3aaefe62e347c26691a54d17f8e

Did anyone figure out a work-around for this?

@psiinon
Member

psiinon commented Feb 18, 2022

Try this:
docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable touch /zap/wrk/test.txt

That should create a file called test.txt in your cwd. If it doesn't work then try:
docker run -v $(pwd):/zap/wrk/:rw -t ubuntu:20.04 touch /zap/wrk/test.txt

That will use the image that zap2docker-stable uses.
If that works and the previous one doesn't then there's a problem with our image.
If both fail then you have a more general environment / docker problem.

@JakobHaggCAB

First image, owasp/zap2docker-stable, failed with error below. Second image, ubuntu:20.04, succeeded without any problem.

Output:

Digest: sha256:8795269ac00b8c2989d7a1ac37b1ead4aa62b3aaefe62e347c26691a54d17f8e
Status: Downloaded newer image for owasp/zap2docker-stable:latest
touch: cannot touch '/zap/wrk/test.txt': Permission denied

@psiinon
Member

psiinon commented Feb 18, 2022

Interesting.
Do you get your current user if you run this:
docker run -v $(pwd):/zap/wrk/:rw -t ubuntu:20.04 echo $USER

And does this work?
docker run -v $(pwd):/zap/wrk/:rw --user root -t ubuntu:20.04 touch /zap/wrk/test.txt

@JakobHaggCAB

I did some more testing with help of my private server (also ubuntu 20.04) on which everything worked as expected.

Our not-working servers are Microsoft hosted machines in which we have some limitations/restrictions.
So docker run -v $(pwd):/zap/wrk/:rw -t ubuntu:20.04 echo $USER
Outputs $USER and not a username.
docker run -v $(pwd):/zap/wrk/:rw --user root -t ubuntu:20.04 touch /zap/wrk/test.txt
Works.
And that gives us a workaround :)
docker run -v $(pwd):/zap/wrk/:rw --user root owasp/zap2docker-stable zap-full-scan.py -t <target> -c <config> -r report.html
which now works as expected, but of course isn't preferred.

@psiinon
Member

psiinon commented Feb 21, 2022

So .. anyone think we need to do anything here (apart from better docs, which I'm working on) or can we close this now?

@JakobHaggCAB

JakobHaggCAB commented Feb 21, 2022

In my mind @jamesregis's observation is correct and it would be a lot nicer to make /zap/wrk/ owned and writable for the executing user. But if the folder is owned by root for a valid reason then all users should be allowed to write to it. Wouldn't running as root break the Principle of Least Privilege?

In file '/zaproxy/zaproxy/blob/main/docker/Dockerfile-live' there is a part where folder permissions are set (92-99). Should /zap/wrk/ be added there? Something like chown zap:zap -R /zap/wrk/ or chmod a=rw- /zap/wrk/?

@psiinon
Member

psiinon commented Feb 21, 2022

But /zap/wrk does not (and I think cannot) exist in the docker image - it is only created as a result of mapping a drive to that path via the -v $(pwd):/zap/wrk/:rw part.
Or am I missing something?

@JakobHaggCAB

My tests show that it's ok if it exists but mapping it sets the owner to root anyway so that might just swallow other errors for when people forget to map it.

Google indicates that setting a VOLUME does the trick, https://devops.stackexchange.com/questions/4540/how-to-change-the-owner-of-volume-directory-in-dockerfile. But I haven't been able to confirm that.

I'm ok with closing this, since we found a work-around.
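
Added example, not part of the original thread or of the ZAP project: a host-side preflight that applies the classic Unix mode-bit check to the directory about to be bind-mounted, which is the check that fails for user zap against the `drwxr-x--- root root` listing in the report. The function name `mount_writable` is hypothetical; it assumes GNU `stat` and does not model ACLs, SELinux labels or user namespaces.

```shell
#!/usr/bin/env bash
# Added example: names are hypothetical, not part of the ZAP project.
# Answers "can this UID/GID create files in DIR?" using owner/group/other bits.
# Assumes GNU stat; ACLs, SELinux labels and user namespaces are not modelled.

# mount_writable DIR UID GID
# Prints the permission class that applied; returns 0 if writable, 1 if not.
mount_writable() {
  local dir=$1 uid=$2 gid=$3
  local owner group mode bits class

  owner=$(stat -c %u "$dir") || return 2
  group=$(stat -c %g "$dir") || return 2
  mode=$(( 8#$(stat -c %a "$dir") ))   # octal string -> integer

  # UID 0 is not subject to the mode bits (the --user root workaround).
  if [ "$uid" -eq 0 ]; then
    echo "root: bypasses mode bits"
    return 0
  fi

  # Exactly one class applies: owner first, then group, then other.
  if [ "$uid" -eq "$owner" ]; then
    class=owner; bits=$(( (mode >> 6) & 7 ))
  elif [ "$gid" -eq "$group" ]; then
    class=group; bits=$(( (mode >> 3) & 7 ))
  else
    class=other; bits=$(( mode & 7 ))
  fi

  # Creating a file needs both write (2) and search (1) on the directory.
  if [ $(( bits & 3 )) -eq 3 ]; then
    echo "$class: writable"
    return 0
  fi
  echo "$class: not writable (dir owner=$owner:$group mode=$(printf '%o' "$mode"))"
  return 1
}

# Command-line use: script.sh DIR UID GID
if [ "$#" -eq 3 ]; then
  mount_writable "$@"
fi
```

Run it on the host against the directory passed to `-v`, with the UID and GID that `id` reports inside the container; a "not writable" result for a non-root UID points to host-side ownership or mode as the cause rather than the image.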

@thc202 thc202 removed the bug label Apr 12, 2022
@github-actions

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked and limited conversation to collaborators Jul 12, 2022