mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-24 04:57:00 +01:00
Code Issues Actions 10 Packages Projects Releases Wiki Activity

Change root user check to warning due to container run times (#328)

Browse source 
Fixes #327 - In container run times, the default is to run as root. This may be user with virtualised containers or even to just smooth the "first run" process rather than requiring a user for the process and volumes.
This commit is contained in:
Firstyear 2020-10-30 11:12:06 +10:00 committed by GitHub
parent 1a57aa9ea0
commit dc319a98ac
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 33 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
kanidm_book/src/installing_the_server.md
View file

@ -61,3 +61,33 @@ Now we can run the server so that it can accept connections. This defaults to us
If you are interested to run our latest code from development, you can do this by changing the If you are interested to run our latest code from development, you can do this by changing the
docker tag to `kanidm/server:devel`. docker tag to `kanidm/server:devel`.
# Running as non-root in docker
By default the above commands will run kanidmd as "root" in the container to make the onboarding
smoother. However, this is not recommended in production for security reasons.
You should allocate a uidnumber/gidnumber for the service to run as that is unique on your host
system. In this example we use `1000:1000`
You will need to adjust the permissions on the /data volume to ensure that the process
can manage the files. Kanidm requires the ability to write to the /data directory to create
the sqlite files. This uid/gidnumber should match the above. You could consider the following
changes to help isolate these changes:
docker run --rm -i -t -v kanidmd:/data opensuse/leap:latest /bin/sh
# mkdir /data/db/
# chown 1000:1000 /data/db/
# chmod 750 /data/db/
# sed -i -e "s/db_path.*/db_path = \"\/data\/db\/kanidm.db\"/g" /data/server.toml
# chown root:root /data/server.toml
# chmod 644 /data/server.toml
You can then use this with run the kanidm server in docker with a user.
docker run --rm -i -t -u 1000:1000 -v kanidmd:/data kanidm/server:latest /sbin/kanidmd ...
> **HINT**
> You need to use the uidnumber/gidnumber to the `-u` argument, as the container can't resolve
> usernames from the host system.

5
kanidmd/src/server/main.rs
View file

@ -162,8 +162,9 @@ async fn main() {
let cegid = get_effective_gid(); let cegid = get_effective_gid();
if cuid == 0 || ceuid == 0 || cgid == 0 || cegid == 0 { if cuid == 0 || ceuid == 0 || cgid == 0 || cegid == 0 {
eprintln!("ERROR: Refusing to run - this process must not operate as root."); eprintln!("WARNING: This is running as uid == 0 (root) which may be a security risk.");
std::process::exit(1); // eprintln!("ERROR: Refusing to run - this process must not operate as root.");
// std::process::exit(1);
} }
if cuid != ceuid || cgid != cegid { if cuid != ceuid || cgid != cegid {