The container only runs without permissions at the moment it runs the uWSGI server, the rest of the script runs with the ownership that Docker is running (by default root unless overridden with "user" directive) so other container managers such as Podman or Docker rootless are (should) not affected by this issue. See this.
Before you go and copy-paste this into your compose file, you must know that this solution is UNSAFE and you will give the container FULL ACCESS to your host FILESYSTEM. Also this does not work for systems that actively enforce a SELinux policy. By setting the `DAC_OVERRIDE` flag you are giving the privilege to completely override permissions, allowing you to modify other files on the host such as the mounted searxng/ folder; doing this will give new files the root ownership:
The good and not so flexible solution is to set, with the "user" directive in your compose file, the UID/GID of the ownership where that folder is located, avoiding the use of that devil's flag and continuing to use SELinux without adding new policies:
As this solution requires additional config (besides not being possible in some cases) it is omitted as a default solution, at most a note about this could be added on README.
Closes #238
Closes #252
Closes #258
Related #115
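An added example, not part of this pull request or the project's code: a small shell check that flags a compose file granting `DAC_OVERRIDE` and derives the UID:GID to put in the "user" directive from the owner of the mounted folder. The function names, file names and the sample compose content are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example; the compose file and folder used by demo() are constructed.

# Print "UID:GID" of the host folder that is bind-mounted into the container.
owner_ids() {
    stat -c '%u:%g' "$1" 2>/dev/null || stat -f '%u:%g' "$1"
}

# Succeed if an uncommented line of the compose file mentions DAC_OVERRIDE.
grants_dac_override() {
    grep -v '^[[:space:]]*#' "$1" | grep -q 'DAC_OVERRIDE'
}

# Succeed if the compose file pins the given UID:GID with the "user" directive.
pins_user() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -Eq "^[[:space:]]*user:[[:space:]]*[\"']?$2[\"']?[[:space:]]*\$"
}

# Usage: audit_compose <compose file> <mounted folder>; returns 0 only when
# DAC_OVERRIDE is absent and "user" matches the folder's owner.
audit_compose() {
    ids=$(owner_ids "$2") || return 2
    status=0
    if grants_dac_override "$1"; then
        echo "WARN: $1 adds DAC_OVERRIDE (bypasses file permission checks)"
        status=1
    fi
    if pins_user "$1" "$ids"; then
        echo "OK: user directive matches the owner of $2 ($ids)"
    else
        echo "HINT: set  user: \"$ids\"  to run as the owner of $2"
        status=1
    fi
    return "$status"
}

demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/searxng"
    printf '%s\n' 'services:' '  searxng:' '    cap_add:' \
        '      - DAC_OVERRIDE' > "$tmp/weak.yml"
    audit_compose "$tmp/weak.yml" "$tmp/searxng"
    rm -rf "$tmp"
}
demo
```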