Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Quorum Data Directory Permission reverts back to 'root:root' ownership #1567

Closed
jeremy-soh-partior opened this issue Nov 25, 2022 · 1 comment
Closed

Quorum Data Directory Permission reverts back to 'root:root' ownership #1567

jeremy-soh-partior opened this issue Nov 25, 2022 · 1 comment

Comments

@jeremy-soh-partior
Copy link

System information

Geth version: Version: 1.10.3-stable; Git Commit: f4dd848e6a5bc38c5d70da1a616dc4c75f8ad93a; Quorum Version: 22.7.3; Architecture: amd64; Network Id: 1337; Go Version: go1.16.15; Operating System: linux; GOPATH=; GOROOT=go
OS & Version: Red Hat Enterprise Linux release 9.0 (Plow) - Linux version 5.15.65+ (builder@localhost) (Chromium OS 14.0_pre445002_p20220217-r2 clang version 14.0.0 (/var/tmp/portage/sys-devel/llvm-14.0_pre445002_p20220217-r2/work/llvm-14.0_pre445002_p20220217/clang 18308e171b5b1dd99627a4d88c7d6c5ff21b8c96), LLD 14.0.0) #1 SMP Sat Nov 5 09:06:56 UTC 2022
Commit hash : f4dd848e6a5bc38c5d70da1a616dc4c75f8ad93a

Expected behaviour

As part of the docker image security hardening based on industry best practices, dockerfile drops privileges of root and runs in the context of a user. For example:

RUN groupadd -r partior && useradd -r -g partior partior
RUN mkdir /home/partior /etc/quorum /etc/quorum/qdata /etc/quorum/qdata/dd /etc/quorum/genesis && \
    chown partior:partior -R /home/partior /etc/quorum /etc/quorum/qdata /etc/quorum/qdata/dd /etc/quorum/genesis && \
USER partior:partior

It is expected that the user 'partior' would be able to access all the necessary directories during operation.

Actual behaviour

Encountered permission issues with the following directory:

  • /etc/quorum/qdata/**

While most folders within /etc/quorum/** retain the Dockerfile defined ownership, further investigations indicated that any directory under the/etc/quorum/qdata/ undergoes ownership change back to root:root despite initial Dockerfile configuration.

Stick bit does not help. (i.e. chmod +t -R /etc/quorum/qdata)

Steps to reproduce the behaviour

  1. Dockerfile to drop privileges by adding following directives:
RUN groupadd -r someuser && useradd -r -g someuser someuser
RUN mkdir /home/someuser /etc/quorum /etc/quorum/qdata /etc/quorum/qdata/dd /etc/quorum/genesis && \
    chown partior:partior -R /home/partior /etc/quorum /etc/quorum/qdata /etc/quorum/qdata/dd /etc/quorum/genesis
USER someuser:someuser
  1. During Quorum node run-time, shell into the container and perform ls -alh /etc/quorum/qdata. You should see that the permission reverted to root:root.

Backtrace

N/A
@antonydenyer
Copy link
Contributor

You can change the directory you use for data and or mount it with different permissions.

It's been discussed before but won't be changed.

ethereum/go-ethereum#24644

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@antonydenyer @jeremy-soh-partior