Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Plugin crons and core systemd services stop working with this plugin installed #36

Open
d1ceward opened this issue Oct 17, 2022 · 0 comments · May be fixed by #37
Open

Plugin crons and core systemd services stop working with this plugin installed #36

d1ceward opened this issue Oct 17, 2022 · 0 comments · May be fixed by #37

Comments

@d1ceward
Copy link

d1ceward commented Oct 17, 2022
edited
Loading

Description of problem

After installing this plugin I noticed that all my backup crons created from the dokku-postgres/dokku-redis plugins and the systemd dokku-redeploy/dokku-retire services from dokku itself stopped working.

Steps to Reproduce

  1. Install this plugin
  2. Manually start dokku-retire with systemctl start dokku-retire
  3. Systemd error

Actual Results

Error from journalctl logs for dokku-retire service :

!     User default does not have permissions to run ps:retire
!     Access denied

Expected Results

No error

Environment Information

dokku report output

See report 
-----> uname: Linux hr-karmeliet 5.19.3-arch1-1 #1 SMP PREEMPT_DYNAMIC Sun, 21 Aug 2022 18:55:22 +0000 x86_64 GNU/Linux
-----> memory:
                      total        used        free      shared  buff/cache   available
       Mem:           31929        7913        3768         461       20247       23100
       Swap:          32006         333       31672
-----> docker version:
       Client:
        Version:           20.10.19
        API version:       1.41
        Go version:        go1.19.2
        Git commit:        d85ef84533
        Built:             Sat Oct 15 20:20:02 2022
        OS/Arch:           linux/amd64
        Context:           default
        Experimental:      true

       Server:
        Engine:
         Version:          20.10.17
         API version:      1.41 (minimum version 1.12)
         Go version:       go1.18.3
         Git commit:       a89b84221c
         Built:            Sat Jun 11 23:27:14 2022
         OS/Arch:          linux/amd64
         Experimental:     false
        containerd:
         Version:          v1.6.8
         GitCommit:        9cd3357b7fd7218e4aec3eae239db1f68a5a6ec6.m
        runc:
         Version:          1.1.4
         GitCommit:
        docker-init:
         Version:          0.19.0
         GitCommit:        de40ad0
-----> docker daemon info:
       Client:
        Context:    default
        Debug Mode: true
        Plugins:
         compose: Docker Compose (Docker Inc., 2.11.2)

       Server:
        Containers: 24
         Running: 23
         Paused: 0
         Stopped: 1
        Images: 135
        Server Version: 20.10.17
        Storage Driver: overlay2
         Backing Filesystem: extfs
         Supports d_type: true
         Native Overlay Diff: false
         userxattr: false
        Logging Driver: json-file
        Cgroup Driver: systemd
        Cgroup Version: 2
        Plugins:
         Volume: local
         Network: bridge host ipvlan macvlan null overlay
         Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
        Swarm: inactive
        Runtimes: io.containerd.runtime.v1.linux runc io.containerd.runc.v2
        Default Runtime: runc
        Init Binary: docker-init
        containerd version: 9cd3357b7fd7218e4aec3eae239db1f68a5a6ec6.m
        runc version:
        init version: de40ad0
        Security Options:
         seccomp
          Profile: default
         cgroupns
        Kernel Version: 5.19.3-arch1-1
        Operating System: Arch Linux
        OSType: linux
        Architecture: x86_64
        CPUs: 8
        Total Memory: 31.18GiB
        Name: hr-karmeliet
        ID: IUET:JOT3:NGWO:UMSV:JCMN:3ZMO:BDF3:E7TQ:TIY4:JT3D:FSLF:M7VP
        Docker Root Dir: /var/lib/docker
        Debug Mode: false
        Registry: https://index.docker.io/v1/
        Labels:
        Experimental: false
        Insecure Registries:
         127.0.0.0/8
        Live Restore Enabled: false

-----> git version: git version 2.38.0
-----> sigil version: 0.9.0build+bc921b7
-----> herokuish version:
       herokuish: 0.5.37
       buildpacks:
         heroku-buildpack-multi     v1.2.0
         heroku-buildpack-ruby      v244
         heroku-buildpack-nodejs    v198
         heroku-buildpack-clojure   v90
         heroku-buildpack-python    v214
         heroku-buildpack-java      v72
         heroku-buildpack-gradle    v38
         heroku-buildpack-scala     v94
         heroku-buildpack-play      v26
         heroku-buildpack-php       v223
         heroku-buildpack-go        v166
         heroku-buildpack-nginx     v16
         buildpack-null             v3
-----> dokku version: dokku version 0.28.1
-----> plugn version: plugn: 0.12.0build+3a27594
-----> dokku plugins:
         00_dokku-standard    0.28.1 enabled    dokku core standard plugin
         20_events            0.28.1 enabled    dokku core events logging plugin
         acl                  1.5.1 enabled    dokku plugin that can be used to restrict push privileges for app to certain users
         app-json             0.28.1 enabled    dokku core app-json plugin
         apps                 0.28.1 enabled    dokku core apps plugin
         apt                  0.12.0 enabled    Inject deb packages into dokku based on files in project
         builder              0.28.1 enabled    dokku core builder plugin
         builder-dockerfile   0.28.1 enabled    dokku core builder-dockerfile plugin
         builder-herokuish    0.28.1 enabled    dokku core builder-herokuish plugin
         builder-lambda       0.27.0 enabled    dokku core builder-lambda plugin
         builder-null         0.28.1 enabled    dokku core builder-null plugin
         builder-pack         0.28.1 enabled    dokku core builder-pack plugin
         buildpacks           0.28.1 enabled    dokku core buildpacks plugin
         caddy-vhosts         0.28.1 enabled    dokku core caddy-vhosts plugin
         certs                0.28.1 enabled    dokku core certificate management plugin
         checks               0.28.1 enabled    dokku core checks plugin
         common               0.28.1 enabled    dokku core common plugin
         config               0.28.1 enabled    dokku core config plugin
         cron                 0.28.1 enabled    dokku core cron plugin
         docker-options       0.28.1 enabled    dokku core docker-options plugin
         domains              0.28.1 enabled    dokku core domains plugin
         elasticsearch        1.24.0 enabled    dokku elasticsearch service plugin
         enter                0.28.1 enabled    dokku core enter plugin
         git                  0.28.1 enabled    dokku core git plugin
         letsencrypt          0.18.1 enabled    Automated installation of let's encrypt TLS certificates
         logs                 0.28.1 enabled    dokku core logs plugin
         logspout             0.4.0 enabled    sends dokku app stdout to a logging service
         network              0.28.1 enabled    dokku core network plugin
         nginx-vhosts         0.28.1 enabled    dokku core nginx-vhosts plugin
         plugin               0.28.1 enabled    dokku core plugin plugin
         postgres             1.24.0 enabled    dokku postgres service plugin
         proxy                0.28.1 enabled    dokku core proxy plugin
         ps                   0.28.1 enabled    dokku core ps plugin
         redirect             0.7.1 enabled    Plugin for managing application redirects
         redis                1.24.0 enabled    dokku redis service plugin
         registry             0.28.1 enabled    dokku core registry plugin
         repo                 0.28.1 enabled    dokku core repo plugin
         resource             0.28.1 enabled    dokku core resource plugin
         run                  0.28.1 enabled    dokku core run plugin
         scheduler            0.28.1 enabled    dokku core scheduler plugin
         scheduler-docker-local 0.28.1 enabled    dokku core scheduler-docker-local plugin
         scheduler-null       0.28.1 enabled    dokku core scheduler-null plugin
         shell                0.28.1 enabled    dokku core shell plugin
         ssh-keys             0.28.1 enabled    dokku core ssh-keys plugin
         storage              0.28.1 enabled    dokku core storage plugin
         trace                0.28.1 enabled    dokku core trace plugin
         traefik-vhosts       0.28.1 enabled    dokku core traefik-vhosts plugin

dokku acl:report output

=====> example acl information
       Acl allowed users:
       Acl global allow command line:
       Acl global super user:         d1ceward
       Acl global user commands:      help version
       Acl global per app commands:   logs urls ps:rebuild ps:restart ps:stop ps:start

ls -lah ~dokku/.dokkurc/ output

total 16K
drwxr-xr-x  2 dokku dokku 4.0K Oct 17 14:54 .
drwx------ 13 dokku dokku 4.0K Sep  7 11:44 ..
-rw-r--r--  1 dokku dokku  384 Oct 17 14:54 acl
-rw-r--r--  1 dokku dokku   22 Oct 14 16:13 DOKKU_EVENTS

How (deb/make/rpm) and where (AWS, VirtualBox, physical, etc.) was Dokku installed?:

Installed from AUR (Arch linux User Repository) on a physical machine.
PS: I'm the maintainer of the AUR package for dokku

Additional information

Output of failing Dokku commands after running dokku trace on

See output 
+ [[ ps:retire == \v\e\r\s\i\o\n ]]
+ for allowed in $DOKKU_ACL_PER_APP_COMMANDS
+ [[ ps:retire == \l\o\g\s ]]
+ for allowed in $DOKKU_ACL_PER_APP_COMMANDS
+ [[ ps:retire == \u\r\l\s ]]
+ for allowed in $DOKKU_ACL_PER_APP_COMMANDS
+ [[ ps:retire == \p\s\:\r\e\b\u\i\l\d ]]
+ for allowed in $DOKKU_ACL_PER_APP_COMMANDS
+ [[ ps:retire == \p\s\:\r\e\s\t\a\r\t ]]
+ for allowed in $DOKKU_ACL_PER_APP_COMMANDS
+ [[ ps:retire == \p\s\:\s\t\o\p ]]
+ for allowed in $DOKKU_ACL_PER_APP_COMMANDS
+ [[ ps:retire == \p\s\:\s\t\a\r\t ]]
+ for allowed in $DOKKU_ACL_LINK_COMMANDS
+ [[ ps:retire == \r\e\d\i\s\:\l\o\g\s ]]
+ dokku_log_fail 'User default does not have permissions to run ps:retire'
+ declare 'desc=log fail formatter'
+ echo ' !     User default does not have permissions to run ps:retire'
 !     User default does not have permissions to run ps:retire
+ exit 1
+ return 1
+ dokku_log_fail 'Access denied'
+ declare 'desc=log fail formatter'
+ echo ' !     Access denied'
!     Access denied
+ exit 1

Workaround

I noticed that when the commands were launched by systemd or crons the variables $NAME, $SSH_NAME and $SSH_USER were empty with the variable $USER equal to "dokku" but not in other cases (command launched by SSH).

So I added "dokku" in the variable $DOKKU_SUPER_USER and added a piece of code in /home/dokku/.dokkurc/acl that only in this case fill the variable $NAME by "dokku"

if [[ $USER == "dokku" && -z $NAME && -z $SSH_USER && -z $SSH_NAME ]]; then
  export NAME="dokku"
fi

export DOKKU_SUPER_USER="dokku"

But I'm not sure if it opens the door to exploits and prevents another user from becoming a superuser.

Seems to be linked to #22
RealOrangeOne added a commit to RealOrangeOne/dokku-acl that referenced this issue Apr 10, 2023
@RealOrangeOne
Add support for specifying multiple superusers
363b491 
This not only makes running commands manually much simpler, but removes some confusion around "dokku" / "default" user as the superuser (some places need both).

Fixes dokku-community#22
Fixes dokku-community#36
@RealOrangeOne RealOrangeOne linked a pull request Apr 10, 2023 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add support for specifying multiple superusers RealOrangeOne/dokku-acl
1 participant
@d1ceward