From 94419c1a2f6159677d9c6a91f38c58b70b97b0e5 Mon Sep 17 00:00:00 2001 From: simonmicro Date: Sat, 8 Nov 2025 12:56:11 +0100 Subject: [PATCH 1/6] Added more permission hardening Signed-off-by: simonmicro --- docker/docker-py3-kms-minimal/Dockerfile | 7 +++++++ docker/docker-py3-kms/Dockerfile | 7 +++++++ docker/entrypoint.py | 20 +++++++++++++------- 3 files changed, 27 insertions(+), 7 deletions(-) diff --git a/docker/docker-py3-kms-minimal/Dockerfile b/docker/docker-py3-kms-minimal/Dockerfile index a2d0df9..765be55 100644 --- a/docker/docker-py3-kms-minimal/Dockerfile +++ b/docker/docker-py3-kms-minimal/Dockerfile @@ -35,6 +35,13 @@ COPY docker/healthcheck.py /usr/bin/healthcheck.py COPY docker/start.py /usr/bin/start.py RUN chmod 555 /usr/bin/entrypoint.py /usr/bin/healthcheck.py /usr/bin/start.py +# Additional permission hardening: All files read-only for the executing user +RUN chown root: -R /home/py-kms && \ + chmod 444 -R /home/py-kms && \ + chown py-kms: /home/py-kms && \ + chmod 700 /home/py-kms && \ + find /home/py-kms -type d -print -exec chmod +x {} ';' + WORKDIR /home/py-kms EXPOSE ${PORT}/tcp diff --git a/docker/docker-py3-kms/Dockerfile b/docker/docker-py3-kms/Dockerfile index 16b3ab5..8ab1531 100644 --- a/docker/docker-py3-kms/Dockerfile +++ b/docker/docker-py3-kms/Dockerfile @@ -41,6 +41,13 @@ COPY docker/healthcheck.py /usr/bin/healthcheck.py COPY docker/start.py /usr/bin/start.py RUN chmod 555 /usr/bin/entrypoint.py /usr/bin/healthcheck.py /usr/bin/start.py +# Additional permission hardening: All files read-only for the executing user +RUN chown root: -R /home/py-kms && \ + chmod 444 -R /home/py-kms && \ + chown py-kms: /home/py-kms && \ + chmod 700 /home/py-kms && \ + find /home/py-kms -type d -print -exec chmod +x {} ';' + # Web-interface specifics COPY LICENSE /LICENSE RUN echo "$BUILD_COMMIT" > /VERSION && echo "$BUILD_BRANCH" >> /VERSION diff --git a/docker/entrypoint.py b/docker/entrypoint.py index 8035cd0..80fb347 100755 --- a/docker/entrypoint.py +++ b/docker/entrypoint.py @@ -25,29 +25,35 @@ def change_uid_grp(logger): new_gid = int(os.getenv('GID', str(gid))) new_uid = int(os.getenv('UID', str(uid))) os.chown("/home/py-kms", new_uid, new_gid) - os.chown("/usr/bin/start.py", new_uid, new_gid) + os.chmod("/home/py-kms", 0o700) + os.chmod("/usr/bin/start.py", 0o555) # allow execution by non-root users if os.path.isdir(dbPath): # Corret permissions recursively, as to access the database file, also its parent folder must be accessible - logger.debug(f'Correcting owner permissions on {dbPath}.') + logger.debug(f'Correcting owner permissions on {dbPath}') os.chown(dbPath, new_uid, new_gid) + os.chmod(dbPath, 0o700) # executable bit on dirs to allow interaction for root, dirs, files in os.walk(dbPath): for dName in dirs: dPath = os.path.join(root, dName) - logger.debug(f'Correcting owner permissions on {dPath}.') + logger.debug(f'Correcting owner permissions on {dPath}') os.chown(dPath, new_uid, new_gid) + os.chmod(dPath, 0o700) # executable bit on dirs to allow interaction for fName in files: fPath = os.path.join(root, fName) - logger.debug(f'Correcting owner permissions on {fPath}.') + logger.debug(f'Correcting owner permissions on {fPath}') os.chown(fPath, new_uid, new_gid) + os.chmod(fPath, 0o600) logger.debug(subprocess.check_output(['ls', '-la', dbPath]).decode()) + else: + logger.error(f'Database path {dbPath} is not a directory, will not correct owner permissions.') if 'LOGFILE' in os.environ and os.path.exists(os.environ['LOGFILE']): # Oh, the user also wants a custom log file -> make sure start.py can access it by setting the correct permissions (777) os.chmod(os.environ['LOGFILE'], 0o777) logger.error(str(subprocess.check_output(['ls', '-la', os.environ['LOGFILE']]))) - logger.info("Setting gid to '%s'." % str(new_gid)) + # Drop actual permissions + logger.info(f"Setting gid to {new_gid}") os.setgid(new_gid) - - logger.info("Setting uid to '%s'." % str(new_uid)) + logger.info(f"Setting uid to {new_uid}") os.setuid(new_uid) def change_tz(logger): From c86f24382972ee2de7c2a38c20bb680d9e08b779 Mon Sep 17 00:00:00 2001 From: simonmicro Date: Sat, 8 Nov 2025 12:56:24 +0100 Subject: [PATCH 2/6] Dependency updates Signed-off-by: simonmicro --- docker/docker-py3-kms-minimal/Dockerfile | 4 ++-- docker/docker-py3-kms/Dockerfile | 4 ++-- docker/docker-py3-kms/requirements.txt | 8 ++++---- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docker/docker-py3-kms-minimal/Dockerfile b/docker/docker-py3-kms-minimal/Dockerfile index 765be55..69bd8d2 100644 --- a/docker/docker-py3-kms-minimal/Dockerfile +++ b/docker/docker-py3-kms-minimal/Dockerfile @@ -1,5 +1,5 @@ # This is a minimized version from docker/docker-py3-kms/Dockerfile without SQLite support to further reduce image size -FROM alpine:3.15 +FROM alpine:3.22 ENV IP :: ENV DUALSTACK 1 @@ -23,7 +23,7 @@ bash \ ca-certificates \ shadow \ tzdata \ - && pip3 install --no-cache-dir -r /home/py-kms/requirements.txt \ + && pip3 install --break-system-packages --no-cache-dir -r /home/py-kms/requirements.txt \ && adduser -S py-kms -G users -s /bin/bash \ && chown py-kms:users /home/py-kms \ # Fix undefined timezone, in case the user did not mount the /etc/localtime diff --git a/docker/docker-py3-kms/Dockerfile b/docker/docker-py3-kms/Dockerfile index 8ab1531..85c6e10 100644 --- a/docker/docker-py3-kms/Dockerfile +++ b/docker/docker-py3-kms/Dockerfile @@ -1,5 +1,5 @@ # Switch to the target image -FROM alpine:3.15 +FROM alpine:3.22 ARG BUILD_COMMIT=unknown ARG BUILD_BRANCH=unknown @@ -28,7 +28,7 @@ RUN apk add --no-cache --update \ ca-certificates \ tzdata \ shadow \ - && pip3 install --no-cache-dir -r /home/py-kms/requirements.txt \ + && pip3 install --break-system-packages --no-cache-dir -r /home/py-kms/requirements.txt \ && mkdir /db/ \ && adduser -S py-kms -G users -s /bin/bash \ && chown py-kms:users /home/py-kms \ diff --git a/docker/docker-py3-kms/requirements.txt b/docker/docker-py3-kms/requirements.txt index 3210657..14b778f 100644 --- a/docker/docker-py3-kms/requirements.txt +++ b/docker/docker-py3-kms/requirements.txt @@ -1,5 +1,5 @@ -dnspython==2.6.1 -tzlocal==4.2 +dnspython==2.8.0 +tzlocal==5.3.1 -Flask==2.3.2 -gunicorn==22.0.0 \ No newline at end of file +Flask==3.1.2 +gunicorn==23.0.0 \ No newline at end of file From 88b5bb47c640b833e7a96f30e719048eaed36630 Mon Sep 17 00:00:00 2001 From: simonmicro Date: Sat, 8 Nov 2025 13:00:55 +0100 Subject: [PATCH 3/6] Updated all workflow jobs Signed-off-by: simonmicro --- .github/workflows/bake_to_latest.yml | 10 +++++----- .github/workflows/bake_to_next.yml | 10 +++++----- .github/workflows/bake_to_test.yml | 12 ++++++------ 3 files changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/workflows/bake_to_latest.yml b/.github/workflows/bake_to_latest.yml index c5c0cba..e15096f 100644 --- a/.github/workflows/bake_to_latest.yml +++ b/.github/workflows/bake_to_latest.yml @@ -14,13 +14,13 @@ jobs: contents: read steps: - name: Checkout - uses: actions/checkout@v2.3.4 + uses: actions/checkout@v5 - name: Set up QEMU - uses: docker/setup-qemu-action@v1 + uses: docker/setup-qemu-action@v3 with: platforms: all - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1.6.0 + uses: docker/setup-buildx-action@v3 - name: Login to DockerHub uses: docker/login-action@v1.10.0 with: @@ -33,7 +33,7 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v6 with: context: . file: ./docker/docker-py3-kms/Dockerfile @@ -44,7 +44,7 @@ jobs: BUILD_COMMIT=${{ github.sha }} BUILD_BRANCH=${{ github.ref_name }} - name: Build - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v6 with: context: . file: ./docker/docker-py3-kms-minimal/Dockerfile diff --git a/.github/workflows/bake_to_next.yml b/.github/workflows/bake_to_next.yml index f605731..481095a 100644 --- a/.github/workflows/bake_to_next.yml +++ b/.github/workflows/bake_to_next.yml @@ -14,13 +14,13 @@ jobs: contents: read steps: - name: Checkout - uses: actions/checkout@v2.3.4 + uses: actions/checkout@v5 - name: Set up QEMU - uses: docker/setup-qemu-action@v1 + uses: docker/setup-qemu-action@v3 with: platforms: all - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1.6.0 + uses: docker/setup-buildx-action@v3 - name: Login to DockerHub uses: docker/login-action@v1.10.0 with: @@ -33,7 +33,7 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v6 with: context: . file: ./docker/docker-py3-kms/Dockerfile @@ -44,7 +44,7 @@ jobs: BUILD_COMMIT=${{ github.sha }} BUILD_BRANCH=${{ github.ref_name }} - name: Build - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v6 with: context: . file: ./docker/docker-py3-kms-minimal/Dockerfile diff --git a/.github/workflows/bake_to_test.yml b/.github/workflows/bake_to_test.yml index 2790ba4..1e1878e 100644 --- a/.github/workflows/bake_to_test.yml +++ b/.github/workflows/bake_to_test.yml @@ -9,15 +9,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v2.3.4 + uses: actions/checkout@v5 - name: Set up QEMU - uses: docker/setup-qemu-action@v1 + uses: docker/setup-qemu-action@v3 with: platforms: all - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1.6.0 + uses: docker/setup-buildx-action@v3 - name: Build - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v6 with: context: . file: ./docker/docker-py3-kms/Dockerfile @@ -27,7 +27,7 @@ jobs: BUILD_COMMIT=${{ github.sha }} BUILD_BRANCH=${{ github.ref_name }} - name: Build - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v6 with: context: . file: ./docker/docker-py3-kms-minimal/Dockerfile @@ -35,4 +35,4 @@ jobs: push: false build-args: | BUILD_COMMIT=${{ github.sha }} - BUILD_BRANCH=${{ github.ref_name }} \ No newline at end of file + BUILD_BRANCH=${{ github.ref_name }} From fc4f6b37e010fb9d3fb13fcc963883334a01c6bc Mon Sep 17 00:00:00 2001 From: simonmicro Date: Sat, 8 Nov 2025 13:04:01 +0100 Subject: [PATCH 4/6] New job labels Signed-off-by: simonmicro --- .github/workflows/bake_to_latest.yml | 4 ++-- .github/workflows/bake_to_next.yml | 4 ++-- .github/workflows/bake_to_test.yml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/bake_to_latest.yml b/.github/workflows/bake_to_latest.yml index e15096f..73a8c25 100644 --- a/.github/workflows/bake_to_latest.yml +++ b/.github/workflows/bake_to_latest.yml @@ -32,7 +32,7 @@ jobs: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Build + - name: Build (full) uses: docker/build-push-action@v6 with: context: . @@ -43,7 +43,7 @@ jobs: build-args: | BUILD_COMMIT=${{ github.sha }} BUILD_BRANCH=${{ github.ref_name }} - - name: Build + - name: Build (minimal) uses: docker/build-push-action@v6 with: context: . diff --git a/.github/workflows/bake_to_next.yml b/.github/workflows/bake_to_next.yml index 481095a..99032e0 100644 --- a/.github/workflows/bake_to_next.yml +++ b/.github/workflows/bake_to_next.yml @@ -32,7 +32,7 @@ jobs: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Build + - name: Build (full) uses: docker/build-push-action@v6 with: context: . @@ -43,7 +43,7 @@ jobs: build-args: | BUILD_COMMIT=${{ github.sha }} BUILD_BRANCH=${{ github.ref_name }} - - name: Build + - name: Build (minimal) uses: docker/build-push-action@v6 with: context: . diff --git a/.github/workflows/bake_to_test.yml b/.github/workflows/bake_to_test.yml index 1e1878e..72fc196 100644 --- a/.github/workflows/bake_to_test.yml +++ b/.github/workflows/bake_to_test.yml @@ -16,7 +16,7 @@ jobs: platforms: all - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: Build + - name: Build (full) uses: docker/build-push-action@v6 with: context: . @@ -26,7 +26,7 @@ jobs: build-args: | BUILD_COMMIT=${{ github.sha }} BUILD_BRANCH=${{ github.ref_name }} - - name: Build + - name: Build (minimal) uses: docker/build-push-action@v6 with: context: . From 7098a455c3dff5a52fd443325daece0e1a07dcd4 Mon Sep 17 00:00:00 2001 From: simonmicro Date: Sat, 8 Nov 2025 13:08:00 +0100 Subject: [PATCH 5/6] Typo Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- docker/entrypoint.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/entrypoint.py b/docker/entrypoint.py index 80fb347..0323a85 100755 --- a/docker/entrypoint.py +++ b/docker/entrypoint.py @@ -28,7 +28,7 @@ def change_uid_grp(logger): os.chmod("/home/py-kms", 0o700) os.chmod("/usr/bin/start.py", 0o555) # allow execution by non-root users if os.path.isdir(dbPath): - # Corret permissions recursively, as to access the database file, also its parent folder must be accessible + # Correct permissions recursively, as to access the database file, also its parent folder must be accessible logger.debug(f'Correcting owner permissions on {dbPath}') os.chown(dbPath, new_uid, new_gid) os.chmod(dbPath, 0o700) # executable bit on dirs to allow interaction From af78d24b94074027d272bc2944586d3d5b030712 Mon Sep 17 00:00:00 2001 From: simonmicro Date: Sat, 8 Nov 2025 13:08:32 +0100 Subject: [PATCH 6/6] As the code continues regardless, only show a warning Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- docker/entrypoint.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/entrypoint.py b/docker/entrypoint.py index 0323a85..b4f77ea 100755 --- a/docker/entrypoint.py +++ b/docker/entrypoint.py @@ -45,7 +45,7 @@ def change_uid_grp(logger): os.chmod(fPath, 0o600) logger.debug(subprocess.check_output(['ls', '-la', dbPath]).decode()) else: - logger.error(f'Database path {dbPath} is not a directory, will not correct owner permissions.') + logger.warning(f'Database path {dbPath} is not a directory, will not correct owner permissions.') if 'LOGFILE' in os.environ and os.path.exists(os.environ['LOGFILE']): # Oh, the user also wants a custom log file -> make sure start.py can access it by setting the correct permissions (777) os.chmod(os.environ['LOGFILE'], 0o777)