Py-KMS-Organization/py-kms
1
0
Fork 0
mirror of https://github.com/Py-KMS-Organization/py-kms.git synced 2025-12-06 07:42:00 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Added more permission hardening

Browse source 
Signed-off-by: simonmicro <simon@simonmicro.de>
This commit is contained in:
simonmicro 2025-11-08 12:56:11 +01:00
parent a7db498206
commit 94419c1a2f
No known key found for this signature in database
GPG key ID: 033A4D4CE4E063D6
3 changed files with 27 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
docker/docker-py3-kms-minimal/Dockerfile
View file

@ -35,6 +35,13 @@ COPY docker/healthcheck.py /usr/bin/healthcheck.py
COPY docker/start.py /usr/bin/start.py COPY docker/start.py /usr/bin/start.py
RUN chmod 555 /usr/bin/entrypoint.py /usr/bin/healthcheck.py /usr/bin/start.py RUN chmod 555 /usr/bin/entrypoint.py /usr/bin/healthcheck.py /usr/bin/start.py
# Additional permission hardening: All files read-only for the executing user
RUN chown root: -R /home/py-kms && \
chmod 444 -R /home/py-kms && \
chown py-kms: /home/py-kms && \
chmod 700 /home/py-kms && \
find /home/py-kms -type d -print -exec chmod +x {} ';'
WORKDIR /home/py-kms WORKDIR /home/py-kms
EXPOSE ${PORT}/tcp EXPOSE ${PORT}/tcp

7
docker/docker-py3-kms/Dockerfile
View file

@ -41,6 +41,13 @@ COPY docker/healthcheck.py /usr/bin/healthcheck.py
COPY docker/start.py /usr/bin/start.py COPY docker/start.py /usr/bin/start.py
RUN chmod 555 /usr/bin/entrypoint.py /usr/bin/healthcheck.py /usr/bin/start.py RUN chmod 555 /usr/bin/entrypoint.py /usr/bin/healthcheck.py /usr/bin/start.py
# Additional permission hardening: All files read-only for the executing user
RUN chown root: -R /home/py-kms && \
chmod 444 -R /home/py-kms && \
chown py-kms: /home/py-kms && \
chmod 700 /home/py-kms && \
find /home/py-kms -type d -print -exec chmod +x {} ';'
# Web-interface specifics # Web-interface specifics
COPY LICENSE /LICENSE COPY LICENSE /LICENSE
RUN echo "$BUILD_COMMIT" > /VERSION && echo "$BUILD_BRANCH" >> /VERSION RUN echo "$BUILD_COMMIT" > /VERSION && echo "$BUILD_BRANCH" >> /VERSION

20
docker/entrypoint.py
View file

@ -25,29 +25,35 @@ def change_uid_grp(logger):
new_gid = int(os.getenv('GID', str(gid))) new_gid = int(os.getenv('GID', str(gid)))
new_uid = int(os.getenv('UID', str(uid))) new_uid = int(os.getenv('UID', str(uid)))
os.chown("/home/py-kms", new_uid, new_gid) os.chown("/home/py-kms", new_uid, new_gid)
os.chown("/usr/bin/start.py", new_uid, new_gid) os.chmod("/home/py-kms", 0o700)
os.chmod("/usr/bin/start.py", 0o555) # allow execution by non-root users
if os.path.isdir(dbPath): if os.path.isdir(dbPath):
# Corret permissions recursively, as to access the database file, also its parent folder must be accessible # Corret permissions recursively, as to access the database file, also its parent folder must be accessible
logger.debug(f'Correcting owner permissions on {dbPath}.') logger.debug(f'Correcting owner permissions on {dbPath}')
os.chown(dbPath, new_uid, new_gid) os.chown(dbPath, new_uid, new_gid)
os.chmod(dbPath, 0o700) # executable bit on dirs to allow interaction
for root, dirs, files in os.walk(dbPath): for root, dirs, files in os.walk(dbPath):
for dName in dirs: for dName in dirs:
dPath = os.path.join(root, dName) dPath = os.path.join(root, dName)
logger.debug(f'Correcting owner permissions on {dPath}.') logger.debug(f'Correcting owner permissions on {dPath}')
os.chown(dPath, new_uid, new_gid) os.chown(dPath, new_uid, new_gid)
os.chmod(dPath, 0o700) # executable bit on dirs to allow interaction
for fName in files: for fName in files:
fPath = os.path.join(root, fName) fPath = os.path.join(root, fName)
logger.debug(f'Correcting owner permissions on {fPath}.') logger.debug(f'Correcting owner permissions on {fPath}')
os.chown(fPath, new_uid, new_gid) os.chown(fPath, new_uid, new_gid)
os.chmod(fPath, 0o600)
logger.debug(subprocess.check_output(['ls', '-la', dbPath]).decode()) logger.debug(subprocess.check_output(['ls', '-la', dbPath]).decode())
else:
logger.error(f'Database path {dbPath} is not a directory, will not correct owner permissions.')
if 'LOGFILE' in os.environ and os.path.exists(os.environ['LOGFILE']): if 'LOGFILE' in os.environ and os.path.exists(os.environ['LOGFILE']):
# Oh, the user also wants a custom log file -> make sure start.py can access it by setting the correct permissions (777) # Oh, the user also wants a custom log file -> make sure start.py can access it by setting the correct permissions (777)
os.chmod(os.environ['LOGFILE'], 0o777) os.chmod(os.environ['LOGFILE'], 0o777)
logger.error(str(subprocess.check_output(['ls', '-la', os.environ['LOGFILE']]))) logger.error(str(subprocess.check_output(['ls', '-la', os.environ['LOGFILE']])))
logger.info("Setting gid to '%s'." % str(new_gid)) # Drop actual permissions
logger.info(f"Setting gid to {new_gid}")
os.setgid(new_gid) os.setgid(new_gid)
logger.info(f"Setting uid to {new_uid}")
logger.info("Setting uid to '%s'." % str(new_uid))
os.setuid(new_uid) os.setuid(new_uid)
def change_tz(logger): def change_tz(logger):