Merge d006e2e587 into 646f4766f4

Signed-off-by: simonmicro <simon@simonmicro.de>

.github/workflows/bake_to_latest.yml

@@ -14,13 +14,13 @@ jobs:
       contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v5
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v3
         with:
           platforms: all
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1.6.0
+        uses: docker/setup-buildx-action@v3
       - name: Login to DockerHub
         uses: docker/login-action@v1.10.0
         with:
@@ -32,8 +32,8 @@ jobs:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build
-        uses: docker/build-push-action@v2
+      - name: Build (full)
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: ./docker/docker-py3-kms/Dockerfile
@@ -43,8 +43,8 @@ jobs:
           build-args: |
             BUILD_COMMIT=${{ github.sha }}
             BUILD_BRANCH=${{ github.ref_name }}
-      - name: Build
-        uses: docker/build-push-action@v2
+      - name: Build (minimal)
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: ./docker/docker-py3-kms-minimal/Dockerfile

.github/workflows/bake_to_next.yml

@@ -14,13 +14,13 @@ jobs:
       contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v5
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v3
         with:
           platforms: all
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1.6.0
+        uses: docker/setup-buildx-action@v3
       - name: Login to DockerHub
         uses: docker/login-action@v1.10.0
         with:
@@ -32,8 +32,8 @@ jobs:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build
-        uses: docker/build-push-action@v2
+      - name: Build (full)
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: ./docker/docker-py3-kms/Dockerfile
@@ -43,8 +43,8 @@ jobs:
           build-args: |
             BUILD_COMMIT=${{ github.sha }}
             BUILD_BRANCH=${{ github.ref_name }}
-      - name: Build
-        uses: docker/build-push-action@v2
+      - name: Build (minimal)
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: ./docker/docker-py3-kms-minimal/Dockerfile

.github/workflows/bake_to_test.yml

@@ -9,15 +9,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v5
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v3
         with:
           platforms: all
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1.6.0
-      - name: Build
-        uses: docker/build-push-action@v2
+        uses: docker/setup-buildx-action@v3
+      - name: Build (full)
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: ./docker/docker-py3-kms/Dockerfile
@@ -26,8 +26,8 @@ jobs:
           build-args: |
             BUILD_COMMIT=${{ github.sha }}
             BUILD_BRANCH=${{ github.ref_name }}
-      - name: Build
-        uses: docker/build-push-action@v2
+      - name: Build (minimal)
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: ./docker/docker-py3-kms-minimal/Dockerfile
@@ -35,4 +35,4 @@ jobs:
           push: false
           build-args: |
             BUILD_COMMIT=${{ github.sha }}
-            BUILD_BRANCH=${{ github.ref_name }}
+            BUILD_BRANCH=${{ github.ref_name }}

.readthedocs.yaml

@@ -1,12 +1,15 @@
 version: 2
 
 build:
-  os: "ubuntu-22.04"
+  os: "ubuntu-24.04"
   tools:
-    python: "3.10"
+    python: "3.12"
 
 python:
   install:
     - requirements: docs/requirements.txt
 
+sphinx:
+  configuration: docs/conf.py
+
 formats: all

docker/docker-py3-kms-minimal/Dockerfile

@@ -1,19 +1,19 @@
 # This is a minimized version from docker/docker-py3-kms/Dockerfile without SQLite support to further reduce image size
-FROM alpine:3.15
+FROM alpine:3.22
 
-ENV IP ::
-ENV DUALSTACK 1
-ENV PORT 1688
-ENV EPID ""
-ENV LCID 1033
-ENV CLIENT_COUNT 26
-ENV ACTIVATION_INTERVAL 120
-ENV RENEWAL_INTERVAL 10080
+ENV IP=::
+ENV DUALSTACK=1
+ENV PORT=1688
+ENV EPID=""
+ENV LCID=1033
+ENV CLIENT_COUNT=26
+ENV ACTIVATION_INTERVAL=120
+ENV RENEWAL_INTERVAL=10080
 ENV HWID RANDOM
-ENV LOGLEVEL INFO
-ENV LOGFILE STDOUT
-ENV LOGSIZE ""
-ENV WEBUI 0
+ENV LOGLEVEL=INFO
+ENV LOGFILE=STDOUT
+ENV LOGSIZE=""
+ENV WEBUI=0
 
 COPY docker/docker-py3-kms-minimal/requirements.txt /home/py-kms/requirements.txt
 RUN apk add --no-cache --update \
@@ -23,7 +23,7 @@ bash \
   ca-certificates \
   shadow \
   tzdata \
-  && pip3 install --no-cache-dir -r /home/py-kms/requirements.txt \
+  && pip3 install --break-system-packages --no-cache-dir -r /home/py-kms/requirements.txt \
   && adduser -S py-kms -G users -s /bin/bash \
   && chown py-kms:users /home/py-kms \
   # Fix undefined timezone, in case the user did not mount the /etc/localtime
@@ -35,6 +35,13 @@ COPY docker/healthcheck.py /usr/bin/healthcheck.py
 COPY docker/start.py /usr/bin/start.py
 RUN chmod 555 /usr/bin/entrypoint.py /usr/bin/healthcheck.py /usr/bin/start.py
 
+# Additional permission hardening: All files read-only for the executing user
+RUN chown root: -R /home/py-kms && \
+    chmod 444 -R /home/py-kms && \
+    chown py-kms: /home/py-kms && \
+    chmod 700 /home/py-kms && \
+    find /home/py-kms -type d -print -exec chmod +x {} ';'
+
 WORKDIR /home/py-kms
 
 EXPOSE ${PORT}/tcp

docker/docker-py3-kms/Dockerfile

@@ -1,23 +1,23 @@
 # Switch to the target image
-FROM alpine:3.15
+FROM alpine:3.22
 
 ARG BUILD_COMMIT=unknown
 ARG BUILD_BRANCH=unknown
 
-ENV IP ::
-ENV DUALSTACK 1
-ENV PORT 1688
-ENV EPID ""
-ENV LCID 1033
-ENV CLIENT_COUNT 26
-ENV ACTIVATION_INTERVAL 120
-ENV RENEWAL_INTERVAL 10080
-ENV HWID RANDOM
-ENV LOGLEVEL INFO
-ENV LOGFILE STDOUT
-ENV LOGSIZE ""
-ENV TZ America/Chicago
-ENV WEBUI 1
+ENV IP=::
+ENV DUALSTACK=1
+ENV PORT=1688
+ENV EPID=""
+ENV LCID=1033
+ENV CLIENT_COUNT=26
+ENV ACTIVATION_INTERVAL=120
+ENV RENEWAL_INTERVAL=10080
+ENV HWID=RANDOM
+ENV LOGLEVEL=INFO
+ENV LOGFILE=STDOUT
+ENV LOGSIZE=""
+ENV TZ=America/Chicago
+ENV WEBUI=1
 
 COPY docker/docker-py3-kms/requirements.txt /home/py-kms/
 RUN apk add --no-cache --update \
@@ -28,7 +28,7 @@ RUN apk add --no-cache --update \
   ca-certificates \
   tzdata \
   shadow \
-  && pip3 install --no-cache-dir -r /home/py-kms/requirements.txt \
+  && pip3 install --break-system-packages --no-cache-dir -r /home/py-kms/requirements.txt \
   && mkdir /db/ \
   && adduser -S py-kms -G users -s /bin/bash \
   && chown py-kms:users /home/py-kms \
@@ -41,6 +41,13 @@ COPY docker/healthcheck.py /usr/bin/healthcheck.py
 COPY docker/start.py /usr/bin/start.py
 RUN chmod 555 /usr/bin/entrypoint.py /usr/bin/healthcheck.py /usr/bin/start.py
 
+# Additional permission hardening: All files read-only for the executing user
+RUN chown root: -R /home/py-kms && \
+    chmod 444 -R /home/py-kms && \
+    chown py-kms: /home/py-kms && \
+    chmod 700 /home/py-kms && \
+    find /home/py-kms -type d -print -exec chmod +x {} ';'
+
 # Web-interface specifics
 COPY LICENSE /LICENSE
 RUN echo "$BUILD_COMMIT" > /VERSION && echo "$BUILD_BRANCH" >> /VERSION

docker/docker-py3-kms/requirements.txt

@@ -1,5 +1,5 @@
-dnspython==2.6.1
-tzlocal==4.2
+dnspython==2.8.0
+tzlocal==5.3.1
 
-Flask==2.3.2
-gunicorn==22.0.0
+Flask==3.1.2
+gunicorn==23.0.0

docker/entrypoint.py

@@ -25,29 +25,34 @@ def change_uid_grp(logger):
   new_gid = int(os.getenv('GID', str(gid)))
   new_uid = int(os.getenv('UID', str(uid)))
   os.chown("/home/py-kms", new_uid, new_gid)
-  os.chown("/usr/bin/start.py", new_uid, new_gid)
+  os.chmod("/home/py-kms", 0o700)
   if os.path.isdir(dbPath):
-    # Corret permissions recursively, as to access the database file, also its parent folder must be accessible
-    logger.debug(f'Correcting owner permissions on {dbPath}.')
+    # Correct permissions recursively, as to access the database file, also its parent folder must be accessible
+    logger.debug(f'Correcting owner permissions on {dbPath}')
     os.chown(dbPath, new_uid, new_gid)
+    os.chmod(dbPath, 0o700) # executable bit on dirs to allow interaction
     for root, dirs, files in os.walk(dbPath):
       for dName in dirs:
         dPath = os.path.join(root, dName)
-        logger.debug(f'Correcting owner permissions on {dPath}.')
+        logger.debug(f'Correcting owner permissions on {dPath}')
         os.chown(dPath, new_uid, new_gid)
+        os.chmod(dPath, 0o700) # executable bit on dirs to allow interaction
       for fName in files:
         fPath = os.path.join(root, fName)
-        logger.debug(f'Correcting owner permissions on {fPath}.')
+        logger.debug(f'Correcting owner permissions on {fPath}')
         os.chown(fPath, new_uid, new_gid)
+        os.chmod(fPath, 0o600)
     logger.debug(subprocess.check_output(['ls', '-la', dbPath]).decode())
+  else:
+    logger.warning(f'Database path {dbPath} is not a directory, will not correct owner permissions.')
   if 'LOGFILE' in os.environ and os.path.exists(os.environ['LOGFILE']):
     # Oh, the user also wants a custom log file -> make sure start.py can access it by setting the correct permissions (777)
     os.chmod(os.environ['LOGFILE'], 0o777)
     logger.error(str(subprocess.check_output(['ls', '-la', os.environ['LOGFILE']])))
-  logger.info("Setting gid to '%s'." % str(new_gid))
+  # Drop actual permissions
+  logger.info(f"Setting gid to {new_gid}")
   os.setgid(new_gid)
-
-  logger.info("Setting uid to '%s'." % str(new_uid))
+  logger.info(f"Setting uid to {new_uid}")
   os.setuid(new_uid)
 
 def change_tz(logger):