public inbox for [email protected]
RM4939 - Running in the container as non-root user (5+ messages / 3 participants)
* RM4939 - Running in the container as non-root user
From: Dave Page <[email protected]> @ 2019-12-04 02:51 UTC
To: pgadmin-hackers <[email protected]>
Cc: Syed Fahar Abbas <[email protected]>, Akshay Joshi <[email protected]>

The attached patch fixes $SUBJECT. I'm a little concerned about upgrades though, mostly when using mapped storage or session data. Fahar, can you test such scenarios please?

Patch review is also needed please :-)

-- 
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

Attachment: RM_4939.diff (application/octet-stream, 2.9K), shown inline:

diff --git a/Dockerfile b/Dockerfile index 2f7da8ca8..6be2f6f47 100644 --- a/Dockerfile +++ b/Dockerfile @@ -160,7 +160,9 @@ RUN apk add --no-cache --virtual \ apk add \ postfix \ postgresql-client \ - postgresql-libs && \ + postgresql-libs \ + shadow \ + libcap && \ pip install --upgrade pip && \ pip install --no-cache-dir -r requirements.txt && \ pip install --no-cache-dir gunicorn==19.9.0 && \ @@ -177,6 +179,17 @@ COPY pkg/docker/entrypoint.sh /entrypoint.sh # Precompile and optimize python code to save time and space on startup RUN python -O -m compileall -x node_modules /pgadmin4 +RUN groupadd -g 5050 pgadmin && \ + useradd -r -u 5050 -g pgadmin pgadmin && \ + mkdir -p /var/lib/pgadmin && \ + chown pgadmin:pgadmin /var/lib/pgadmin && \ + mkdir -p /var/log/pgadmin && \ + chown pgadmin:pgadmin /var/log/pgadmin && \ + touch /pgadmin4/config_distro.py && \ + chown pgadmin:pgadmin /pgadmin4/config_distro.py && \ + setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/python3.7 +USER pgadmin + # Finish up VOLUME /var/lib/pgadmin EXPOSE 80 443 diff --git a/docs/en_US/release_notes_4_16.rst b/docs/en_US/release_notes_4_16.rst index 8e8612075..9086c5391 100644 --- a/docs/en_US/release_notes_4_16.rst +++ b/docs/en_US/release_notes_4_16.rst @@ -13,6 +13,7 @@ New features | `Issue #4435 <https://redmine.postgresql.org/issues/4435>`_ - Allow drag and drop functionality for all the nodes under the database node, excluding collection nodes. | `Issue #4711 <https://redmine.postgresql.org/issues/4711>`_ - Use a 'play' icon for the Execute Query button in the Query Tool for greater consistency with other applications. | `Issue #4773 <https://redmine.postgresql.org/issues/4773>`_ - Added role="status" attribute to all the status messages for accessibility. +| `Issue #4939 <https://redmine.postgresql.org/issues/4939>`_ - Run pgAdmin in the container as a non-root user (pgadmin, UID: 5050) | `Issue #4944 <https://redmine.postgresql.org/issues/4944>`_ - Allow Gunicorn logs in the container to be directed to a file specified through GUNICORN_ACCESS_LOGFILE. Housekeeping diff --git a/pkg/docker/entrypoint.sh b/pkg/docker/entrypoint.sh index 070aa5579..47d14bf2d 100755 --- a/pkg/docker/entrypoint.sh +++ b/pkg/docker/entrypoint.sh @@ -1,9 +1,10 @@ #!/bin/sh -# Create config_distro.py. This has some default config, as well as anything +# Populate config_distro.py. This has some default config, as well as anything # provided by the user through the PGADMIN_CONFIG_* environment variables. -# Only write the file on first launch. -if [ ! -f /pgadmin4/config_distro.py ]; then +# Only update the file on first launch. The empty file is created during the +# container build so it can have the required ownership. +if [ `wc -m /pgadmin4/config_distro.py | awk '{ print $1 }'` = "0" ]; then cat << EOF > /pgadmin4/config_distro.py HELP_PATH = '../../docs' DEFAULT_BINARY_PATHS = {
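Review bot: in the Dockerfile `apk add` hunk, `shadow` and `libcap` go into the persistent package list although they are only used at build time (`groupadd`/`useradd` and `setcap` in the later RUN), so the final image ships a user-management suite and capability tooling it never runs. The busybox in the Alpine base already provides `addgroup -g 5050 -S pgadmin` and `adduser -S -u 5050 -G pgadmin pgadmin`, which removes the need for `shadow`; `libcap` can be installed in the `--virtual` build-deps group the same RUN already opens (`RUN apk add --no-cache --virtual \`) with the `setcap` moved into that RUN before the group is deleted, or simply `apk del libcap shadow` at the end of the RUN that calls `setcap`.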
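Review bot: the `chown pgadmin:pgadmin /var/lib/pgadmin` in the user-creation hunk only fixes ownership inside the image layer; a host directory bind-mounted at `/var/lib/pgadmin` keeps the host's ownership, and data written by the previous root-running image is owned by uid 0, so after `USER pgadmin` the server cannot write sessions or storage on upgrade, which is exactly the case Dave asks to have tested. Either document that mapped directories must be `chown -R 5050:5050` before upgrading, or have the entrypoint test writability of `/var/lib/pgadmin` and exit with a clear message. Two smaller points on the same hunk: `setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/python3.7` grants the capability to every Python process started from the image, not only gunicorn, and hard-codes the interpreter path, so the line keeps "succeeding" on a different file once the base image moves to another Python version; resolving the path at build time (`setcap ... "$(readlink -f "$(command -v python3)")"`) fixes the second issue, and listening on an unprivileged port and publishing it with `-p 80:<port>` avoids the capability altogether. The file capability also has no effect when the container runs with `--cap-drop=ALL`, in which case the bind to port 80 (`EXPOSE 80 443`) fails, so the docs should state that CAP_NET_BIND_SERVICE must stay in the bounding set.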
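Review bot: the release-note entry for #4939 states the UID but not what changes for operators: host directories mapped to `/var/lib/pgadmin` (and the file named by GUNICORN_ACCESS_LOGFILE from the #4944 entry just below it) must now be writable by uid 5050, and existing deployments need a `chown -R 5050:5050` on the mapped directory before upgrading. As written, a reader whose upgrade fails on a root-owned volume has nothing in the notes to search for; one extra clause naming the UID requirement for mapped storage would cover it.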
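Review bot: the first-launch test in the entrypoint hunk, `if [ `wc -m /pgadmin4/config_distro.py | awk '{ print $1 }'` = "0" ]; then`, is only correct when the file exists. If it is missing (an image built without the new `touch`, or `/pgadmin4` replaced by a mount), `wc` prints nothing on stdout, the unquoted substitution collapses the command to `[ = "0" ]`, `test` reports a syntax error and returns non-zero, and the default config is silently never written. `if [ ! -s /pgadmin4/config_distro.py ]; then` is true for both the empty file the build creates and a missing one, is POSIX, and drops the backtick-and-awk pipeline.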
* Re: RM4939 - Running in the container as non-root user
From: Akshay Joshi <[email protected]> @ 2019-12-04 09:16 UTC
To: Dave Page <[email protected]>
Cc: pgadmin-hackers <[email protected]>, Syed Fahar Abbas <[email protected]>

Hi Dave

I have reviewed the code and tested the basic scenario. The code looks good to me. I have verified that the user is pgadmin with user id 5050.

With your patch: [image: NonRootUser.png]
Without applying your patch: [image: RootUser.png]

@Fahar please test upgrades mostly when using mapped storage or session data.

On Wed, Dec 4, 2019 at 8:21 AM Dave Page <[email protected]> wrote:
> The attached patch fixes $SUBJECT. I'm a little concerned about upgrades
> though, mostly when using mapped storage or session data. Fahar, can you
> test such scenarios please?
>
> Patch review is also needed please :-)
>
> --
> Dave Page
> Blog: http://pgsnake.blogspot.com
> Twitter: @pgsnake
>
> EnterpriseDB UK: http://www.enterprisedb.com
> The Enterprise PostgreSQL Company

-- 
Thanks & Regards
Akshay Joshi
Sr. Software Architect
EnterpriseDB Software India Private Limited
Mobile: +91 976-788-8246

Attachments: NonRootUser.png (image/png, 62.0K), RootUser.png (image/png, 104.9K)
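The mapped-storage upgrade case that Akshay asks Fahar to test can be checked on the host before the new image is started. The script below is an added example and is not part of the patch or of pgAdmin: it decides whether a directory about to be bind-mounted at /var/lib/pgadmin is writable by the container user the patch creates (uid/gid 5050), prints the `chown` that fixes it when it is not, and shows the first-launch test for config_distro.py in the `-s` form that also handles a missing file. It assumes a Linux host with GNU or busybox `stat -c`, ignores POSIX ACLs, and treats uid 0 as always able to write; the directory names in the usage line are constructed.

```shell
#!/bin/sh
# Added example, not part of the pgAdmin patch or project: pre-flight checks
# for running the pgAdmin container as a non-root user. Assumes GNU/busybox
# `stat -c` (Linux). ACLs are ignored; uid 0 bypasses DAC and is treated as
# always able to write.
PGADMIN_UID=5050   # uid/gid created by the patch's groupadd/useradd
PGADMIN_GID=5050

# mode_allows_write OCTAL_MODE OWNER_MATCH GROUP_MATCH
# POSIX DAC consults exactly one permission triplet: the owner bits when the
# uid matches, else the group bits when the gid matches, else the other bits.
# OWNER_MATCH/GROUP_MATCH are 1 or 0. Returns 0 when the write bit is set.
mode_allows_write() {
    mode=$1
    prefix=${mode%???}           # strips the last three octal digits
    perm=${mode#"$prefix"}       # keeps them, dropping setuid/sticky digits
    if [ "$2" = 1 ]; then
        bits=$(printf '%s' "$perm" | cut -c1)
    elif [ "$3" = 1 ]; then
        bits=$(printf '%s' "$perm" | cut -c2)
    else
        bits=$(printf '%s' "$perm" | cut -c3)
    fi
    [ $((bits & 2)) -ne 0 ]
}

# mapped_dir_writable DIR [UID] [GID]
# Returns 0 when a process running as UID:GID could write DIR; otherwise prints
# the chown that would fix it and returns 1. A bind mount keeps the host's
# ownership, so the image's build-time chown never reaches a mapped directory;
# data written by a root-running container stays owned by uid 0.
mapped_dir_writable() {
    dir=$1
    uid=${2:-$PGADMIN_UID}
    gid=${3:-$PGADMIN_GID}
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi
    if [ "$uid" -eq 0 ]; then
        return 0
    fi
    set -- $(stat -c '%u %g %a' "$dir")   # owner gid mode, e.g. "0 0 700"
    owner=$1
    group=$2
    mode=$3
    om=0
    gm=0
    if [ "$owner" = "$uid" ]; then om=1; fi
    if [ "$group" = "$gid" ]; then gm=1; fi
    if mode_allows_write "$mode" "$om" "$gm"; then
        return 0
    fi
    echo "$dir is $owner:$group mode $mode, not writable by $uid:$gid;" \
         "fix with: chown -R $uid:$gid $dir"
    return 1
}

# needs_initial_config FILE
# First-launch test for config_distro.py. True for the empty file the build
# creates and for a missing file; the `wc -m ... = "0"` form in the patch is
# false when the file is absent, so the defaults would never be written.
needs_initial_config() {
    [ ! -s "$1" ]
}

# Usage on the host (constructed path), before starting the new image:
#   mapped_dir_writable /srv/pgadmin-data || exit 1
#   docker run -v /srv/pgadmin-data:/var/lib/pgadmin ...
```

`mapped_dir_writable` reports only the DAC view; a directory that passes here can still be unwritable inside the container because of a read-only mount, SELinux labels, or a user namespace remapping uid 5050, so the entrypoint still needs its own write check.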
* Re: RM4939 - Running in the container as non-root user
From: Dave Page <[email protected]> @ 2019-12-04 10:53 UTC
To: Akshay Joshi <[email protected]>
Cc: pgadmin-hackers <[email protected]>, Syed Fahar Abbas <[email protected]>

Thanks!

On Wed, Dec 4, 2019 at 4:16 AM Akshay Joshi <[email protected]> wrote:
> Hi Dave
>
> I have reviewed the code and tested the basic scenario. The code looks
> good to me. I have verified that the user is pgadmin with user id 5050.
>
> With your patch: [image: NonRootUser.png]
> Without applying your patch: [image: RootUser.png]
>
> @Fahar please test upgrades mostly when using mapped storage or session
> data.
>
> On Wed, Dec 4, 2019 at 8:21 AM Dave Page <[email protected]> wrote:
>> The attached patch fixes $SUBJECT. I'm a little concerned about upgrades
>> though, mostly when using mapped storage or session data. Fahar, can you
>> test such scenarios please?
>>
>> Patch review is also needed please :-)
>>
>> --
>> Dave Page
>> Blog: http://pgsnake.blogspot.com
>> Twitter: @pgsnake
>>
>> EnterpriseDB UK: http://www.enterprisedb.com
>> The Enterprise PostgreSQL Company
>
> --
> Thanks & Regards
> Akshay Joshi
> Sr. Software Architect
> EnterpriseDB Software India Private Limited
> Mobile: +91 976-788-8246

-- 
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

Attachments: NonRootUser.png (image/png, 62.0K), RootUser.png (image/png, 104.9K)
* Re: RM4939 - Running in the container as non-root user
From: Fahar Abbas <[email protected]> @ 2019-12-09 05:09 UTC
To: Akshay Joshi <[email protected]>
Cc: Dave Page <[email protected]>, pgadmin-hackers <[email protected]>

Hi,

Verification has been completed, now you can commit this patch.

On Wed, Dec 4, 2019 at 2:16 PM Akshay Joshi <[email protected]> wrote:
> Hi Dave
>
> I have reviewed the code and tested the basic scenario. The code looks
> good to me. I have verified that the user is pgadmin with user id 5050.
>
> With your patch: [image: NonRootUser.png]
> Without applying your patch: [image: RootUser.png]
>
> @Fahar please test upgrades mostly when using mapped storage or session
> data.
>
> On Wed, Dec 4, 2019 at 8:21 AM Dave Page <[email protected]> wrote:
>> The attached patch fixes $SUBJECT. I'm a little concerned about upgrades
>> though, mostly when using mapped storage or session data. Fahar, can you
>> test such scenarios please?
>>
>> Patch review is also needed please :-)
>>
>> --
>> Dave Page
>> Blog: http://pgsnake.blogspot.com
>> Twitter: @pgsnake
>>
>> EnterpriseDB UK: http://www.enterprisedb.com
>> The Enterprise PostgreSQL Company
>
> --
> Thanks & Regards
> Akshay Joshi
> Sr. Software Architect
> EnterpriseDB Software India Private Limited
> Mobile: +91 976-788-8246

-- 
Fahar Abbas
QMG
EnterpriseDB Corporation
Phone Office: +92-51-835-8874
Phone Direct: +92-51-8466803
Mobile: +92-333-5409707
Skype ID: live:fahar.abbas
Website: www.enterprisedb.com

Attachments: NonRootUser.png (image/png, 62.0K), RootUser.png (image/png, 104.9K)
* Re: RM4939 - Running in the container as non-root user
From: Akshay Joshi <[email protected]> @ 2019-12-09 05:40 UTC
To: Dave Page <[email protected]>
Cc: pgadmin-hackers <[email protected]>, Fahar Abbas <[email protected]>

Thanks, patch applied.

On Mon, Dec 9, 2019 at 10:40 AM Fahar Abbas <[email protected]> wrote:
> Hi,
>
> Verification has been completed, now you can commit this patch.
>
> On Wed, Dec 4, 2019 at 2:16 PM Akshay Joshi <[email protected]> wrote:
>> Hi Dave
>>
>> I have reviewed the code and tested the basic scenario. The code looks
>> good to me. I have verified that the user is pgadmin with user id 5050.
>>
>> With your patch: [image: NonRootUser.png]
>> Without applying your patch: [image: RootUser.png]
>>
>> @Fahar please test upgrades mostly when using mapped storage or session
>> data.
>>
>> On Wed, Dec 4, 2019 at 8:21 AM Dave Page <[email protected]> wrote:
>>> The attached patch fixes $SUBJECT. I'm a little concerned about upgrades
>>> though, mostly when using mapped storage or session data. Fahar, can you
>>> test such scenarios please?
>>>
>>> Patch review is also needed please :-)
>>>
>>> --
>>> Dave Page
>>> Blog: http://pgsnake.blogspot.com
>>> Twitter: @pgsnake
>>>
>>> EnterpriseDB UK: http://www.enterprisedb.com
>>> The Enterprise PostgreSQL Company
>>
>> --
>> Thanks & Regards
>> Akshay Joshi
>> Sr. Software Architect
>> EnterpriseDB Software India Private Limited
>> Mobile: +91 976-788-8246
>
> --
> Fahar Abbas
> QMG
> EnterpriseDB Corporation
> Phone Office: +92-51-835-8874
> Phone Direct: +92-51-8466803
> Mobile: +92-333-5409707
> Skype ID: live:fahar.abbas
> Website: www.enterprisedb.com

-- 
Thanks & Regards
Akshay Joshi
Sr. Software Architect
EnterpriseDB Software India Private Limited
Mobile: +91 976-788-8246

Attachments: NonRootUser.png (image/png, 62.0K), RootUser.png (image/png, 104.9K)
Thread overview (5+ messages, newest 2019-12-09 05:40 UTC):
2019-12-04 02:51  RM4939 - Running in the container as non-root user  Dave Page <[email protected]>
2019-12-04 09:16  ` Akshay Joshi <[email protected]>
2019-12-04 10:53    ` Dave Page <[email protected]>
2019-12-09 05:09    ` Fahar Abbas <[email protected]>
2019-12-09 05:40      ` Akshay Joshi <[email protected]>