From 688b292c243e6f58d3079e7cdd45100b08631ce3 Mon Sep 17 00:00:00 2001
From: Beau Frusetta
Date: Fri, 8 Jan 2021 14:38:22 -0700
Subject: [PATCH] feat(security): secure containers run as non-root

Modified the entrypoint script of security-secretstore-setup to set the appropriate ownership of the /tmp/edgex/secrets directory that's mounted to retrieve secrets in various services used throughout.

Removed a security concern from the entrypoint script of security-secretstore-setup that allowed root level CLI execution access to anyone that could add parameters via CMD in the dockerfile.

Signed-off-by: Beau Frusetta
---
 cmd/core-command/Dockerfile | 1 +
 cmd/core-metadata/Dockerfile | 1 +
 cmd/security-secretstore-setup/Dockerfile | 6 ++++--
 cmd/security-secretstore-setup/entrypoint.sh | 22 +++++++-------------
 cmd/support-notifications/Dockerfile | 1 +
 cmd/support-scheduler/Dockerfile | 1 +
 6 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/cmd/core-command/Dockerfile b/cmd/core-command/Dockerfile
index 071028a4d6..2fcec38247 100644
--- a/cmd/core-command/Dockerfile
+++ b/cmd/core-command/Dockerfile
@@ -49,5 +49,6 @@ WORKDIR /
 COPY --from=builder /edgex-go/cmd/core-command/Attribution.txt /
 COPY --from=builder /edgex-go/cmd/core-command/core-command /
 COPY --from=builder /edgex-go/cmd/core-command/res/configuration.toml /res/configuration.toml
+
 ENTRYPOINT ["/core-command"]
 CMD ["-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"]
diff --git a/cmd/core-metadata/Dockerfile b/cmd/core-metadata/Dockerfile
index 20538832fa..a613520031 100644
--- a/cmd/core-metadata/Dockerfile
+++ b/cmd/core-metadata/Dockerfile
@@ -49,5 +49,6 @@ WORKDIR /
 COPY --from=builder /edgex-go/cmd/core-metadata/Attribution.txt /
 COPY --from=builder /edgex-go/cmd/core-metadata/core-metadata /
 COPY --from=builder /edgex-go/cmd/core-metadata/res/configuration.toml /res/configuration.toml
+
 ENTRYPOINT ["/core-metadata"]
 CMD ["-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"]
diff --git a/cmd/security-secretstore-setup/Dockerfile b/cmd/security-secretstore-setup/Dockerfile
index 9a30fed40b..806ed825b5 100644
--- a/cmd/security-secretstore-setup/Dockerfile
+++ b/cmd/security-secretstore-setup/Dockerfile
@@ -50,9 +50,11 @@ COPY --from=builder /edgex-go/cmd/security-secretstore-setup/res/configuration.t
 COPY --from=builder /edgex-go/cmd/security-file-token-provider/security-file-token-provider .
 COPY --from=builder /edgex-go/cmd/security-secretstore-setup/security-secretstore-setup .
 
-# setup the entry point script
+# Setup the entry point script, create token dir, and assign perms
 COPY --from=builder /edgex-go/cmd/security-secretstore-setup/entrypoint.sh /usr/local/bin/
 RUN chmod +x /usr/local/bin/entrypoint.sh \
- && ln -s /usr/local/bin/entrypoint.sh /
+ && ln -s /usr/local/bin/entrypoint.sh / \
+ && mkdir -p /vault/config/assets \
+ && chown -Rh 100:1000 /vault/
 ENTRYPOINT ["entrypoint.sh"]
diff --git a/cmd/security-secretstore-setup/entrypoint.sh b/cmd/security-secretstore-setup/entrypoint.sh
index 1c7e5673c9..fb704c1722 100644
--- a/cmd/security-secretstore-setup/entrypoint.sh
+++ b/cmd/security-secretstore-setup/entrypoint.sh
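Review bot: The `chown -Rh 100:1000 /vault/` added to the RUN step hard-codes a uid:gid whose meaning was only explained by the comment this commit removes from entrypoint.sh (`grant permissions of folders for vault:vault`); that explanation is lost in this hunk, so I would add `# 100:1000 is vault:vault (formerly chowned at runtime by entrypoint.sh)` above the RUN line. Moving the mkdir and chown from the entrypoint into the image build also means the ownership is baked into the image layer only; if /vault/config is provided by a bind mount at runtime (not visible here), that mount keeps the host's ownership and the former runtime chown no longer covers it. Any USER instruction for this image is outside the hunk, so I cannot tell from here whether this container itself runs as non-root.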
@@ -24,27 +24,21 @@ if [ -n "${SECRETSTORE_SETUP_DONE_FLAG}" ] && [ -f "${SECRETSTORE_SETUP_DONE_FLA
 rm -f "${SECRETSTORE_SETUP_DONE_FLAG}"
 fi
 
-echo "creating /vault/config/assets"
+echo "Starting vault-worker..."
 
-# create token directory and
-# grant permissions of folders for vault:vault
-mkdir -p /vault/config/assets
-chown -Rh 100:1000 /vault/
-
-echo "starting vault-worker..."
-
-echo "Initializing secret store"
+echo "Initializing secret store..."
 /security-secretstore-setup --vaultInterval=10
 
-echo "Executing custom command: $@"
-"$@"
-
 # write a sentinel file when we're done because consul is not
 # secure and we don't trust it it access to the EdgeX secret store
 if [ -n "${SECRETSTORE_SETUP_DONE_FLAG}" ]; then
+
+ echo "Changing ownership of secrets to edgex_user:edgex_group"
+ chown -R ${EDGEX_USER}:${EDGEX_GROUP} /tmp/edgex/secrets
+
 echo "Signaling secretstore-setup completion"
- mkdir -p $(dirname "${SECRETSTORE_SETUP_DONE_FLAG}")
- touch "${SECRETSTORE_SETUP_DONE_FLAG}"
+ mkdir -p $(dirname "${SECRETSTORE_SETUP_DONE_FLAG}") && \
+ touch "${SECRETSTORE_SETUP_DONE_FLAG}"
 fi
 
 echo "Waiting for termination signal"
diff --git a/cmd/support-notifications/Dockerfile b/cmd/support-notifications/Dockerfile
index d38097feef..60d8c18b15 100644
--- a/cmd/support-notifications/Dockerfile
+++ b/cmd/support-notifications/Dockerfile
@@ -49,5 +49,6 @@ COPY --from=builder /etc/ssl /etc/ssl
 COPY --from=builder /edgex-go/cmd/support-notifications/Attribution.txt /
 COPY --from=builder /edgex-go/cmd/support-notifications/support-notifications /
 COPY --from=builder /edgex-go/cmd/support-notifications/res/configuration.toml /res/configuration.toml
+
 ENTRYPOINT ["/support-notifications"]
 CMD ["-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"]
diff --git a/cmd/support-scheduler/Dockerfile b/cmd/support-scheduler/Dockerfile
index 01cdf29289..59fd326ee2 100644
--- a/cmd/support-scheduler/Dockerfile
+++ b/cmd/support-scheduler/Dockerfile
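Review bot: The new `chown -R ${EDGEX_USER}:${EDGEX_GROUP} /tmp/edgex/secrets` inside the sentinel block guards neither variable and quotes neither expansion, so with an unset or empty EDGEX_USER or EDGEX_GROUP the command degrades to `chown -R : …` or `chown -R :group …` (a no-op or group-only change, depending on the chown implementation) and the sentinel is still written, telling downstream services that setup succeeded while the secrets may still be root-owned. Unlike the Dockerfile hunk in this same commit, which uses `-Rh` on /vault/, this recursive chown omits `-h`, so a symlink under /tmp/edgex/secrets would have its target re-owned rather than the link itself. Whether the script runs under `set -e` is decided above line 24, outside the hunk, so the failure should be handled explicitly: `: "${EDGEX_USER:?EDGEX_USER must be set}" "${EDGEX_GROUP:?EDGEX_GROUP must be set}"` followed by `chown -Rh "${EDGEX_USER}:${EDGEX_GROUP}" /tmp/edgex/secrets || exit 1`, so a failed ownership change never reaches the sentinel `touch`.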
@@ -47,5 +47,6 @@ EXPOSE $APP_PORT
 COPY --from=builder /edgex-go/cmd/support-scheduler/Attribution.txt /
 COPY --from=builder /edgex-go/cmd/support-scheduler/support-scheduler /
 COPY --from=builder /edgex-go/cmd/support-scheduler/res/configuration.toml /res/configuration.toml
+
 ENTRYPOINT ["/support-scheduler"]
 CMD ["-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"]
\ No newline at end of file