From 5a144a26f9c6d0708e84bf594156f1b4b7632628 Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier
Date: Thu, 17 Jan 2019 08:13:11 +0100
Subject: [PATCH] fickit/rsync: increase overall security

---
 fickit-backend.yml | 12 ++++++------
 fickit-frontend.yml | 7 +++----
 fickit-pkg/rsync/Dockerfile | 1 -
 fickit-pkg/rsync/build.yml | 9 +++++++++
 4 files changed, 18 insertions(+), 11 deletions(-)

diff --git a/fickit-backend.yml b/fickit-backend.yml
index 0605bc9f..2ecb5d4f 100644
--- a/fickit-backend.yml
+++ b/fickit-backend.yml
@@ -193,7 +193,7 @@ services:
 - /var/lib/fic/teams
 - /var/lib/fic/settings
 - name: fic-synchro
- image: nemunaire/rsync:416df0e1fe1562d5d1c63461dacd1267b47a4f05
+ image: nemunaire/rsync:f8cc6e42fd8ae44d5b6e77fa71850e5cb36892a4
 command: ["/bin/ash", "/root/synchro.sh"]
 binds:
 - /etc/hosts:/etc/hosts:ro
@@ -206,9 +206,6 @@ services:
 - /var/lib/fic/submissions:/srv/submissions
 - /var/lib/fic/teams:/srv/TEAMS:ro
 net: /run/netns/synchro
- pid: new
- ipc: new
- uts: new
 runtime:
 mkdir:
 - /var/lib/fic/files
@@ -217,13 +214,16 @@ services:
 - /var/lib/fic/submissions
 - /var/lib/fic/teams
 - name: sshd
- image: nemunaire/rsync:416df0e1fe1562d5d1c63461dacd1267b47a4f05
+ image: nemunaire/rsync:ca312b09a5048c165cf727660b7755f001d17650
 binds:
 - /etc/hosts:/etc/hosts:ro
- - /root/.ssh/authorized_keys:/root/.ssh/authorized_keys:ro
+ - /root/.ssh/:/root/.ssh/:ro
 - /var/lib/fic/outofsync:/var/lib/fic/outofsync
 - /var/lib/fic/raw_files:/mnt/fic
+ capabilities:
+ - all
 net: /run/netns/fic-admin
+ pid: host
 runtime:
 mkdir:
 - /var/lib/fic/outofsync
diff --git a/fickit-frontend.yml b/fickit-frontend.yml
index 8dde59a4..8cac0b6f 100644
--- a/fickit-frontend.yml
+++ b/fickit-frontend.yml
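Review bot: The backend sshd service is given `capabilities: - all` and `pid: host` in this hunk, which for an rsync-over-sshd endpoint is the opposite of least privilege: root in the host pid namespace holding CAP_SYS_PTRACE and CAP_SYS_ADMIN can reach every other process through `/proc/<pid>/root` and `nsenter`, so compromising this service compromises the host. This may only make explicit what the removed Dockerfile LABEL already granted the image implicitly, but the image's new `build.yml` narrows the default to `CAP_NET_BIND_SERVICE` and `pid: new`, and nothing in the diff says why the backend sshd needs more than the frontend sshd, which gets no `pid: host`. I would drop `pid: host`, replace `- all` with the explicit capabilities sshd and rsync need here (`CAP_NET_BIND_SERVICE`, `CAP_SETUID`, `CAP_SETGID`, `CAP_SYS_CHROOT`, plus whatever ownership capabilities the writes under `/mnt/fic` and `/var/lib/fic/outofsync` turn out to require), and leave a comment such as `# sshd privsep: setuid/setgid/chroot; rsync: chown on /mnt/fic` next to the list. Widening the bind from `authorized_keys` to all of `/root/.ssh/` also exposes whatever private keys the host keeps there to the sshd container (the frontend's `authorized_keys` is the host's `id_synchro.pub`, so the matching private key presumably lives in that directory); bind `authorized_keys` and the host key files individually if that is all sshd reads. Separately, fic-synchro now pins `nemunaire/rsync:f8cc6e42…` while both sshd services pin `ca312b09…`; if the two builds are not meant to differ, align the tags.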
@@ -164,7 +164,9 @@ services:
 - /var/lib/fic/submissions
 - /var/lib/fic/teams
 - name: sshd
- image: nemunaire/rsync:416df0e1fe1562d5d1c63461dacd1267b47a4f05
+ image: nemunaire/rsync:ca312b09a5048c165cf727660b7755f001d17650
+ capabilities:
+ - all
 binds:
 - /etc/hosts:/etc/hosts:ro
 - /root/.ssh/id_synchro.pub:/root/.ssh/authorized_keys:ro
@@ -174,9 +176,6 @@ services:
 - /var/lib/fic/submissions:/srv/submissions
 - /var/lib/fic/teams:/srv/TEAMS
 net: /run/netns/sshd
- pid: new
- ipc: new
- uts: new
 runtime:
 mkdir:
 - /var/lib/fic/files
diff --git a/fickit-pkg/rsync/Dockerfile b/fickit-pkg/rsync/Dockerfile
index 362c7568..6f68310e 100644
--- a/fickit-pkg/rsync/Dockerfile
+++ b/fickit-pkg/rsync/Dockerfile
@@ -23,4 +23,3 @@ COPY etc/ /etc/
 COPY usr/ /usr/
 RUN mkdir -p /etc/ssh /root/.ssh && chmod 0700 /root/.ssh
 CMD ["/sbin/tini", "/usr/bin/ssh.sh"]
-LABEL org.mobyproject.config='{"pid": "host", "binds": ["/root/.ssh:/root/.ssh", "/etc/resolv.conf:/etc/resolv.conf", "/run:/run", "/tmp:/tmp", "/etc:/hostroot/etc", "/usr/bin/ctr:/usr/bin/ctr", "/usr/bin/runc:/usr/bin/runc", "/containers:/containers","/var/log:/var/log","/dev:/dev","/sys:/sys"], "capabilities": ["all"]}'
diff --git a/fickit-pkg/rsync/build.yml b/fickit-pkg/rsync/build.yml
index d0475dbd..60dff986 100644
--- a/fickit-pkg/rsync/build.yml
+++ b/fickit-pkg/rsync/build.yml
@@ -1,2 +1,11 @@
 image: rsync
 network: true
+config:
+ binds:
+ - /root/.ssh:/root/.ssh
+ - /etc/resolv.conf:/etc/resolv.conf
+ capabilities:
+ - CAP_NET_BIND_SERVICE
+ pid: new
+ ipc: new
+ uts: new
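Review bot: `capabilities: - all` is added to the frontend sshd here although the same patch restricts the rsync image's default to `CAP_NET_BIND_SERVICE` in `build.yml`, so this per-service override grants far more than the image author intended and more than an sshd serving rsync into `/srv` plausibly needs. This is the container the backend's synchro key logs into (its `authorized_keys` is the host's `id_synchro.pub`), so a leaked or stolen backend key would yield a fully capable root shell on the frontend. Replace `- all` with the explicit set that makes sshd work — typically `CAP_NET_BIND_SERVICE`, `CAP_SETUID`, `CAP_SETGID`, `CAP_SYS_CHROOT`, adding `CAP_CHOWN`/`CAP_FOWNER`/`CAP_DAC_OVERRIDE` only if rsync's ownership and permission preservation into `/srv` demands them — and put a comment next to the list saying why each is present. The enclosing `services:` entry continues past this hunk.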
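Review bot: The two image-level binds `/root/.ssh:/root/.ssh` and `/etc/resolv.conf:/etc/resolv.conf` are mounted read-write, whereas the service files mount `/etc/hosts` and the sshd `authorized_keys` with `:ro`; a process in a container built from this image could therefore rewrite the host root account's `authorized_keys` or redirect the host's DNS resolution. Unless `synchro.sh` must write under `/root/.ssh` (for example to record `known_hosts`), make them `- /root/.ssh:/root/.ssh:ro` and `- /etc/resolv.conf:/etc/resolv.conf:ro`, and if a `known_hosts` write is needed, bind only that file read-write. The narrowing to `CAP_NET_BIND_SERVICE` with `pid: new`/`ipc: new`/`uts: new` is the right default, but both `fickit-*.yml` sshd entries in this patch override it with `capabilities: all`, so it only protects fic-synchro; a comment here such as `# minimum for the image: bind :22 only — services must justify anything wider` would make such overrides stand out in future reviews.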