From d02985d21303f3ba2ae280a2690e0cd000c19b17 Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Sat, 15 May 2021 21:08:35 +0200
Subject: [PATCH] check permissions for missing volumes and add comment about permissions on examples

---
 entrypoint/permissions-swarm.sh | 26 +++++++++++++++--
 entrypoint/permissions.sh | 28 +++++++++++++++----
 examples/autoconf-php/docker-compose.yml | 2 ++
 .../autoconf-reverse-proxy/docker-compose.yml | 2 ++
 .../basic-website-with-php/docker-compose.yml | 2 ++
 examples/behind-traefik/docker-compose.yml | 2 ++
 examples/certbot-wildcard/docker-compose.yml | 2 ++
 examples/crowdsec/docker-compose.yml | 2 ++
 examples/ghost/docker-compose.yml | 2 ++
 examples/joomla/docker-compose.yml | 2 ++
 examples/load-balancer/docker-compose.yml | 2 ++
 examples/moodle/docker-compose.yml | 2 ++
 examples/multisite-basic/docker-compose.yml | 2 ++
 .../docker-compose.yml | 2 ++
 .../docker-compose.yml | 2 ++
 examples/nextcloud/docker-compose.yml | 2 ++
 examples/passbolt/docker-compose.yml | 2 ++
 examples/redmine/docker-compose.yml | 2 ++
 .../docker-compose.yml | 2 ++
 .../docker-compose.yml | 2 ++
 .../docker-compose.yml | 2 ++
 examples/swarm/stack.yml | 4 +++
 examples/tomcat/docker-compose.yml | 2 ++
 .../tor-hidden-service/docker-compose.yml | 2 ++
 examples/web-ui/docker-compose.yml | 2 ++
 examples/wordpress/docker-compose.yml | 2 ++
 26 files changed, 97 insertions(+), 7 deletions(-)

diff --git a/entrypoint/permissions-swarm.sh b/entrypoint/permissions-swarm.sh
index c524d17..a6ba278 100644
--- a/entrypoint/permissions-swarm.sh
+++ b/entrypoint/permissions-swarm.sh
@@ -12,14 +12,36 @@ if [ ! -r "/www" ] || [ ! -x "/www" ] ; then exit 2 fi +# /modsec-confs +if [ ! -r "/modsec-confs" ] || [ ! -x "/modsec-confs" ] ; then + echo "[!] ERROR - wrong permissions on /modsec-confs" + exit 3 +fi +# /modsec-crs-confs +if [ ! -r "/modsec-crs-confs" ] || [ ! -x "/modsec-crs-confs" ] ; then + echo "[!] ERROR - wrong permissions on /modsec-crs-confs" + exit 4 +fi +# /server-confs +if [ ! -r "/server-confs" ] || [ ! -x "/server-confs" ] ; then + echo "[!] ERROR - wrong permissions on /server-confs" + exit 5 +fi +# /http-confs +if [ ! -r "/http-confs" ] || [ ! -x "/http-confs" ] ; then + echo "[!] ERROR - wrong permissions on /http-confs" + exit 6 +fi + # /etc/nginx if [ ! -r "/etc/nginx" ] || [ ! -x "/etc/nginx" ] ; then echo "[!] ERROR - wrong permissions on /etc/nginx" - exit 3 + exit 7 fi # /acme-challenge if [ ! -r "/acme-challenge" ] || [ ! -x "/acme-challenge" ] ; then echo "[!] ERROR - wrong permissions on /acme-challenge" - exit 4 + exit 8 fi + diff --git a/entrypoint/permissions.sh b/entrypoint/permissions.sh index 35aba2f..54d2771 100644 --- a/entrypoint/permissions.sh +++ b/entrypoint/permissions.sh @@ -2,7 +2,7 @@ # /etc/letsencrypt if [ ! -w "/etc/letsencrypt" ] || [ ! -r "/etc/letsencrypt" ] || [ ! -x "/etc/letsencrypt" ] ; then - echo "[!] WARNING - wrong permissions on /etc/letsencrypt" + echo "[!] ERROR - wrong permissions on /etc/letsencrypt" exit 1 fi 
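Review bot: The four new checks in permissions-swarm.sh (and the identical block added to permissions.sh in the next hunk) cannot tell a missing directory from one with wrong permissions: `[ ! -r "/modsec-confs" ]` is also true when the path does not exist, so an unmounted volume is reported as "wrong permissions" and sends the operator toward chmod/chown instead of the missing mount. Testing `-d` first with its own message fixes the diagnosis, and since the four blocks differ only in path and exit code, a small helper removes the duplication and keeps the exit-code numbering in one place. Renumbering the /etc/nginx and /acme-challenge exits from 3/4 to 7/8 is a visible behaviour change for anything that inspects this script's status; it deserves a line in the commit message or a comment at the top of the file. Whether the image ships empty /modsec-confs, /modsec-crs-confs, /server-confs and /http-confs when no volume is mounted is not visible here; if it does not, these checks turn optional volumes into mandatory ones.
```shell
# check_dir PATH EXIT_CODE: the entrypoint needs read+traverse on PATH
check_dir() {
  if [ ! -d "$1" ] ; then
    echo "[!] ERROR - $1 is missing (volume not mounted ?)"
    exit "$2"
  fi
  if [ ! -r "$1" ] || [ ! -x "$1" ] ; then
    echo "[!] ERROR - wrong permissions on $1"
    exit "$2"
  fi
}
check_dir /modsec-confs 3
check_dir /modsec-crs-confs 4
check_dir /server-confs 5
check_dir /http-confs 6
# … unchanged: /etc/nginx and /acme-challenge checks (now exit 7 and 8) …
```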
@@ -12,18 +12,36 @@ if [ -f "/usr/sbin/nginx" ] ; then echo "[!] ERROR - wrong permissions on /www" exit 2 fi - + # /modsec-confs + if [ ! -r "/modsec-confs" ] || [ ! -x "/modsec-confs" ] ; then + echo "[!] ERROR - wrong permissions on /modsec-confs" + exit 3 + fi + # /modsec-crs-confs + if [ ! -r "/modsec-crs-confs" ] || [ ! -x "/modsec-crs-confs" ] ; then + echo "[!] ERROR - wrong permissions on /modsec-crs-confs" + exit 4 + fi + # /server-confs + if [ ! -r "/server-confs" ] || [ ! -x "/server-confs" ] ; then + echo "[!] ERROR - wrong permissions on /server-confs" + exit 5 + fi + # /http-confs + if [ ! -r "/http-confs" ] || [ ! -x "/http-confs" ] ; then + echo "[!] ERROR - wrong permissions on /http-confs" + exit 6 + fi fi # /acme-challenge if [ ! -w "/acme-challenge" ] || [ ! -r "/acme-challenge" ] || [ ! -x "/acme-challenge" ] ; then echo "[!] ERROR - wrong permissions on /acme-challenge" - exit 3 + exit 7 fi # /etc/nginx if [ ! -w "/etc/nginx" ] || [ ! -r "/etc/nginx" ] || [ ! -x "/etc/nginx" ] ; then echo "[!] ERROR - wrong permissions on /etc/nginx" - exit 4 + exit 8 fi - diff --git a/examples/autoconf-php/docker-compose.yml b/examples/autoconf-php/docker-compose.yml index 637ae6e..f061ded 100644 --- a/examples/autoconf-php/docker-compose.yml +++ b/examples/autoconf-php/docker-compose.yml @@ -8,6 +8,8 @@ services: ports: - 80:8080 - 443:8443 + # bunkerized-nginx runs as an unprivileged user with UID/GID 101 + # don't forget to edit the permissions of the files and folders accordingly volumes: - ./letsencrypt:/etc/letsencrypt - ./web-files:/www:ro diff --git a/examples/autoconf-reverse-proxy/docker-compose.yml b/examples/autoconf-reverse-proxy/docker-compose.yml index 0b75e24..6e30c97 100644 --- a/examples/autoconf-reverse-proxy/docker-compose.yml +++ b/examples/autoconf-reverse-proxy/docker-compose.yml 
@@ -8,6 +8,8 @@ services: ports: - 80:8080 - 443:8443 + # bunkerized-nginx runs as an unprivileged user with UID/GID 101 + # don't forget to edit the permissions of the files and folders accordingly volumes: - ./letsencrypt:/etc/letsencrypt - autoconf:/etc/nginx diff --git a/examples/basic-website-with-php/docker-compose.yml b/examples/basic-website-with-php/docker-compose.yml index 2eefc91..9ddb052 100644 --- a/examples/basic-website-with-php/docker-compose.yml +++ b/examples/basic-website-with-php/docker-compose.yml @@ -8,6 +8,8 @@ services: ports: - 80:8080 - 443:8443 + # bunkerized-nginx runs as an unprivileged user with UID/GID 101 + # don't forget to edit the permissions of the files and folders accordingly volumes: - ./web-files:/www:ro - ./letsencrypt:/etc/letsencrypt diff --git a/examples/behind-traefik/docker-compose.yml b/examples/behind-traefik/docker-compose.yml index f9ee463..7a1a8bc 100644 --- a/examples/behind-traefik/docker-compose.yml +++ b/examples/behind-traefik/docker-compose.yml @@ -8,6 +8,8 @@ services: ports: - 80:80 - 443:443 + # bunkerized-nginx runs as an unprivileged user with UID/GID 101 + # don't forget to edit the permissions of the files and folders accordingly volumes: - /var/run/docker.sock:/var/run/docker.sock - ./traefik/traefik.toml:/traefik.toml diff --git a/examples/certbot-wildcard/docker-compose.yml b/examples/certbot-wildcard/docker-compose.yml index 1176c81..a7e8075 100644 --- a/examples/certbot-wildcard/docker-compose.yml +++ b/examples/certbot-wildcard/docker-compose.yml @@ -8,6 +8,8 @@ services: ports: - 80:8080 - 443:8443 + # bunkerized-nginx runs as an unprivileged user with UID/GID 101 + # don't forget to edit the permissions of the files and folders accordingly volumes: - ./web-files:/www:ro - ./letsencrypt:/letsencrypt:ro diff --git a/examples/crowdsec/docker-compose.yml b/examples/crowdsec/docker-compose.yml index 56fff61..b2080d5 100644 --- a/examples/crowdsec/docker-compose.yml 
+++ b/examples/crowdsec/docker-compose.yml @@ -8,6 +8,8 @@ services: ports: - 80:8080 - 443:8443 + # bunkerized-nginx runs as an unprivileged user with UID/GID 101 + # don't forget to edit the permissions of the files and folders accordingly volumes: - ./web-files:/www:ro - ./letsencrypt:/etc/letsencrypt diff --git a/examples/ghost/docker-compose.yml b/examples/ghost/docker-compose.yml index 25c6812..4b7f2a7 100644 --- a/examples/ghost/docker-compose.yml +++ b/examples/ghost/docker-compose.yml @@ -8,6 +8,8 @@ services: ports: - 80:8080 - 443:8443 + # bunkerized-nginx runs as an unprivileged user with UID/GID 101 + # don't forget to edit the permissions of the files and folders accordingly volumes: - ./letsencrypt:/etc/letsencrypt environment: diff --git a/examples/joomla/docker-compose.yml b/examples/joomla/docker-compose.yml index c905c54..1e7786b 100644 --- a/examples/joomla/docker-compose.yml +++ b/examples/joomla/docker-compose.yml @@ -8,6 +8,8 @@ services: ports: - 80:8080 - 443:8443 + # bunkerized-nginx runs as an unprivileged user with UID/GID 101 + # don't forget to edit the permissions of the files and folders accordingly volumes: - ./joomla-files:/www:ro - ./letsencrypt:/etc/letsencrypt diff --git a/examples/load-balancer/docker-compose.yml b/examples/load-balancer/docker-compose.yml index 8f575f7..4cfe8ea 100644 --- a/examples/load-balancer/docker-compose.yml +++ b/examples/load-balancer/docker-compose.yml @@ -8,6 +8,8 @@ services: ports: - 80:8080 - 443:8443 + # bunkerized-nginx runs as an unprivileged user with UID/GID 101 + # don't forget to edit the permissions of the files and folders accordingly volumes: - ./letsencrypt:/etc/letsencrypt - ./http-confs:/http-confs:ro diff --git a/examples/moodle/docker-compose.yml b/examples/moodle/docker-compose.yml index 5c10089..d8cca00 100644 --- a/examples/moodle/docker-compose.yml +++ b/examples/moodle/docker-compose.yml 
@@ -8,6 +8,8 @@ services: ports: - 80:8080 - 443:8443 + # bunkerized-nginx runs as an unprivileged user with UID/GID 101 + # don't forget to edit the permissions of the files and folders accordingly volumes: - ./letsencrypt:/etc/letsencrypt environment: diff --git a/examples/multisite-basic/docker-compose.yml b/examples/multisite-basic/docker-compose.yml index ce8a784..135c0dc 100644 --- a/examples/multisite-basic/docker-compose.yml +++ b/examples/multisite-basic/docker-compose.yml @@ -8,6 +8,8 @@ services: ports: - 80:8080 - 443:8443 + # bunkerized-nginx runs as an unprivileged user with UID/GID 101 + # don't forget to edit the permissions of the files and folders accordingly volumes: - ./web-files:/www:ro - ./letsencrypt:/etc/letsencrypt diff --git a/examples/multisite-custom-server-confs/docker-compose.yml b/examples/multisite-custom-server-confs/docker-compose.yml index 4cbe851..6c1b080 100644 --- a/examples/multisite-custom-server-confs/docker-compose.yml +++ b/examples/multisite-custom-server-confs/docker-compose.yml @@ -8,6 +8,8 @@ services: ports: - 80:8080 - 443:8443 + # bunkerized-nginx runs as an unprivileged user with UID/GID 101 + # don't forget to edit the permissions of the files and folders accordingly volumes: - ./web-files:/www:ro - ./letsencrypt:/etc/letsencrypt diff --git a/examples/multisite-custom-subfolders/docker-compose.yml b/examples/multisite-custom-subfolders/docker-compose.yml index 014b875..b741730 100644 --- a/examples/multisite-custom-subfolders/docker-compose.yml +++ b/examples/multisite-custom-subfolders/docker-compose.yml @@ -8,6 +8,8 @@ services: ports: - 80:8080 - 443:8443 + # bunkerized-nginx runs as an unprivileged user with UID/GID 101 + # don't forget to edit the permissions of the files and folders accordingly volumes: - ./apps:/www:ro - ./letsencrypt:/etc/letsencrypt diff --git a/examples/nextcloud/docker-compose.yml b/examples/nextcloud/docker-compose.yml index a9679bd..aa2767e 100644 
--- a/examples/nextcloud/docker-compose.yml +++ b/examples/nextcloud/docker-compose.yml @@ -8,6 +8,8 @@ services: ports: - 80:8080 - 443:8443 + # bunkerized-nginx runs as an unprivileged user with UID/GID 101 + # don't forget to edit the permissions of the files and folders accordingly volumes: - ./nc-files:/www:ro - ./letsencrypt:/etc/letsencrypt diff --git a/examples/passbolt/docker-compose.yml b/examples/passbolt/docker-compose.yml index f996604..2813a0f 100644 --- a/examples/passbolt/docker-compose.yml +++ b/examples/passbolt/docker-compose.yml @@ -8,6 +8,8 @@ services: ports: - 80:8080 - 443:8443 + # bunkerized-nginx runs as an unprivileged user with UID/GID 101 + # don't forget to edit the permissions of the files and folders accordingly volumes: - ./letsencrypt:/etc/letsencrypt - ./modsec-crs-confs:/modsec-crs-confs:ro # disable some false positive diff --git a/examples/redmine/docker-compose.yml b/examples/redmine/docker-compose.yml index 6cf94ff..39ed533 100644 --- a/examples/redmine/docker-compose.yml +++ b/examples/redmine/docker-compose.yml @@ -8,6 +8,8 @@ services: ports: - 80:8080 - 443:8443 + # bunkerized-nginx runs as an unprivileged user with UID/GID 101 + # don't forget to edit the permissions of the files and folders accordingly volumes: - ./letsencrypt:/etc/letsencrypt environment: diff --git a/examples/reverse-proxy-multisite/docker-compose.yml b/examples/reverse-proxy-multisite/docker-compose.yml index cba11ad..bc273c7 100644 --- a/examples/reverse-proxy-multisite/docker-compose.yml +++ b/examples/reverse-proxy-multisite/docker-compose.yml @@ -8,6 +8,8 @@ services: ports: - 80:8080 - 443:8443 + # bunkerized-nginx runs as an unprivileged user with UID/GID 101 + # don't forget to edit the permissions of the files and folders accordingly volumes: - ./letsencrypt:/etc/letsencrypt environment: diff --git a/examples/reverse-proxy-singlesite/docker-compose.yml b/examples/reverse-proxy-singlesite/docker-compose.yml index ffbf829..41daf2d 100644 
--- a/examples/reverse-proxy-singlesite/docker-compose.yml +++ b/examples/reverse-proxy-singlesite/docker-compose.yml @@ -8,6 +8,8 @@ services: ports: - 80:8080 - 443:8443 + # bunkerized-nginx runs as an unprivileged user with UID/GID 101 + # don't forget to edit the permissions of the files and folders accordingly volumes: - ./letsencrypt:/etc/letsencrypt - ./server-confs:/server-confs:ro # redirect /app1 and /app2 to /app1/ and /app2/ diff --git a/examples/reverse-proxy-websocket/docker-compose.yml b/examples/reverse-proxy-websocket/docker-compose.yml index fb8abbf..349d9f9 100644 --- a/examples/reverse-proxy-websocket/docker-compose.yml +++ b/examples/reverse-proxy-websocket/docker-compose.yml @@ -8,6 +8,8 @@ services: ports: - 80:8080 - 443:8443 + # bunkerized-nginx runs as an unprivileged user with UID/GID 101 + # don't forget to edit the permissions of the files and folders accordingly volumes: - ./letsencrypt:/etc/letsencrypt environment: diff --git a/examples/swarm/stack.yml b/examples/swarm/stack.yml index 6199dc8..f803f62 100644 --- a/examples/swarm/stack.yml +++ b/examples/swarm/stack.yml @@ -4,6 +4,8 @@ services: autoconf: image: bunkerity/bunkerized-nginx-autoconf + # bunkerized-nginx runs as an unprivileged user with UID/GID 101 + # don't forget to edit the permissions of the files and folders accordingly volumes: - /var/run/docker.sock:/var/run/docker.sock:ro - /shared/confs:/etc/nginx @@ -31,6 +33,8 @@ services: target: 8443 mode: host protocol: tcp + # bunkerized-nginx runs as an unprivileged user with UID/GID 101 + # don't forget to edit the permissions of the files and folders accordingly volumes: - /shared/confs:/etc/nginx - /shared/letsencrypt:/etc/letsencrypt:ro diff --git a/examples/tomcat/docker-compose.yml b/examples/tomcat/docker-compose.yml index 8584f27..690e6ad 100644 --- a/examples/tomcat/docker-compose.yml +++ b/examples/tomcat/docker-compose.yml 
@@ -8,6 +8,8 @@ services: ports: - 80:8080 - 443:8443 + # bunkerized-nginx runs as an unprivileged user with UID/GID 101 + # don't forget to edit the permissions of the files and folders accordingly volumes: - ./letsencrypt:/etc/letsencrypt environment: diff --git a/examples/tor-hidden-service/docker-compose.yml b/examples/tor-hidden-service/docker-compose.yml index 261e64e..1c56fbf 100644 --- a/examples/tor-hidden-service/docker-compose.yml +++ b/examples/tor-hidden-service/docker-compose.yml @@ -14,6 +14,8 @@ services: mywww: image: bunkerity/bunkerized-nginx restart: always + # bunkerized-nginx runs as an unprivileged user with UID/GID 101 + # don't forget to edit the permissions of the files and folders accordingly volumes: - ./web-files:/www:ro environment: diff --git a/examples/web-ui/docker-compose.yml b/examples/web-ui/docker-compose.yml index 8f90363..8eda5a7 100644 --- a/examples/web-ui/docker-compose.yml +++ b/examples/web-ui/docker-compose.yml @@ -8,6 +8,8 @@ services: ports: - 80:8080 - 443:8443 + # bunkerized-nginx runs as an unprivileged user with UID/GID 101 + # don't forget to edit the permissions of the files and folders accordingly volumes: - ./letsencrypt:/etc/letsencrypt - ./web-files:/www:ro diff --git a/examples/wordpress/docker-compose.yml b/examples/wordpress/docker-compose.yml index b8b463e..81985d1 100644 --- a/examples/wordpress/docker-compose.yml +++ b/examples/wordpress/docker-compose.yml @@ -8,6 +8,8 @@ services: ports: - 80:8080 - 443:8443 + # bunkerized-nginx runs as an unprivileged user with UID/GID 101 + # don't forget to edit the permissions of the files and folders accordingly volumes: - ./wp-files:/www:ro - ./letsencrypt:/etc/letsencrypt