Fossil

Differences From Artifact [9db6e72a16]:

• File Dockerfile — part of check-in [ba21bc0b8f] at 2022-08-14 19:42:21 on branch trunk — Fossil's chroot feature drops root permissions based on file ownership, but since the container was built with everything-root, its HTTP hit handling children would run as whatever host-side UID/GID pair you used for file ownership. What happened next was complex. If you let the container create the repo internally, it would be owned as root, so it would drop root permissions for…root! This isn't super-bad, since Fossil is presumed secure and is double-jailed besides. The risk is, if anyone works out an RCE for Fossil, they might be able to get it to create raw sockets or do various other types of escapes despite the double-jail dance. Attaching a Docker volume brings external permisssions into the container. We were recommending a "chown 0" command on the shared volume to make it similar to the in-container case, but that opens you to the same risks above. If you ignored this and used host-side UID/GID pairs, Fossil would then be left running under IDs that didn't exist internally, which could cause assorted weirdness. We're now creating an explicit "fossil" user/group pair inside the container and recommending that Docker volumes use these IDs for copied-in files to batten down something that shouldn't've been left flapping. Updated build.wiki to cover all this. (user: wyoung size: 2544)

To Artifact [f54c7bc341]:

• File Dockerfile — part of check-in [00cc9c3eb1] at 2022-08-14 19:53:10 on branch trunk — The chown -R bit added to the Dockerfile touches /jail/bin/fossil, which causes "docker build" to promote it back into a new layer, nearly doubling the container size. Doing a chown now only on two directories, restoring it to its sub-9M size. (user: wyoung size: 2548)

32
33
34
35
36
37
38
39

40
41
42
43
44
45
46

32
33
34
35
36
37
38

39
40
41
42
43
44
45
46

-
+

RUN mkdir -m 700 dev museum                                            \
    && mknod -m 600 dev/null    c 1 3                                  \
    && mknod -m 600 dev/urandom c 1 9                                  \
    && echo 'root:x:0:0:Fossil Init:/:/bin/nologin' > /etc/passwd      \
    && echo 'root:x:0:root'                         > /etc/group       \
    && addgroup -g ${UID} fossil                                       \
    && adduser -h `pwd` -g 'Fossil User' -G fossil -u ${UID} -S fossil \
    && chown -R fossil:fossil .
    && chown fossil:fossil . museum

# Now we can run the stripped-down environment in a chroot jail, while
# leaving open the option to debug it live via the Busybox shell.
#
# Implicit: We don't set USER here on purpose because we want Fossil to
# start as root so it can chroot itself away inside /jail.  Since that's
# owned by the special fossil user, it drops root privileges for that