
[Feature] non-privileged user in Docker build #684

Open
piramiday opened this issue Jul 23, 2020 · 7 comments
Labels: bounty (This issue has a bounty on it in the OpenCollective), feature request

Comments

@piramiday

Is your feature request related to a problem? Please describe.
at present, stash is running as root in the Docker container.

Describe the solution you'd like
ideally, a new non-privileged user should be created to execute stash, so that root permissions are dropped asap.

a non-root user for stash would agree with best practices and provide tighter security.
if possible, it would be great to be able to control both UID and GID of any created file.

@virusperfect

I would love to see that feature as well. Either by allowing the --user option or by having environment variables PUID and PGID.

@jgramling17

Can be potentially solved by the following:

```yaml
services:
  stash:
    command: stash --config /config/config.yml
    ...
    environment:
      - USER=user      # user name the process reports for itself
      - HOME=/config   # point HOME at the writable config volume
    ...
    user: 1000:1000    # run the container process as uid:gid instead of root
    ...
```

I used this and it worked for a lot of use cases. There are some things that don't work when stash uses/edits system files that are owned by root.

Would love to see native support for this.

@virusperfect

I am using hotio/stash and it works great with the PUID and PGID variables.

@DogmaDragon
Collaborator

> I am using hotio/stash and it works great with the PUID and PGID variables.

While that's an option, it's known to cause issues from time to time so use at your own risk.

@ikmckenz
Contributor

ikmckenz commented Jan 4, 2024

Added a $20 bounty to this issue on OpenCollective.

WithoutPants added the label bounty (This issue has a bounty on it in the OpenCollective) on Jan 8, 2024
@WithoutPants
Collaborator

$20 bounty assigned (txn number 725161)

@jgramling17

I believe this causes issues with any scrapers that use py_common.

I received this in the logs during an attempted scrape:

```text
scrapeSceneURL: input: scrapeSceneURL could not unmarshal json from script output: EOF
could not unmarshal json from script output: EOF
[Scrape / ManyVids] You need to install the python modules mentioned in requirements.txt
[Scrape / ManyVids] If you have pip (normally installed with python), run this command in a terminal from the directory the scraper is located: pip install -r requirements.txt
```

If you try and run the pip install -r requirements.txt command like it suggests, you will receive this error:

```text
WARNING: The directory '/.cache/pip' or its parent directory is not owned or is not writable by the current user. The cache has been disabled. Check the permissions and owner of that directory. If executing pip with sudo, you should use sudo's -H flag.
```

TL;DR I think stash can't create the '/.cache/pip' directory without being root
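The compose `user:` workaround earlier in the thread and the pip cache failure in the last comment come down to the same two things: which uid/gid the process runs as, and whether it has a HOME it can write (pip caches under `$HOME/.cache/pip`, and with an empty HOME that collapses to the root-owned `/.cache/pip` named in the warning). The entrypoint script below is a constructed example added here, not stash's own image code: it reads PUID/PGID like the hotio image does, validates them, points HOME and PIP_CACHE_DIR at the config volume, and drops root before exec'ing the server. It assumes the config volume is mounted at `/config` (overridable via a hypothetical `STASH_CONFIG_DIR`) and that one of `su-exec`, `gosu` or `setpriv` is installed in the image.

```shell
#!/bin/sh
# Constructed example entrypoint for a stash container image (not stash's own code).
# Honours PUID/PGID, gives the process a writable HOME, and drops root before exec.
# Assumptions: config volume at /config (override with STASH_CONFIG_DIR) and one of
# su-exec, gosu or setpriv present in the image.
set -eu

# Print VALUE if it is a non-negative integer; otherwise warn on stderr and print DEFAULT.
resolve_id() {
  name=$1 value=$2 default=$3
  case "$value" in
    ''|*[!0-9]*)
      echo "entrypoint: $name='$value' is not numeric, using $default" >&2
      echo "$default" ;;
    *) echo "$value" ;;
  esac
}

# Directory pip caches into. pip defaults to $HOME/.cache/pip; with an empty HOME that
# becomes /.cache/pip, the root-owned path in the warning quoted in this thread.
pip_cache_dir() {
  home=${1:-}
  if [ -n "$home" ]; then echo "$home/.cache/pip"; else echo "/.cache/pip"; fi
}

# Name of the first available privilege-dropping tool, or an empty string.
privdrop_tool() {
  for tool in su-exec gosu setpriv; do
    if command -v "$tool" >/dev/null 2>&1; then echo "$tool"; return 0; fi
  done
  echo ""
}

main() {
  config_dir=${STASH_CONFIG_DIR:-/config}
  uid=$(resolve_id PUID "${PUID:-}" 1000)
  gid=$(resolve_id PGID "${PGID:-}" 1000)

  # A HOME the process owns is what the python scrapers' pip needs; exporting
  # PIP_CACHE_DIR makes the location independent of how ~ is resolved.
  export HOME="$config_dir"
  PIP_CACHE_DIR=$(pip_cache_dir "$HOME")
  export PIP_CACHE_DIR

  if [ "$(id -u)" -ne 0 ]; then
    # Already non-root (compose `user: 1000:1000`): nothing to drop, just run.
    exec "$@"
  fi

  # Started as root: hand the volume to the requested ids, then drop root.
  # Only the top level and the cache dir are chowned, so a large library is not
  # recursively chowned on every start.
  chown "$uid:$gid" "$config_dir"
  install -d -o "$uid" -g "$gid" "$config_dir/.cache" "$PIP_CACHE_DIR"

  tool=$(privdrop_tool)
  case "$tool" in
    su-exec|gosu) exec "$tool" "$uid:$gid" "$@" ;;
    setpriv)      exec setpriv --reuid="$uid" --regid="$gid" --clear-groups -- "$@" ;;
    *) echo "entrypoint: no su-exec/gosu/setpriv found, refusing to run as root" >&2; exit 1 ;;
  esac
}

# Only run main when invoked as the image entrypoint; sourcing the file or running it
# under another name just defines the functions.
if [ "${0##*/}" = "entrypoint.sh" ]; then
  main "$@"
fi
```

Used as `ENTRYPOINT ["/entrypoint.sh"]` with `CMD ["stash", "--config", "/config/config.yml"]`, the image starts as root, so PUID/PGID take effect; started with a compose `user:` line instead, the script skips the chown and privilege drop and still sets a writable HOME, which is the part the bare `user: 1000:1000` workaround lacks.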
