AkkomaGang/akkoma
AkkomaGang
/
akkoma
12
63
Fork 83
Code Issues 167 Pull Requests 14 Packages Projects 2 Releases 13 Wiki Activity

Check permissions on configuration file, not symlink #687

Merged
floatingghost merged 1 commits from erincandescent/akkoma:config-stat-symlink into develop 2024-02-16 12:19:09 +00:00
Conversation 1 Commits 1 Files Changed 1 +1 -1
erincandescent commented 2024-02-14 17:46:01 +00:00
Contributor
Copy Link

When deploying something on Kubernetes, the idiomatic way to inject a configuration file into the container is to mount a ConfigMap. However, when mounted, a ConfigMap contains symlinks which point at the actual files; something along the lines of

akkoma.exs -> ..{something}/akkoma.exs

(No I don't know why Kuberntes does this. I'm sure it has its reasons, maybe related to ConfigMap updates)

Now, the funny thing about symlinks is that on most Unixes (except macOS and FreeBSD with a specific mount option), symlinks don't have permissions of their own. In fact, they're hardcoded to return most bits enabled when responding to a lstat(2) call; all access controls are done on the target file instead.

So use of lstat(2) here results in a false positive; we should use stat(2) instead, which follows the symlink.

(My current work around is to copy the config file into a tmpfs, which is deeply ugly)

Some discussion here

When deploying something on Kubernetes, the idiomatic way to inject a configuration file into the container is to mount a ConfigMap. However, when mounted, a ConfigMap contains symlinks which point at the actual files; something along the lines of ``` akkoma.exs -> ..{something}/akkoma.exs ``` (No I don't know why Kuberntes does this. I'm sure it has its reasons, maybe related to ConfigMap updates) Now, the funny thing about symlinks is that on most Unixes (except macOS and FreeBSD with a specific mount option), symlinks don't have permissions of their own. In fact, *they're hardcoded to return most bits enabled* when responding to a `lstat(2)` call; all access controls are done on the target file instead. So use of `lstat(2)` here results in a false positive; we should use `stat(2)` instead, which follows the symlink. (My current work around is to copy the config file into a tmpfs, which is deeply ugly) [Some discussion here](https://akko.erincandescent.net/notice/AesGkEexpVU8GGDaO8)
erincandescent added 1 commit 2024-02-14 17:46:01 +00:00
ci/woodpecker/pr/lint Pipeline was successful Details
ci/woodpecker/pr/test Pipeline was successful Details
ci/woodpecker/pr/build-amd64 unknown status Details
ci/woodpecker/pr/build-arm64 unknown status Details
ci/woodpecker/pr/docs unknown status Details
cb7eaccecb Config: Check the permissions of the linked file instead of the symlink↵
floatingghost commented 2024-02-16 12:19:02 +00:00
Owner
Copy Link

hm well that's some unusual interaction

but seems good to me(tm)

hm well that's some unusual interaction but seems good to me(tm)
floatingghost merged commit a905223837 into develop 2024-02-16 12:19:09 +00:00
floatingghost deleted branch config-stat-symlink 2024-02-16 12:19:09 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
approved, awaiting change

   
bug

Something is not working

  
configuration

This requires config changes

  
documentation

This is about human-readable docs

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
extremely low priority

   
feature request

Something new?

  
Fix it yourself

Support has been attempted

  
help wanted

Need some help

  
invalid

Something is wrong

  
mastodon_api

   
needs docs

   
needs tests

   
not a bug

   
planned

   
pleroma_api

   
privacy

   
question

More information is needed

  
static_fe

   
triage

   
wontfix

This won't be fixed

No Label
approved, awaiting change
bug
configuration
documentation
duplicate
enhancement
extremely low priority
feature request
Fix it yourself
help wanted
invalid
mastodon_api
needs docs
needs tests
not a bug
planned
pleroma_api
privacy
question
static_fe
triage
wontfix
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: AkkomaGang/akkoma#687
No description provided.
Delete Branch "erincandescent/akkoma:config-stat-symlink"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?