[feature] add warning about UID/GID missmatch for docker socket, thanks to @broetchenrackete36, @johnatank

11notes · 11notes · commit 934cd2c4b5a3 · 2025-03-26T11:21:28.000+01:00
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -250,6 +250,12 @@ jobs:
         if: env.WORKFLOW_CREATE_RELEASE == 'true'  && steps.git-log.outcome == 'success'
         id: git-release
         uses: 11notes/action-docker-release@v1
+        # WHY IS THIS ACTION NOT SHA256 PINNED? SECURITY MUCH?!?!?!
+        # ---------------------------------------------------------------------------------
+        # the next step "github / release / create" creates a new release based on the code
+        # in the repo. This code is not modified and can't be modified by this action.
+        # It does create the markdown for the release, which could be abused, but to what
+        # extend? Adding a link to a malicious repo?
         with:
           git_log: ${{ steps.git-log.outputs.commits }}
 
@@ -267,6 +273,31 @@ jobs:
 
 
 
+
+      # LICENSE
+      - name: license / update year
+        continue-on-error: true
+        uses: actions/github-script@62c3794a3eb6788d9a2a72b219504732c0c9a298
+        with:
+          script: |
+            const { existsSync, readFileSync } = require('node:fs');
+            const { resolve } = require('node:path');
+            const file = 'LICENSE';
+            try{
+              const path = resolve(file );
+              if(existsSync(path)){
+                let license = readFileSync(file).toString();
+                license = license.replace(/Copyright \(c\) \d{4} /i, `Copyright (c) ${new Date().getFullYear()} `)
+              }else{
+                throw new Error(`file ${file} does not exist`);
+              }
+            }catch(e){
+              core.setFailed(e);
+            }
+
+
+
+
       # README
       - name: github / checkout master
         continue-on-error: true
@@ -278,6 +309,13 @@ jobs:
         continue-on-error: true
         if: env.WORKFLOW_CREATE_README == 'true' && steps.docker-build.outcome == 'success'
         uses: 11notes/action-docker-readme@v1
+        # WHY IS THIS ACTION NOT SHA256 PINNED? SECURITY MUCH?!?!?!
+        # ---------------------------------------------------------------------------------
+        # the next step "github / commit & push" only adds the README and LICENSE as well as 
+        # compose.yaml to the repository. This does not pose a security risk if this action
+        # would be compromised. The code of the app can't be changed by this action. Since
+        # only the files mentioned are commited to the repo. Sure, someone could make a bad
+        # compose.yaml, but since this serves only as an example I see no harm in that.
         with:
           sarif_file: ${{ steps.grype.outputs.sarif }}
           build_output_metadata: ${{ steps.docker-build.outputs.metadata }}
@@ -292,6 +330,9 @@ jobs:
           if [ -f compose.yaml ]; then
             git add compose.yaml
           fi
+          if [ -f LICENSE ]; then
+            git add LICENSE
+          fi
           git commit -m "auto update README.md"
           git push
 
@@ -307,7 +348,8 @@ jobs:
           provider: dockerhub
           short_description: ${{ env.DOCKER_IMAGE_DESCRIPTION }}
           readme_file: 'README_DOCKER.md'
-      
+
+
 
 
       # REPOSITORY SETTINGS
diff --git a/arch.dockerfile b/arch.dockerfile
@@ -48,5 +48,4 @@
   HEALTHCHECK --interval=5s --timeout=2s CMD ["/socket-proxy", "--healthcheck"]
 
 # :: Start
-  USER root
   ENTRYPOINT ["/socket-proxy"]
diff --git a/compose.yaml b/compose.yaml
@@ -1,7 +1,8 @@
 name: "traefik" # this is a compose example for Traefik
 services:
   socket-proxy:
-    image: "11notes/socket-proxy:2.0.0"
+    image: "11notes/socket-proxy:2.1.0"
+    user: "0:0" # make sure to use the same UID/GID as the owner of your docker socket!
     volumes:
       - "/run/docker.sock:/run/docker.sock:ro" # mount host docker socket, the :ro does not mean read-only for the socket, just for the actual file
       - "socket-proxy:/run/proxy" # this socket is run as 1000:1000, not as root!
diff --git a/go/socket-proxy/main.go b/go/socket-proxy/main.go
@@ -49,6 +49,23 @@ func prepareFileSystemDropPrivileges(){
 		log.Fatalf("could not chown folder %s", proxyVolume, err)
 	}
 
+	// check docker socket permissions
+	stat, err := os.Stat(os.Getenv("SOCKET_PROXY_DOCKER_SOCKET"))
+	if err != nil {
+		log.Fatalf("could not evaluate ownership of docker socket, permission issue %v", err)
+	}
+	if ownership, ok := stat.Sys().(*syscall.Stat_t); !ok {
+		log.Fatalf("could not evaluate ownership of docker socket, permission issue %v", err)
+	}else{
+		if(int(ownership.Uid) != os.Getuid()){
+			log.Fatalf("can’t access docker socket as UID %d owned by UID %d\nplease change the user setting in your compose to the correct UID/GID pair like this:\nservices:\n  socket-proxy:\n    user: \"%d:%d\"", os.Getuid(), ownership.Uid, ownership.Uid, ownership.Gid)
+		}else{
+			if(int(ownership.Gid) != os.Getgid()){
+				log.Fatalf("can’t access docker socket as GID %d owned by GID %d\nplease change the user setting in your compose to the correct UID/GID pair like this:\nservices:\n  socket-proxy:\n    user: \"%d:%d\"", os.Getgid(), ownership.Gid, os.Getuid(), ownership.Gid)
+			}
+		}
+	}
+
 	// drop privileges since only the proxy must access the socket as root and nothing else
 	if err := syscall.Setgid(proxyGID); err != nil {
 		log.Fatalf("could not set GID to %d %v", proxyGID, err)
@@ -106,6 +123,7 @@ func main(){
 		}
 		os.Exit(0)
 	}else{
+		log.Println("starting ...")
 		// setup signal handler
 		signals()
 
@@ -114,27 +132,28 @@ func main(){
 		proxy = httputil.NewSingleHostReverseProxy(localhost)
 		proxy.Transport = &http.Transport{
 			DialContext: func(_ context.Context, _, _ string)(net.Conn, error){
+				log.Println("starting proxy to docker socket ...")
 				return net.Dial("unix", os.Getenv("SOCKET_PROXY_DOCKER_SOCKET"))
 			},
 		}
 
 		// prepare the file system and drop privileges to UID/GID
 		prepareFileSystemDropPrivileges()
 
-		wg.Add(2)
-
 		// setup unix to socket proxy
-		serverUnix := &http.Server{
+		unixServer := &http.Server{
 			Handler: http.HandlerFunc(httpProxy),
 		}
 		os.Remove(socketProxy)
 		unix, err := net.Listen("unix", socketProxy)
 		if err != nil {
 			log.Fatalf("could not start unix socket %v", err)
 		}
+		wg.Add(1)
 		go func(){
 			defer wg.Done()
-			if err := serverUnix.Serve(unix); err != nil {
+			log.Println("starting proxy UNIX socket ...")
+			if err := unixServer.Serve(unix); err != nil {
 				log.Fatalf("could not start unix socket %v", err)
 			}
 		}()
@@ -148,8 +167,10 @@ func main(){
 		if err != nil {
 			log.Fatalf("could not start tcp socket %v", err)
 		}
+		wg.Add(1)
 		go func(){
 			defer wg.Done()
+			log.Println("starting proxy TCP socket ...")
 			if err := httpServer.Serve(tcp); err != nil {
 				log.Fatalf("could not start tcp socket %v", err)
 			}
diff --git a/project.md b/project.md
@@ -1,4 +1,12 @@
-${{ content_synopsis }} This image will run a proxy to access your docker socket as read-only. The exposed proxy socket is run as 1000:1000, not as root, although the image starts the proxy process as root to interact with the actual docker socket. There is also a TCP endpoint started at 2375 that will also proxy to the actual docker socket if needed. It is not exposed by default and must be exposed via using ```- "2375:2375/tcp"``` in your compose.
+${{ content_synopsis }} This image will run a proxy to access your docker socket as read-only. The exposed proxy socket is run as 1000:1000, not as root, although the image starts the proxy process as root to interact with the actual docker socket. There is also a TCP endpoint started at 2375 that will also proxy to the actual docker socket if needed. It is not exposed by default and must be exposed via using ```- "2375:2375/tcp"``` in your compose. Make sure that the docker socket is accessible by the ```user:``` specification in your compose, if the UID/GID are not correct, the image will print out the correct UID/GID for you to set:
+
+```shell
+socket-proxy-1  | 2025/03/26 10:16:33 can’t access docker socket as GID 0 owned by GID 991
+socket-proxy-1  | please change the user setting in your compose to the correct UID/GID pair like this:
+socket-proxy-1  | services:
+socket-proxy-1  |   socket-proxy:
+socket-proxy-1  |     user: "0:991"
+```
 
 ${{ content_uvp }} Good question! All the other images on the market that do exactly the same don’t do or offer these options:
 
