From cc5a6477f8afa4dfdbe97329c5818e14eaebedca Mon Sep 17 00:00:00 2001
From: shahidhk
Date: Mon, 25 Jun 2018 11:31:13 +0530
Subject: [PATCH 1/3] fix #78, handle permissions for docker.sock in a better way

---
 build/gitkubed/start_sshd.sh | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/build/gitkubed/start_sshd.sh b/build/gitkubed/start_sshd.sh
index 63fab5ed..bfdb3f4c 100644
--- a/build/gitkubed/start_sshd.sh
+++ b/build/gitkubed/start_sshd.sh
@@ -1,12 +1,16 @@
 #!/usr/bin/env sh
 set -e
 
-export HOST_GROUP_ID=$(cat /hasura-data/group | grep '^docker' | cut -d: -f3)
-GROUP_WITH_HOST_GROUP_ID=$(getent group $HOST_GROUP_ID | cut -d: -f1)
-if [ -z "${GROUP_WITH_HOST_GROUP_ID}" ]; then
- # Find the group id from the host and use it to create docker group
- groupadd -g $HOST_GROUP_ID docker
- GROUP_WITH_HOST_GROUP_ID="docker"
+# find the docker socket owner group id
+DOCKER_SOCK_OWNER_GROUP_ID=$(stat -c '%g' /var/run/docker.sock)
+# check the container's groups to see if it has a group with the same id
+DOCKER_SOCK_OWNER_GROUP=$(getent group "$DOCKER_SOCK_OWNER_GROUP_ID" | cut -d: -f1)
+if [ -z "${DOCKER_SOCK_OWNER_GROUP}" ]; then
+ # there is no group in the container with the given group id
+ # set owner group as 'docker'
+ DOCKER_SOCK_OWNER_GROUP="docker"
+ # create a new group with the same group id
+ groupadd -g "$DOCKER_SOCK_OWNER_GROUP_ID" "$DOCKER_SOCK_OWNER_GROUP"
 fi
 
 if [ -f /sshd-conf/remotes.json ]; then
@@ -29,7 +33,7 @@ if [ "$GIT_REMOTES_CONF" != "null" ]; then
 chown -R $repo:$repo $HOME_DIR/git-shell-commands
 chmod +x $HOME_DIR/git-shell-commands/no-interactive-login
 
- usermod -aG $GROUP_WITH_HOST_GROUP_ID $repo
+ usermod -aG "$DOCKER_SOCK_OWNER_GROUP" "$repo"
 
 # Create the .ssh directory if it does not exist
 mkdir -p $HOME_DIR/.ssh

From c610ecc9a84ad00b32dba647b06a11cf6c3d1dc2 Mon Sep 17 00:00:00 2001
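Review bot: The new lookup `DOCKER_SOCK_OWNER_GROUP_ID=$(stat -c '%g' /var/run/docker.sock)` has no guard for the socket being owned by gid 0, so on a host where docker.sock is root:root `getent group 0` resolves to `root` and the second hunk's `usermod -aG "$DOCKER_SOCK_OWNER_GROUP" "$repo"` adds every repo user to the container's root group rather than a dedicated docker group. A check before the `getent` line fails loudly instead: `[ "$DOCKER_SOCK_OWNER_GROUP_ID" != "0" ] || { echo "docker.sock is owned by gid 0, refusing to grant group access" >&2; exit 1; }`. The fallback branch also assumes no group named `docker` already exists in the image with a different gid; if one does, `groupadd` fails and `set -e` aborts with no hint of why, which deserves a comment or a distinct group name. A one-line comment above the `usermod` line, such as `# membership in the socket-owning group is equivalent to root on the host; intentional for builds`, would record why this grant is deliberate. The `if [ "$GIT_REMOTES_CONF" != "null" ]` block containing the usermod line starts and ends outside the hunk.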
From: Shahidh
Date: Fri, 27 Jul 2018 10:33:02 +0530
Subject: [PATCH 2/3] remove hostkey

---
 build/gitkubed/sshd_config | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build/gitkubed/sshd_config b/build/gitkubed/sshd_config
index a10d3959..1e3dd41e 100644
--- a/build/gitkubed/sshd_config
+++ b/build/gitkubed/sshd_config
@@ -9,7 +9,7 @@ Port 22
 Protocol 2
 # HostKeys for protocol version 2
 HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
+# HostKey /etc/ssh/ssh_host_dsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 #Privilege Separation is turned on for security

From 5e317e50aecd54143d6a4c304993a2ab8b1f2330 Mon Sep 17 00:00:00 2001
From: Shahidh
Date: Fri, 27 Jul 2018 11:26:12 +0530
Subject: [PATCH 3/3] remove deprecated config

---
 build/gitkubed/sshd_config | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/build/gitkubed/sshd_config b/build/gitkubed/sshd_config
index 1e3dd41e..513dc15f 100644
--- a/build/gitkubed/sshd_config
+++ b/build/gitkubed/sshd_config
@@ -15,10 +15,6 @@ HostKey /etc/ssh/ssh_host_ed25519_key
 #Privilege Separation is turned on for security
 UsePrivilegeSeparation yes
 
-# Lifetime and size of ephemeral version 1 server key
-KeyRegenerationInterval 3600
-ServerKeyBits 1024
-
 # Logging
 SyslogFacility AUTH
 LogLevel INFO
@@ -28,14 +24,11 @@ LoginGraceTime 120
 PermitRootLogin No
 StrictModes yes
 
-RSAAuthentication yes
 PubkeyAuthentication yes
 #AuthorizedKeysFile %h/.ssh/authorized_keys
 
 # Don't read the user's ~/.rhosts and ~/.shosts files
 IgnoreRhosts yes
-# For this to work you will also need host keys in /etc/ssh_known_hosts
-RhostsRSAAuthentication no
 # similar for protocol version 2
 HostbasedAuthentication no
 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
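Review bot: The first hunk of patch 3 leaves `UsePrivilegeSeparation yes` in place as context directly under `#Privilege Separation is turned on for security`, yet that option was deprecated in OpenSSH 7.5 and is ignored with a warning, so a commit titled "remove deprecated config" should drop it together with the protocol-1 options it removes. The same applies to `Protocol 2`, visible as context in patch 2's hunk; OpenSSH 7.4 removed server-side protocol 1 support and the directive has been a no-op since. In the second hunk of patch 3, `RhostsRSAAuthentication no` is removed but the trailing comment `# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication` is kept and now names a directive the file no longer contains; rewording it to `# Uncomment if you don't trust ~/.ssh/known_hosts for HostbasedAuthentication` keeps it accurate, since the setting it introduces applies to host-based authentication generally. The directive that comment introduces lies outside the hunk, so I cannot confirm it is still present.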