
File System Permissions #4632


Closed
wants to merge 1 commit into from


mcpattrsn

All private key and custom certificate files are now written with 0600 permissions, ensuring consistency with sensitive information.

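What writing key material with 0600 permissions involves in a Node.js backend, as an added example that is not part of this pull request or the project's code: the `mode` option of `fs.writeFileSync` only takes effect when the file is created, so a key file that already exists with looser permissions keeps them. The helper `writeSecretFile` and the file names are hypothetical, and the key contents are a constructed placeholder.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');
const crypto = require('crypto');

// Hypothetical helper (not the project's code): replace `target` atomically
// with a file that is 0600 from the moment it is created.
function writeSecretFile(target, data) {
  const tmp = path.join(path.dirname(target),
    `.${path.basename(target)}.${crypto.randomBytes(6).toString('hex')}.tmp`);
  // 'wx' (O_CREAT|O_EXCL) refuses to reuse an existing file or follow a symlink.
  const fd = fs.openSync(tmp, 'wx', 0o600);
  try {
    // umask can only strip bits from the open() mode; fchmod sets exactly 0600.
    fs.fchmodSync(fd, 0o600);
    fs.writeSync(fd, data);
    fs.fsyncSync(fd);
    fs.closeSync(fd);
  } catch (err) {
    try { fs.closeSync(fd); } catch (_) { /* already closed */ }
    fs.unlinkSync(tmp);
    throw err;
  }
  // rename() swaps in the new inode, so the old file's mode does not survive.
  fs.renameSync(tmp, target);
}

const modeOf = (p) => fs.statSync(p).mode & 0o777;

// Constructed scenario: both files already exist as 0644 before the rewrite.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'keyperm-'));
  const naive = path.join(dir, 'naive.pem');
  const safe = path.join(dir, 'safe.pem');
  const secret = 'CONSTRUCTED PLACEHOLDER, NOT A REAL KEY\n';
  for (const f of [naive, safe]) {
    fs.writeFileSync(f, 'old contents\n');
    fs.chmodSync(f, 0o644);
  }
  fs.writeFileSync(naive, secret, { mode: 0o600 }); // mode ignored: file exists
  writeSecretFile(safe, secret);
  const result = {
    naive: modeOf(naive), safe: modeOf(safe),
    content: fs.readFileSync(safe, 'utf8') === secret,
  };
  fs.rmSync(dir, { recursive: true, force: true });
  return result;
}
console.log(demo()); // run the constructed scenario
```

The same check applies to files written before such a change was deployed: they keep their old mode until they are rewritten through a path like this or fixed with an explicit `chmod`.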
@nginxproxymanagerci

CI Error:

/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
certbot-node: Pulling from nginxproxymanager/nginx-full
Digest: sha256:3cdbaf1f3e0206689c91098a9147a4ccf2a1a563ab42dbf662a068b186e9832d
Status: Image is up to date for nginxproxymanager/nginx-full:certbot-node
docker.io/nginxproxymanager/nginx-full:certbot-node
❯ Testing backend ...
yarn install v1.22.22
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
warning " > @apidevtools/[email protected]" has unmet peer dependency "openapi-types@>=7".
[4/4] Building fresh packages...
Done in 37.21s.
yarn run v1.22.22
$ /app/node_modules/.bin/eslint .
Done in 0.74s.
❯ Testing Complete
❯ Building ...
#0 building with "default" instance using docker driver

#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 2.35kB done
#1 DONE 0.0s

#2 [internal] load metadata for docker.io/letsencrypt/pebble:latest
#2 DONE 1.4s

#3 [internal] load metadata for docker.io/nginxproxymanager/nginx-full:certbot-node
#3 DONE 1.4s

#4 [internal] load metadata for docker.io/nginxproxymanager/testca:latest
#4 DONE 1.4s

#5 [internal] load .dockerignore
#5 transferring context: 2B done
#5 DONE 0.0s

#6 [stage-2  1/13] FROM docker.io/nginxproxymanager/nginx-full:certbot-node@sha256:3cdbaf1f3e0206689c91098a9147a4ccf2a1a563ab42dbf662a068b186e9832d
#6 resolve docker.io/nginxproxymanager/nginx-full:certbot-node@sha256:3cdbaf1f3e0206689c91098a9147a4ccf2a1a563ab42dbf662a068b186e9832d done
#6 DONE 0.1s

#7 [stage-2  2/13] RUN echo "fs.file-max = 65535" > /etc/sysctl.conf 	&& apt-get update 	&& apt-get install -y --no-install-recommends jq logrotate 	&& apt-get clean 	&& rm -rf /var/lib/apt/lists/*
#7 ...

#8 [internal] load build context
#8 transferring context: 7.76MB 0.1s done
#8 DONE 0.1s

#9 [testca 1/1] FROM docker.io/nginxproxymanager/testca:latest@sha256:e4ddbcecaad278c32d743bbc2561cbbf630b180ec892b264e2f3d0dd1ccc9825
#9 resolve docker.io/nginxproxymanager/testca:latest@sha256:e4ddbcecaad278c32d743bbc2561cbbf630b180ec892b264e2f3d0dd1ccc9825 0.0s done
#9 ...

#10 [pebbleca 1/1] FROM docker.io/letsencrypt/pebble:latest@sha256:fc5a537bf8fbc7cc63aa24ec3142283aa9b6ba54529f86eb8ff31fbde7c5b258
#10 resolve docker.io/letsencrypt/pebble:latest@sha256:fc5a537bf8fbc7cc63aa24ec3142283aa9b6ba54529f86eb8ff31fbde7c5b258 done
#10 DONE 0.4s

#9 [testca 1/1] FROM docker.io/nginxproxymanager/testca:latest@sha256:e4ddbcecaad278c32d743bbc2561cbbf630b180ec892b264e2f3d0dd1ccc9825
#9 ...

#7 [stage-2  2/13] RUN echo "fs.file-max = 65535" > /etc/sysctl.conf 	&& apt-get update 	&& apt-get install -y --no-install-recommends jq logrotate 	&& apt-get clean 	&& rm -rf /var/lib/apt/lists/*
#7 0.419 Get:1 https://deb.nodesource.com/node_20.x nodistro InRelease [12.1 kB]
#7 0.446 Get:2 http://deb.debian.org/debian bookworm InRelease [151 kB]
#7 0.446 Get:3 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
#7 0.479 Get:4 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
#7 0.521 Get:5 https://deb.nodesource.com/node_20.x nodistro/main amd64 Packages [12.0 kB]
#7 0.585 Get:6 http://deb.debian.org/debian bookworm/main amd64 Packages [8793 kB]
#7 1.230 Get:7 http://deb.debian.org/debian bookworm-updates/main amd64 Packages [756 B]
#7 1.230 Get:8 http://deb.debian.org/debian-security bookworm-security/main amd64 Packages [270 kB]
#7 1.813 Fetched 9343 kB in 1s (6320 kB/s)
#7 1.813 Reading package lists...
#7 2.115 Reading package lists...
#7 2.418 Building dependency tree...
#7 2.484 Reading state information...
#7 2.554 jq is already the newest version (1.6-2.1).
#7 2.554 The following additional packages will be installed:
#7 2.555   cron cron-daemon-common libpopt0 sensible-utils
#7 2.555 Suggested packages:
#7 2.555   anacron checksecurity bsd-mailx | mailx
#7 2.555 Recommended packages:
#7 2.555   default-mta | mail-transport-agent
#7 2.596 The following NEW packages will be installed:
#7 2.597   cron cron-daemon-common libpopt0 logrotate sensible-utils
#7 2.668 0 upgraded, 5 newly installed, 0 to remove and 42 not upgraded.
#7 2.668 Need to get 210 kB of archives.
#7 2.668 After this operation, 739 kB of additional disk space will be used.
#7 2.668 Get:1 http://deb.debian.org/debian bookworm/main amd64 cron-daemon-common all 3.0pl1-162 [12.7 kB]
#7 2.696 Get:2 http://deb.debian.org/debian bookworm/main amd64 sensible-utils all 0.0.17+nmu1 [19.0 kB]
#7 2.729 Get:3 http://deb.debian.org/debian bookworm/main amd64 cron amd64 3.0pl1-162 [73.1 kB]
#7 2.759 Get:4 http://deb.debian.org/debian bookworm/main amd64 libpopt0 amd64 1.19+dfsg-1 [43.3 kB]
#7 2.765 Get:5 http://deb.debian.org/debian bookworm/main amd64 logrotate amd64 3.21.0-1 [62.1 kB]
#7 2.868 debconf: delaying package configuration, since apt-utils is not installed
#7 2.883 Fetched 210 kB in 0s (1129 kB/s)
#7 2.897 Selecting previously unselected package cron-daemon-common.
#7 2.897 (Reading database ... 
(Reading database ... 23543 files and directories currently installed.)
#7 2.931 Preparing to unpack .../cron-daemon-common_3.0pl1-162_all.deb ...
#7 2.932 Unpacking cron-daemon-common (3.0pl1-162) ...
#7 2.946 Selecting previously unselected package sensible-utils.
#7 2.948 Preparing to unpack .../sensible-utils_0.0.17+nmu1_all.deb ...
#7 2.949 Unpacking sensible-utils (0.0.17+nmu1) ...
#7 2.965 Setting up cron-daemon-common (3.0pl1-162) ...
#7 2.991 Adding group `crontab' (GID 102) ...
#7 2.999 Done.
#7 3.014 Selecting previously unselected package cron.
#7 3.014 (Reading database ... 
(Reading database ... 23588 files and directories currently installed.)
#7 3.021 Preparing to unpack .../cron_3.0pl1-162_amd64.deb ...
#7 3.023 Unpacking cron (3.0pl1-162) ...
#7 3.039 Selecting previously unselected package libpopt0:amd64.
#7 3.040 Preparing to unpack .../libpopt0_1.19+dfsg-1_amd64.deb ...
#7 3.042 Unpacking libpopt0:amd64 (1.19+dfsg-1) ...
#7 3.057 Selecting previously unselected package logrotate.
#7 3.059 Preparing to unpack .../logrotate_3.21.0-1_amd64.deb ...
#7 3.059 Unpacking logrotate (3.21.0-1) ...
#7 3.076 Setting up sensible-utils (0.0.17+nmu1) ...
#7 3.077 Setting up libpopt0:amd64 (1.19+dfsg-1) ...
#7 3.079 Setting up cron (3.0pl1-162) ...
#7 3.095 invoke-rc.d: could not determine current runlevel
#7 3.099 invoke-rc.d: policy-rc.d denied execution of start.
#7 3.174 Setting up logrotate (3.21.0-1) ...
#7 3.248 Processing triggers for libc-bin (2.36-9+deb12u10) ...
#7 DONE 3.3s

#11 [stage-2  3/13] COPY docker/scripts/install-s6 /tmp/install-s6
#11 DONE 0.0s

#12 [stage-2  4/13] RUN /tmp/install-s6 "linux/amd64" && rm -f /tmp/install-s6
#12 0.109 ❯ Installing S6-overlay v3.2.0.2 for linux/amd64 (x86_64)
#12 2.650 ❯ S6-overlay install Complete
#12 DONE 2.7s

#13 [stage-2  5/13] COPY backend       /app
#13 DONE 0.0s

#9 [testca 1/1] FROM docker.io/nginxproxymanager/testca:latest@sha256:e4ddbcecaad278c32d743bbc2561cbbf630b180ec892b264e2f3d0dd1ccc9825
#9 ...

#14 [stage-2  6/13] COPY frontend/dist /app/frontend
#14 DONE 0.0s

#15 [stage-2  7/13] COPY global        /app/global
#15 DONE 0.0s

#16 [stage-2  8/13] WORKDIR /app
#16 DONE 0.0s

#17 [stage-2  9/13] RUN yarn install 	&& yarn cache clean
#17 0.231 yarn install v1.22.22
#17 0.261 [1/4] Resolving packages...
#17 0.347 [2/4] Fetching packages...
#17 5.199 [3/4] Linking dependencies...
#17 5.199 warning " > @apidevtools/[email protected]" has unmet peer dependency "openapi-types@>=7".
#17 6.264 [4/4] Building fresh packages...
#17 36.47 Done in 36.24s.
#17 36.57 yarn cache v1.22.22
#17 37.13 success Cleared cache.
#17 37.13 Done in 0.56s.
#17 DONE 37.2s

#18 [stage-2 10/13] COPY docker/rootfs /
#18 DONE 0.0s

#19 [stage-2 11/13] COPY --from=pebbleca /test/certs/pebble.minica.pem /etc/ssl/certs/pebble.minica.pem
#19 DONE 0.0s

#9 [testca 1/1] FROM docker.io/nginxproxymanager/testca:latest@sha256:e4ddbcecaad278c32d743bbc2561cbbf630b180ec892b264e2f3d0dd1ccc9825
#9 sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1 0B / 32B 50.2s
#9 ERROR: short read: expected 32 bytes but got 0: unexpected EOF
------
 > [testca 1/1] FROM docker.io/nginxproxymanager/testca:latest@sha256:e4ddbcecaad278c32d743bbc2561cbbf630b180ec892b264e2f3d0dd1ccc9825:
------
Dockerfile:6
--------------------
   4 |     # This file assumes that the frontend has been built using ./scripts/frontend-build
   5 |     
   6 | >>> FROM nginxproxymanager/testca AS testca
   7 |     FROM letsencrypt/pebble AS pebbleca
   8 |     FROM nginxproxymanager/nginx-full:certbot-node
--------------------
ERROR: failed to solve: short read: expected 32 bytes but got 0: unexpected EOF

@mcpattrsn mcpattrsn closed this Jul 4, 2025