Plugin crons and core systemd services stop working with this plugin installed #36
Description
Description of problem
After installing this plugin I noticed that all my backup crons created from the dokku-postgres/dokku-redis plugins and the systemd dokku-redeploy/dokku-retire services from dokku itself stopped working.
Steps to Reproduce
- Install this plugin
- Manually start dokku-retire with
systemctl start dokku-retire - Systemd error
Actual Results
Error from journalctl logs for dokku-retire service :
! User default does not have permissions to run ps:retire
! Access denied
Expected Results
No error
Environment Information
dokku report output
See report
-----> uname: Linux hr-karmeliet 5.19.3-arch1-1 #1 SMP PREEMPT_DYNAMIC Sun, 21 Aug 2022 18:55:22 +0000 x86_64 GNU/Linux
-----> memory:
total used free shared buff/cache available
Mem: 31929 7913 3768 461 20247 23100
Swap: 32006 333 31672
-----> docker version:
Client:
Version: 20.10.19
API version: 1.41
Go version: go1.19.2
Git commit: d85ef84533
Built: Sat Oct 15 20:20:02 2022
OS/Arch: linux/amd64
Context: default
Experimental: true
Server:
Engine:
Version: 20.10.17
API version: 1.41 (minimum version 1.12)
Go version: go1.18.3
Git commit: a89b84221c
Built: Sat Jun 11 23:27:14 2022
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v1.6.8
GitCommit: 9cd3357b7fd7218e4aec3eae239db1f68a5a6ec6.m
runc:
Version: 1.1.4
GitCommit:
docker-init:
Version: 0.19.0
GitCommit: de40ad0
-----> docker daemon info:
Client:
Context: default
Debug Mode: true
Plugins:
compose: Docker Compose (Docker Inc., 2.11.2)
Server:
Containers: 24
Running: 23
Paused: 0
Stopped: 1
Images: 135
Server Version: 20.10.17
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: false
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runtime.v1.linux runc io.containerd.runc.v2
Default Runtime: runc
Init Binary: docker-init
containerd version: 9cd3357b7fd7218e4aec3eae239db1f68a5a6ec6.m
runc version:
init version: de40ad0
Security Options:
seccomp
Profile: default
cgroupns
Kernel Version: 5.19.3-arch1-1
Operating System: Arch Linux
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 31.18GiB
Name: hr-karmeliet
ID: IUET:JOT3:NGWO:UMSV:JCMN:3ZMO:BDF3:E7TQ:TIY4:JT3D:FSLF:M7VP
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
-----> git version: git version 2.38.0
-----> sigil version: 0.9.0build+bc921b7
-----> herokuish version:
herokuish: 0.5.37
buildpacks:
heroku-buildpack-multi v1.2.0
heroku-buildpack-ruby v244
heroku-buildpack-nodejs v198
heroku-buildpack-clojure v90
heroku-buildpack-python v214
heroku-buildpack-java v72
heroku-buildpack-gradle v38
heroku-buildpack-scala v94
heroku-buildpack-play v26
heroku-buildpack-php v223
heroku-buildpack-go v166
heroku-buildpack-nginx v16
buildpack-null v3
-----> dokku version: dokku version 0.28.1
-----> plugn version: plugn: 0.12.0build+3a27594
-----> dokku plugins:
00_dokku-standard 0.28.1 enabled dokku core standard plugin
20_events 0.28.1 enabled dokku core events logging plugin
acl 1.5.1 enabled dokku plugin that can be used to restrict push privileges for app to certain users
app-json 0.28.1 enabled dokku core app-json plugin
apps 0.28.1 enabled dokku core apps plugin
apt 0.12.0 enabled Inject deb packages into dokku based on files in project
builder 0.28.1 enabled dokku core builder plugin
builder-dockerfile 0.28.1 enabled dokku core builder-dockerfile plugin
builder-herokuish 0.28.1 enabled dokku core builder-herokuish plugin
builder-lambda 0.27.0 enabled dokku core builder-lambda plugin
builder-null 0.28.1 enabled dokku core builder-null plugin
builder-pack 0.28.1 enabled dokku core builder-pack plugin
buildpacks 0.28.1 enabled dokku core buildpacks plugin
caddy-vhosts 0.28.1 enabled dokku core caddy-vhosts plugin
certs 0.28.1 enabled dokku core certificate management plugin
checks 0.28.1 enabled dokku core checks plugin
common 0.28.1 enabled dokku core common plugin
config 0.28.1 enabled dokku core config plugin
cron 0.28.1 enabled dokku core cron plugin
docker-options 0.28.1 enabled dokku core docker-options plugin
domains 0.28.1 enabled dokku core domains plugin
elasticsearch 1.24.0 enabled dokku elasticsearch service plugin
enter 0.28.1 enabled dokku core enter plugin
git 0.28.1 enabled dokku core git plugin
letsencrypt 0.18.1 enabled Automated installation of let's encrypt TLS certificates
logs 0.28.1 enabled dokku core logs plugin
logspout 0.4.0 enabled sends dokku app stdout to a logging service
network 0.28.1 enabled dokku core network plugin
nginx-vhosts 0.28.1 enabled dokku core nginx-vhosts plugin
plugin 0.28.1 enabled dokku core plugin plugin
postgres 1.24.0 enabled dokku postgres service plugin
proxy 0.28.1 enabled dokku core proxy plugin
ps 0.28.1 enabled dokku core ps plugin
redirect 0.7.1 enabled Plugin for managing application redirects
redis 1.24.0 enabled dokku redis service plugin
registry 0.28.1 enabled dokku core registry plugin
repo 0.28.1 enabled dokku core repo plugin
resource 0.28.1 enabled dokku core resource plugin
run 0.28.1 enabled dokku core run plugin
scheduler 0.28.1 enabled dokku core scheduler plugin
scheduler-docker-local 0.28.1 enabled dokku core scheduler-docker-local plugin
scheduler-null 0.28.1 enabled dokku core scheduler-null plugin
shell 0.28.1 enabled dokku core shell plugin
ssh-keys 0.28.1 enabled dokku core ssh-keys plugin
storage 0.28.1 enabled dokku core storage plugin
trace 0.28.1 enabled dokku core trace plugin
traefik-vhosts 0.28.1 enabled dokku core traefik-vhosts plugin
dokku acl:report output
=====> example acl information
Acl allowed users:
Acl global allow command line:
Acl global super user: d1ceward
Acl global user commands: help version
Acl global per app commands: logs urls ps:rebuild ps:restart ps:stop ps:start
ls -lah ~dokku/.dokkurc/ output
total 16K
drwxr-xr-x 2 dokku dokku 4.0K Oct 17 14:54 .
drwx------ 13 dokku dokku 4.0K Sep 7 11:44 ..
-rw-r--r-- 1 dokku dokku 384 Oct 17 14:54 acl
-rw-r--r-- 1 dokku dokku 22 Oct 14 16:13 DOKKU_EVENTS
How (deb/make/rpm) and where (AWS, VirtualBox, physical, etc.) was Dokku installed?:
Installed from AUR (Arch linux User Repository) on a physical machine.
PS: I'm the maintainer of the AUR package for dokku
Additional information
Output of failing Dokku commands after running dokku trace on
See output
+ [[ ps:retire == \v\e\r\s\i\o\n ]]
+ for allowed in $DOKKU_ACL_PER_APP_COMMANDS
+ [[ ps:retire == \l\o\g\s ]]
+ for allowed in $DOKKU_ACL_PER_APP_COMMANDS
+ [[ ps:retire == \u\r\l\s ]]
+ for allowed in $DOKKU_ACL_PER_APP_COMMANDS
+ [[ ps:retire == \p\s\:\r\e\b\u\i\l\d ]]
+ for allowed in $DOKKU_ACL_PER_APP_COMMANDS
+ [[ ps:retire == \p\s\:\r\e\s\t\a\r\t ]]
+ for allowed in $DOKKU_ACL_PER_APP_COMMANDS
+ [[ ps:retire == \p\s\:\s\t\o\p ]]
+ for allowed in $DOKKU_ACL_PER_APP_COMMANDS
+ [[ ps:retire == \p\s\:\s\t\a\r\t ]]
+ for allowed in $DOKKU_ACL_LINK_COMMANDS
+ [[ ps:retire == \r\e\d\i\s\:\l\o\g\s ]]
+ dokku_log_fail 'User default does not have permissions to run ps:retire'
+ declare 'desc=log fail formatter'
+ echo ' ! User default does not have permissions to run ps:retire'
! User default does not have permissions to run ps:retire
+ exit 1
+ return 1
+ dokku_log_fail 'Access denied'
+ declare 'desc=log fail formatter'
+ echo ' ! Access denied'
! Access denied
+ exit 1
Workaround
I noticed that when the commands were launched by systemd or crons the variables $NAME, $SSH_NAME and $SSH_USER were empty with the variable $USER equal to "dokku" but not in other cases (command launched by SSH).
So I added "dokku" in the variable $DOKKU_SUPER_USER and added a piece of code in /home/dokku/.dokkurc/acl that only in this case fill the variable $NAME by "dokku"
if [[ $USER == "dokku" && -z $NAME && -z $SSH_USER && -z $SSH_NAME ]]; then
export NAME="dokku"
fi
export DOKKU_SUPER_USER="dokku"
But I'm not sure if it opens the door to exploits and prevents another user from becoming a superuser.
Seems to be linked to #22