sipcapture/homer

The problem with LDAP group in homer-webapp docker container

perrfect opened this issue · 11 comments

Hello.
I have some problems with LDAP_USERGROUP in the homer-webapp docker container, in the /usr/local/homer/etc/webapp_config.json config.
When the container is restarted, usergroup is changed from "usergroup": "sec_homer_users" to "usergroup": "sec_roots".
Only removing the container helps.
I forward this group to the config via docker-compose, as:
"LDAP_USERGROUP=sec_homer_users"

>>When the container has restarted usergroup is changed from "usergroup": "sec_homer_users" to "usergroup": "sec_roots".
This seems to be a permission escalation that depends on the container. The restart seems to invalidate the policy.

More information is needed in order to reproduce the issue.

If you find a solution, please share it for the community's benefit.

Thank you

P.S. Don't forget to STAR our project :)

Hello.
I've done additional tests and it looks like the problem is not in permissions.
If I set the env variable "LDAP_USERGROUP=homer_user" in a docker-compose.yml file and run it, inside the homer-webapp container everything is ok.
But when I stop the container and start it again, in the container's config /usr/local/homer/etc/webapp_config.json the parameter "usergroup" looks like "usergroup": "root",.
Maybe the problem is in this script docker-entrypoint.d/1
@adubovikov Could you please check?

>>Maybe the problem is in this script docker-entrypoint.d/1

What would the issue be? The relevant parts of the init script are simply replacing the ENV values in the template, so I see no reason why the json config results should differ between restarts. Are you mounting the config file using a volume on your filesystem?

No, I don't mount the config file and don't use a volume.
I'm using only this docker-compose file:

  homer-webapp:
    container_name: homer-webapp
    image: sipcapture/webapp
    environment:
      - "LOKI_HOST=loki"
      - "PROM_HOST=prometheus"
      - "DB_HOST=db"
      - "DB_USER=root"
      - "DB_PASS=homerSeven"
      - "AUTH_TYPE=ldap"
      - "LDAP_BASE=dc=ipa,dc=example,dc=com"
      - "LDAP_HOST=ipa.example.com"
      - "LDAP_PORT=636"
      - "LDAP_SSL=true"
      - "LDAP_SKIP_TLS=false"
      - "LDAP_SKIP_VERIFY=true"
      - "LDAP_ANONYMOUS=false"
      - "LDAP_BIND_DN=uid=homer,cn=users,cn=accounts,dc=ipa,dc=example,dc=com"
      - "LDAP_BIND_PASS=password"
      - "LDAP_USER_FILTER=(\\&(objectClass=person)(uid=%s))"
      - "LDAP_GROUP_FILTER=(member=%s)"
      - "LDAP_USER_DN=uid=%s,cn=users,cn=accounts,dc=ipa,dc=example,dc=com"
      - "LDAP_ADMINGROUP=homer_admins"
      - "LDAP_USERMODE=false"
      - "LDAP_ADMINMODE=false"
      - "LDAP_USERGROUP=homer_users"
      - "HOMER_LOGLEVEL=debug"
    restart: unless-stopped
    ports:
      - "9080:80"
    volumes:
      - ./bootstrap:/app/bootstrap
    depends_on:
      db:
        condition: service_healthy
      grafana:
        condition: service_healthy

You can try it and you will get the same error.
The problem reproduces on the production server and on a new test server with default configs from github.

@lmangani
The problem is reproduced on Ubuntu and Rocky Linux.
Steps to reproduce:

  1. Add environment variables as in the comment above to homer7-docker/heplify-server/hom7-prom-all/docker-compose.yml
  2. Run docker compose: sudo docker compose up -d
  3. Go to the homer-webapp container and check the parameter "usergroup" in /usr/local/homer/etc/webapp_config.json
     At this step everything is ok.
  4. Stop the homer-webapp container: sudo docker compose stop homer-webapp
  5. Start it again: sudo docker compose start homer-webapp
  6. Go to the homer-webapp container (sudo docker exec -it homer-webapp /bin/bash) and the parameter "usergroup" now has the value "usergroup": "roots"

@lmangani
Did you check it?

@perrfect no but perhaps @adubovikov or @hamidrhashmi can help with this

@adubovikov Can you help please and check?

@lmangani @adubovikov there is a search/replace for the homer_user string in entrypoint.sh; that's why @perrfect's group name (hepic_users) is being replaced with 'roots'.

https://github.com/sipcapture/homer-app/blob/master/docker/docker-entrypoint.d/1#L16C6-L16C6
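As an added illustration of the substitution behaviour described in the last comment (this is not the project's own entrypoint script): a constructed config fragment stands in for webapp_config.json, and the unanchored sed pattern is an assumption modelled on the search/replace the thread describes. The keyed rewrite beside it shows why anchoring the substitution to the specific JSON key (or regenerating the file from a pristine template on every start instead of editing it in place) keeps a group name such as homer_users intact across restarts.

```shell
#!/bin/sh
# Added illustration of the restart bug discussed in this thread; not the
# homer-app entrypoint. The config below is constructed and the sed
# patterns are assumptions modelled on the described search/replace.

# Constructed config as it looks after a first, correct start: the DB user
# has already been expanded to "root" and the LDAP group set from
# LDAP_USERGROUP. This is the file a second start will rewrite again.
make_config() {
  cat <<'EOF'
{
  "database_data": { "user": "root" },
  "auth_settings": { "type": "ldap" },
  "ldap_config": { "usergroup": "homer_users", "admingroup": "homer_admins" }
}
EOF
}

# Naive rewrite: an unanchored substring replace of the placeholder
# "homer_user" with $DB_USER ($1). Replayed on an already-rewritten file,
# it also hits "homer_users" (and "sec_homer_users"), producing "roots".
naive_rewrite() {
  sed -e "s/homer_user/$1/g"
}

# Safer rewrite: only touch the value of the specific JSON key, so other
# values that merely contain the substring are left alone. Running it
# twice is harmless (idempotent).
keyed_rewrite() {
  sed -e "s/\"user\": *\"homer_user\"/\"user\": \"$1\"/"
}

# Simulate a container restart: replay the rewrite ($1) with DB_USER ($2)
# over the existing config and extract the resulting "usergroup" value.
usergroup_after() {
  make_config | "$1" "$2" | sed -n 's/.*"usergroup": *"\([^"]*\)".*/\1/p'
}

echo "naive rewrite after restart: usergroup=$(usergroup_after naive_rewrite root)"
echo "keyed rewrite after restart: usergroup=$(usergroup_after keyed_rewrite root)"
```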