webdevops/Dockerfile

webdevops/php-nginx-dev:8.2: gosu appears to be installed with 'setuid' bit set

zoltanka opened this issue · 12 comments

Since the last release I'm getting this error:

webdevops/php-nginx-dev:8.2
sha256:c84f420a8466e58761bd9b9b924d5b0de0c140964f5ca3e3867d82ceb271bd21

Attaching to amd-app-1, amd-mysql-1, amd-redis-1
amd-mysql-1  | 2023-03-31 11:27:34+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 5.7.41-1.el7 started.
amd-redis-1  | 1:C 31 Mar 2023 11:27:34.659 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
amd-redis-1  | 1:C 31 Mar 2023 11:27:34.659 # Redis version=5.0.6, bits=64, commit=00000000, modified=0, pid=1, just started
amd-redis-1  | 1:C 31 Mar 2023 11:27:34.659 # Warning: no config file specified, using the default config. In order to specify a config file use redis-server /path/to/redis.conf
amd-redis-1  | 1:M 31 Mar 2023 11:27:34.666 * Running mode=standalone, port=6379.
amd-redis-1  | 1:M 31 Mar 2023 11:27:34.666 # Server initialized
amd-redis-1  | 1:M 31 Mar 2023 11:27:34.666 # WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis. To fix this issue run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in order to retain the setting after a reboot. Redis must be restarted after THP is disabled.
amd-redis-1  | 1:M 31 Mar 2023 11:27:34.667 * DB loaded from disk: 0.001 seconds
amd-redis-1  | 1:M 31 Mar 2023 11:27:34.667 * Ready to accept connections
amd-mysql-1  | 2023-03-31 11:27:34+00:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'
amd-mysql-1  | 2023-03-31 11:27:34+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 5.7.41-1.el7 started.
amd-app-1    | error: "gosu" appears to be installed with the 'setuid' bit set, which is an *extremely* insecure and completely unsupported configuration! (what you want instead is likely 'sudo' or 'su')
amd-mysql-1  | '/var/lib/mysql/mysql.sock' -> '/var/run/mysqld/mysqld.sock'
amd-app-1 exited with code 1

Besides this, the build process and everything works as before. No errors whatsoever.

Edit

Maybe it's important: it happens locally on both Mac and Ubuntu, and on GitHub Actions.

I only updated gosu from 1.10 to 1.16. I'll take a look

I have the same problem on php-nginx images, preventing me from deploying.

error: "gosu" appears to be installed with the 'setuid' bit set, which is an *extremely* insecure and completely unsupported configuration! (what you want instead is likely 'sudo' or 'su') 

+1 with webdevops/php-nginx:8.0

+1 webdevops/php-nginx:8.1

+1 webdevops/php-nginx:7.4-alpine

+1 webdevops/php-nginx:8.2-alpine

+1 webdevops/php-apache:8.0

In my project the error is thrown if I try to run the container using the user application instead of root. Using the root user there's no problem at all.

I've used php-nginx in Kubernetes with a non-root user for almost a year now, I really hope a root user is not suddenly necessary.

I'm very sorry, I didn't think that a minor update could contain a major breaking change. 1.10 -> 1.16, gosh.
I'll take care of it tomorrow.

Would this gosu update affect other images as well? I'm having the same error using php-apache-dev:8.1-alpine and php-apache-dev:8.1

I've rolled back gosu to 1.10 until I have time to investigate that setuid issue.
This affected all images.
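
A build-time check for the condition gosu reports in this thread, as an added example that is not part of the issue or of the webdevops images: it fails when a named binary carries the setuid or setgid bit, so the problem is caught before the container starts. The function names `resolve_bin` and `check_no_setid` are hypothetical.

```shell
#!/bin/sh
# Added example (not project code): gate an image build or CI step on
# privilege-dropping helpers such as gosu NOT being setuid/setgid.

# resolve_bin NAME_OR_PATH
# Prints the file to inspect. A bare name is looked up on PATH,
# anything containing a slash is taken as a path. Returns non-zero if absent.
resolve_bin() {
    case "$1" in
        */*) [ -e "$1" ] && printf '%s\n' "$1" ;;
        *)   command -v "$1" ;;
    esac
}

# check_no_setid NAME_OR_PATH...
# Returns 0 when every target exists and has neither bit set,
#         1 when any target has the setuid or setgid bit,
#         2 when a target cannot be found (and none was flagged).
check_no_setid() {
    rc=0
    for target in "$@"; do
        bin_path=$(resolve_bin "$target") || {
            echo "missing: $target" >&2
            [ "$rc" -eq 0 ] && rc=2
            continue
        }
        # -u / -g are the POSIX tests for the setuid / setgid mode bits.
        if [ -u "$bin_path" ] || [ -g "$bin_path" ]; then
            echo "setuid/setgid bit set: $(ls -ld "$bin_path")" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Typical use inside the image, e.g. as the last build step:
#   check_no_setid gosu || exit 1
```

The check uses only POSIX `test` operators, so it behaves the same under the Debian-based and Alpine-based image variants mentioned in the thread.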