self-host icon indicating copy to clipboard operation
self-host copied to clipboard
verified publisher icon bitwarden

Run Bitwarden-selfhosted as non-root container on the read-only filesystem

Open shaman007 opened this issue 2 years ago • 4 comments

I am running a Bitwarden instance in Kubernetes and want to harden it, because to it contains vital secrets. However, if I try as a start to set:

    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000

I am getting several errors from the entrypoint.sh:

addgroup: Only root may add a user or group to the system.
adduser: Only root may add a user or group to the system.
cp: cannot create regular file '/app/Identity/identity.pfx': Permission denied
cp: cannot create regular file '/app/Sso/identity.pfx': Permission denied

and

sed: couldn't open temporary file /etc/supervisor.d/sedF4AEIa: Permission denied
sed: couldn't open temporary file /etc/supervisor.d/sedMdBMD6: Permission denied
sed: couldn't open temporary file /etc/supervisor.d/sedQ53QO5: Permission denied
sed: couldn't open temporary file /etc/supervisor.d/sedY6JVZS: Permission denied
sed: couldn't open temporary file /etc/supervisor.d/sedTZbdo9: Permission denied
sed: couldn't open temporary file /etc/supervisor.d/sedaiDeBm: Permission denied
sed: couldn't open temporary file /etc/supervisor.d/sedihWpDk: Permission denied
sed: couldn't open temporary file /etc/supervisor.d/sedBm0zaG: Permission denied
chown: changing ownership of '/app/Web/554.48a8997231bd1194fd5f.js': Operation not permitted
chown: changing ownership of '/app/Web/111.a0a028d157496bf5d1fb.js.map': Operation not permitted
chown: changing ownership of '/app/Web/314.5a6aa5e9fd3a1dbb36ce.js.map': Operation not permitted
chown: changing ownership of '/app/Web/encrypt-worker.c5aeb8504a3eb9845db2.js': Operation not permitted
chown: changing ownership of '/app/Web/scripts/qrious.min.js': Operation not permitted
[ ... and so on ... ]

This happens due to the entrypoint.sh:

  • creates user and group
  • creates certificates
  • enable/disable services
  • massively chowns directories

Useradd, groupadd could be easily moved in the Dockerfile, as well as the permissions/group ownership. Seems like "Enable/Disable services" also should be rather in the Dockerfile. /etc/bitwarden that is altered by the entrypoint.sh should be a persistent volume, since we want to keep instance identity on restarts, it's not a problem.

shaman007 avatar Apr 10 '24 16:04 shaman007

I did a trivial PR for this issue.

shaman007 avatar Apr 10 '24 16:04 shaman007

Hi there,

This issue has been escalated for further investigation. If you have more information that can help us, please add it below.

Thanks!

Neonwarden avatar Apr 10 '24 16:04 Neonwarden

Much needed feature to get this working on Azure AppService / Container Apps!

yggdrasil-tynor avatar Apr 12 '24 08:04 yggdrasil-tynor

/etc/supervisor.d is mostly where systemd stores content. Don't try to outsmart systemd: Rather than using "bitwarden.sh" directly, create a systemd for bitwarden and enable the designated service user to start or stop that, with the escalations built into systemd.

sincerelysaucy avatar Aug 16 '24 15:08 sincerelysaucy