[Bug]: the entire user home dir is exposed to the container
Operating system
Fedora
Description
That's a high security risk. I didn't share my home dir, but it's still exposed. The user needs to expose just a certain dir that he chooses, not his entire home dir. I am using rootless podman.
Docker compose
```yaml
name: "winapps"
volumes:
  data:
services:
  windows:
    image: ghcr.io/dockur/windows:latest
    container_name: WinApps
    environment:
      VERSION: "tiny11"
      RAM_SIZE: "8G"
      CPU_CORES: "10"
      DISK_SIZE: "128G"
      USERNAME: "user"
      PASSWORD: "user"
      REGION: "en-US"
      LANGUAGE: "English"
      KEYBOARD: "es"
    ports:
      - 8006:8006
      - 3389:3389/tcp
      - 3389:3389/udp
    cap_add:
      - NET_ADMIN
    stop_grace_period: 120s
    restart: on-failure
    volumes:
      - data:/storage
      - ${HOME}/guests:/shared
      - ./oem:/oem
    devices:
      - /dev/kvm
      - /dev/net/tun
```
Docker log
```
❯ Starting Windows for Docker v4.31...
❯ For support visit https://github.com/dockur/windows
❯ CPU: Intel Core i5 1235U | RAM: 29/32 GB | DISK: 354 GB (btrfs) | KERNEL: 6.13.9-200.fc41.x86_64...

❯ Warning: you are using the BTRFS filesystem for /storage, this might introduce issues with Windows Setup!
mknod: /dev/net/tun: File exists
❯ Warning: podman detected, falling back to user-mode networking!
❯ Notice: port mapping will not work without "USER_PORTS" now.
ls: cannot open directory '/shared': Permission denied
chmod: changing permissions of '/shared': Permission denied
samba.sh: line 50: /shared/readme.txt: Permission denied
❯ Booting Windows using QEMU v9.2.2...
BdsDxe: loading Boot0004 "Windows Boot Manager" from HD(1,GPT,A6D3826C-FC20-4E0F-8AAE-9EA102E63CF7,0x800,0x40000)/\EFI\Microsoft\Boot\bootmgfw.efi
BdsDxe: starting Boot0004 "Windows Boot Manager" from HD(1,GPT,A6D3826C-FC20-4E0F-8AAE-9EA102E63CF7,0x800,0x40000)/\EFI\Microsoft\Boot\bootmgfw.efi
❯ Windows started succesfully, visit http://127.0.0.1:8006/ to view the screen...
BdsDxe: loading Boot0004 "Windows Boot Manager" from HD(1,GPT,A6D3826C-FC20-4E0F-8AAE-9EA102E63CF7,0x800,0x40000)/\EFI\Microsoft\Boot\bootmgfw.efi
BdsDxe: starting Boot0004 "Windows Boot Manager" from HD(1,GPT,A6D3826C-FC20-4E0F-8AAE-9EA102E63CF7,0x800,0x40000)/\EFI\Microsoft\Boot\bootmgfw.efi
qemu-system-x86_64: terminating on signal 15
❯ Received SIGTERM, sending ACPI shutdown signal...
❯ Received SIGTERM while already shutting down...
❯ Shutdown completed!
```
Screenshots (optional)
No response
You have these errors in your log:
ls: cannot open directory '/shared': Permission denied
chmod: changing permissions of '/shared': Permission denied
samba.sh: line 50: /shared/readme.txt: Permission denied
So there is a problem with your - ${HOME}/guests folder. Please create another one with more relaxed permissions.
@kroese that's another issue, ignore that. My main problem is that my home dir is exposed to the container even though I didn't choose to.
I don't know what you mean exactly... in what way exposed?
See this screenshot, my entire home dir is exposed to the container.
The computer \\tsclient is provided by your Remote Desktop client, not by this container. It's a setting in the client (that you can also disable I believe).
You can easily verify this by opening the web interface (NoVNC) on port 8006 and there will be no \\tsclient at all.
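
The check below is an added example, not part of the issue thread or of the dockur/windows project: it scans an RDP client configuration for drive redirection, the client-side setting that produces `\\tsclient` shares, and reports whether a redirected path covers the whole home directory. It assumes the client is FreeRDP (`/drive:<name>,<path>`, `+home-drive`, `+drives`) or one that reads an .rdp file (`drivestoredirect`); the function names and sample inputs are constructed for illustration.

```python
import os
import shlex

def covers(path, target):
    """True when `target` is `path` itself or lies below it."""
    if not os.path.isabs(path):
        return False
    path, target = os.path.normpath(path), os.path.normpath(target)
    return os.path.commonpath([path, target]) == path

def freerdp_exposures(cmdline, home):
    """Return (flag, host_path, exposes_whole_home) for each drive redirection."""
    found = []
    for arg in shlex.split(cmdline)[1:]:
        if arg == "+home-drive":          # redirects the user's home directory
            path = home
        elif arg == "+drives":            # redirects every mount point
            path = "/"
        elif arg.startswith("/drive:"):   # /drive:<name>,<path>
            path = arg[len("/drive:"):].partition(",")[2]
            path = path.replace("${HOME}", home).replace("$HOME", home)
        else:
            continue
        found.append((arg, path, covers(path, home)))
    return found

def rdp_file_exposures(text):
    """Return the drivestoredirect value of an .rdp file, or None if unset or empty."""
    for line in text.splitlines():
        key, _, rest = line.strip().partition(":")
        if key.lower() == "drivestoredirect":
            value = rest.partition(":")[2].strip()   # drop the "s" type tag
            return value or None
    return None

# Constructed sample inputs (assumptions, not taken from the issue).
SAMPLE_CMD = "xfreerdp /v:127.0.0.1 /u:user /drive:home,$HOME /drive:guests,$HOME/guests"
SAMPLE_RDP = "full address:s:127.0.0.1\ndrivestoredirect:s:*\n"

if __name__ == "__main__":
    for flag, path, whole in freerdp_exposures(SAMPLE_CMD, "/home/alice"):
        print(f"{flag:30} -> {path}  whole home exposed: {whole}")
    print("drivestoredirect =", rdp_file_exposures(SAMPLE_RDP))
```

A `True` in the third field means the client, not the container's `volumes:` list, is publishing the entire home directory to the guest; narrowing the redirection to a subdirectory such as the `guests` folder removes that exposure.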