starred/healthchecks
1
0
Fork 0
mirror of https://github.com/healthchecks/healthchecks.git synced 2026-04-26 07:25:51 +03:00
Code Issues 56 Projects Releases 10 Packages Wiki Activity

[GH-ISSUE #769] Possible permission error with opening /opt/healthchecks/docker/uwsgi.ini after building image and launching the container #538

New issue
Closed
opened 2026-02-25 23:42:48 +03:00 by kerem · 2 comments
kerem commented 2026-02-25 23:42:48 +03:00
Owner
Copy link

Originally created by @Klionheart on GitHub (Dec 26, 2022).
Original GitHub issue: https://github.com/healthchecks/healthchecks/issues/769

On some (particularly security-conscious?) machines, after the repository is cloned, files and directories in the local copy can end up with 700/600 permissions. In my case it was a Synology system with "0077" umask forcing the permissions to be like this:

ll healthchecks/
total 268
drwx------ 1 root root 264 Dec 26 11:51 .
drwx------ 1 root root 24 Dec 26 11:50 ..
-rw------- 1 root root 24634 Dec 26 11:51 CHANGELOG.md
-rw------- 1 root root 2462 Dec 26 11:51 CONTRIBUTING.md
drwx------ 1 root root 116 Dec 26 11:52 docker
drwx------ 1 root root 138 Dec 26 11:51 .git
drwx------ 1 root root 40 Dec 26 11:51 .github
-rw------- 1 root root 81 Dec 26 11:51 .gitignore
drwx------ 1 root root 190 Dec 26 11:51 hc
-rw------- 1 root root 1507 Dec 26 11:51 LICENSE
drwx------ 1 root root 16 Dec 26 11:51 locale
-rwx------ 1 root root 468 Dec 26 11:51 manage.py
-rw------- 1 root root 20283 Dec 26 11:51 README.md
-rw------- 1 root root 175 Dec 26 11:51 requirements.txt
-rw------- 1 root root 401408 Dec 26 11:51 search.db
drwx------ 1 root root 26 Dec 26 11:51 static
drwx------ 1 root root 82 Dec 26 11:51 stuff
drwx------ 1 root root 214 Dec 26 11:51 templates

As a consequence, when you build a docker image on such a system, the container directory "/opt/healthchecks/docker/" ends up with the same permissions, meaning it is not accessible by the "hs" user in the container.
So the startup command "uwsgi /opt/healthchecks/docker/uwsgi.ini" fails and the container never starts.

For a solution, the owner of the directory in the container can simply be changed to the "hs" user in the Dockerfile, for example:

RUN
rm -f /opt/healthchecks/hc/local_settings.py && \
DEBUG=False SECRET_KEY=build-key ./manage.py collectstatic --noinput && \
DEBUG=False SECRET_KEY=build-key ./manage.py compress && \
chown -R hc /opt/healthchecks

I tried the above while building my own image and it seems to be ok. The container works and the file system looks like this:

hc@b7f3a717696d:/opt/healthchecks$ ls -l
total 488
-rw------- 1 hc root 24634 Dec 26 10:51 CHANGELOG.md
-rw------- 1 hc root 2462 Dec 26 10:51 CONTRIBUTING.md
-rw------- 1 hc root 1507 Dec 26 10:51 LICENSE
-rw------- 1 hc root 20283 Dec 26 10:51 README.md
drwx------ 1 hc root 4096 Dec 26 10:52 docker
drwx------ 1 hc root 4096 Dec 26 10:52 hc
drwx------ 1 hc root 4096 Dec 26 10:51 locale
-rwx------ 1 hc root 468 Dec 26 10:51 manage.py
-rw------- 1 hc root 175 Dec 26 10:51 requirements.txt
-rw------- 1 hc root 401408 Dec 26 10:51 search.db
drwx------ 1 hc root 4096 Dec 26 10:51 static
drwxr-xr-x 8 hc root 4096 Dec 26 10:52 static-collected
drwx------ 1 hc root 4096 Dec 26 10:51 stuff
drwx------ 1 hc root 4096 Dec 26 10:51 templates

I don't believe there should be other issues with having "hc" own the healthchecks directory...in fact it does seems to make logical sense.
If you agree, the fix here should be fairly straightforward and might avoid some unexpected headaches in the future ;)

Originally created by @Klionheart on GitHub (Dec 26, 2022). Original GitHub issue: https://github.com/healthchecks/healthchecks/issues/769 On some (particularly security-conscious?) machines, after the repository is cloned, files and directories in the local copy can end up with 700/600 permissions. In my case it was a Synology system with "0077" umask forcing the permissions to be like this: > ll healthchecks/ total 268 drwx------ 1 root root 264 Dec 26 11:51 . drwx------ 1 root root 24 Dec 26 11:50 .. -rw------- 1 root root 24634 Dec 26 11:51 CHANGELOG.md -rw------- 1 root root 2462 Dec 26 11:51 CONTRIBUTING.md drwx------ 1 root root 116 Dec 26 11:52 docker drwx------ 1 root root 138 Dec 26 11:51 .git drwx------ 1 root root 40 Dec 26 11:51 .github -rw------- 1 root root 81 Dec 26 11:51 .gitignore drwx------ 1 root root 190 Dec 26 11:51 hc -rw------- 1 root root 1507 Dec 26 11:51 LICENSE drwx------ 1 root root 16 Dec 26 11:51 locale -rwx------ 1 root root 468 Dec 26 11:51 manage.py -rw------- 1 root root 20283 Dec 26 11:51 README.md -rw------- 1 root root 175 Dec 26 11:51 requirements.txt -rw------- 1 root root 401408 Dec 26 11:51 search.db drwx------ 1 root root 26 Dec 26 11:51 static drwx------ 1 root root 82 Dec 26 11:51 stuff drwx------ 1 root root 214 Dec 26 11:51 templates As a consequence, when you build a docker image on such a system, the container directory "/opt/healthchecks/docker/" ends up with the same permissions, meaning it is not accessible by the "hs" user in the container. So the startup command "uwsgi /opt/healthchecks/docker/uwsgi.ini" fails and the container never starts. For a solution, the owner of the directory in the container can simply be changed to the "hs" user in the Dockerfile, for example: > RUN \ rm -f /opt/healthchecks/hc/local_settings.py && \\ DEBUG=False SECRET_KEY=build-key ./manage.py collectstatic --noinput && \\ DEBUG=False SECRET_KEY=build-key ./manage.py compress && \\ chown -R hc /opt/healthchecks I tried the above while building my own image and it seems to be ok. The container works and the file system looks like this: > hc@b7f3a717696d:/opt/healthchecks$ ls -l total 488 -rw------- 1 hc root 24634 Dec 26 10:51 CHANGELOG.md -rw------- 1 hc root 2462 Dec 26 10:51 CONTRIBUTING.md -rw------- 1 hc root 1507 Dec 26 10:51 LICENSE -rw------- 1 hc root 20283 Dec 26 10:51 README.md drwx------ 1 hc root 4096 Dec 26 10:52 docker drwx------ 1 hc root 4096 Dec 26 10:52 hc drwx------ 1 hc root 4096 Dec 26 10:51 locale -rwx------ 1 hc root 468 Dec 26 10:51 manage.py -rw------- 1 hc root 175 Dec 26 10:51 requirements.txt -rw------- 1 hc root 401408 Dec 26 10:51 search.db drwx------ 1 hc root 4096 Dec 26 10:51 static drwxr-xr-x 8 hc root 4096 Dec 26 10:52 static-collected drwx------ 1 hc root 4096 Dec 26 10:51 stuff drwx------ 1 hc root 4096 Dec 26 10:51 templates I don't believe there should be other issues with having "hc" own the healthchecks directory...in fact it does seems to make logical sense. If you agree, the fix here should be fairly straightforward and might avoid some unexpected headaches in the future ;)
kerem closed this issue 2026-02-25 23:42:48 +03:00
kerem commented 2026-02-25 23:42:49 +03:00
Author
Owner
Copy link

@cuu508 commented on GitHub (Dec 26, 2022):

Thank you for the report.

A problem I see with the proposed solution is, the hc user would now have write access to the files. It should only have read access.

<!-- gh-comment-id:1365117502 --> @cuu508 commented on GitHub (Dec 26, 2022): Thank you for the report. A problem I see with the proposed solution is, the hc user would now have write access to the files. It should only have read access.
kerem commented 2026-02-25 23:42:49 +03:00
Author
Owner
Copy link

@cuu508 commented on GitHub (Jan 16, 2023):

  • Changing the owner (chown) would make files writable by the hc user, which is not good security-wise
  • Changing file permissions (chmod) would be problematic, as the hc user needs read permission only for some files, and read+execute permission for others
  • Perhaps a better way to fix this is to make sure git clone creates files with the correct permissions to start with. I've not tested this, but look into setting git's core.sharedRepository setting to all.
<!-- gh-comment-id:1383678210 --> @cuu508 commented on GitHub (Jan 16, 2023): * Changing the owner (`chown`) would make files writable by the hc user, which is not good security-wise * Changing file permissions (`chmod`) would be problematic, as the hc user needs read permission only for some files, and read+execute permission for others * Perhaps a better way to fix this is to make sure `git clone` creates files with the correct permissions to start with. I've not tested this, but look into setting git's [core.sharedRepository ](https://git-scm.com/docs/git-config#Documentation/git-config.txt-coresharedRepository) setting to `all`.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
py2
v4.1.1
v4.1
v4.0
v3.13
v3.12
v3.11.2
v3.11.1
v3.11
v3.10
v3.9
v3.8.2
v3.8.1
v3.8
v3.7
v3.6
v3.5.2
v3.5.1
v3.5
v3.4
v3.3
v3.2
v3.1
v3.0.1
v3.0
v2.10
v2.9.2
v2.9.1
v2.9
v2.8.1
v2.8
v2.7
v2.6.1
v2.6
v2.5
v2.4.1
v2.4
v2.3
v2.2.1
v2.2
v2.1
v2.0.1
v2.0
v1.25.0
v1.24.1
v1.24.0
v1.23.1
v1.23.0
v1.22.0
v1.21.0
v1.20.0
v1.19.0
v1.18.0
v1.17.0
v1.16.0
v1.15.0
v1.14.0
v1.13.0
v1.12.0
v1.11.0
v1.10.0
v1.9.0
v1.8.0
v1.7.0
v1.6.0
v1.5.0
v1.4.0
v1.3.0
v1.2.0
v1.1.0
v1.0.4
v1.0.3
v1.0.2
1.0.2
v1.0.1
v1.0
Labels
Clear labels   
bug

   
bug

   
bug

   
feature

   
good-first-issue

   
new integration

   
pull-request

Mirrored from GitHub Pull Request

  
question
No labels
bug
bug
bug
feature
good-first-issue
new integration
pull-request
question
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/healthchecks#538
No description provided.