On Mon, Feb 14, 2022 at 6:37 PM Erik Sjölund <erik.sjolund@gmail.com> wrote:
Hi Daniel, Thanks for the feedback.
On Thu, Feb 10, 2022 at 4:40 AM Daniel Black <daniel@mariadb.org> wrote:
There are some really powerful concepts with unix_socket auth across into the container if you get the uid mapping: try to map the local %u (uid - %U) to the mysql(999) user (or another user and start the container with --user). You'll probably need to add a user to the container. With that you'll have a unix socket auth based mechanism in the container directly. Also the current container entrypoint avoids creating unix socket auth users (until very recently in a limited way https://github.com/MariaDB/mariadb-docker/pull/409). Maybe it's too fiddly however to get right.
Nice!
I've recently submitted a PR https://github.com/containers/podman/pull/13084/files to the Podman project that adds two troubleshooting tips regarding UID/GID mapping. They describe how to run the container with a non-root user inside the container but mapped to the regular UID/GID on the host.
Nice read. Thanks. The implied user but defaulting to root nature of the mariadb container with gosu took a bit to get used to. Some sane mapping rules help, thanks.
As the PR has not yet been approved,
Now approved I see.
I had an idea regarding "unix_socket authentication": Permissions could be granted to specific Unix sockets by using FileDescriptorName
Interesting. The "extra" is used as an FDName for extra sockets, but it's a generally unexplored space.
If the permissions are given to a specific Unix socket, a sysadmin could create multiple Unix sockets with different levels of permissions. There would be no need to rely on
"calling the getsockopt system call with the SO_PEERCRED socket option, which allows it to retrieve the uid of the process that is connected to the socket." quote from https://mariadb.com/kb/en/authentication-plugin-unix-socket/#is-it-secure
If you've got a good general use case, write a https://jira.mariadb.org task.
A sysadmin could instead protect the Unix socket from unauthorized access by using normal file and directory permissions.
MySQL's implementation also extends by using the "AS ..." syntax to extend coverage to one other user. https://dev.mysql.com/doc/refman/8.0/en/socket-pluggable-authentication.html...
If conmon acts as a true passthrough maybe the same option is needed. I guess try with some invalid configuration.
Seems there are some conmon aspects I need to understand more.
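As an added illustration of the mechanism discussed in this thread (not code from the thread, MariaDB or Podman), the following Python, assumed to run on Linux, performs the same check the unix_socket plugin does: read the peer uid with SO_PEERCRED, map it to a passwd name, and compare it with the account name or the name from an "AS ..." clause; the socket lives in a 0700 directory as the plain file-permission guard the thread proposes. Names such as run_demo and unix_socket_auth are my own.

```python
import os, pwd, socket, struct, tempfile, threading

UCRED = "3i"  # Linux struct ucred: pid_t pid; uid_t uid; gid_t gid

def peer_uid(conn):
    """uid at the other end of a connected AF_UNIX socket (the SO_PEERCRED lookup)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(UCRED))
    return struct.unpack(UCRED, raw)[1]

def os_user_name(uid):
    """Map uid to its passwd name; None when there is no entry (auth then fails)."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None

def current_os_user(): return os_user_name(os.getuid())

def unix_socket_auth(conn, account, auth_string=None):
    """Plugin decision: the peer's OS user name must equal the DB account name,
    or the OS user named in the account's 'AS <os_user>' clause when one is set."""
    name = os_user_name(peer_uid(conn))
    return name is not None and name == (auth_string or account)

def run_demo(account, auth_string=None):
    """Constructed run: server in a 0700 dir, one in-process client, returns the verdict."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o700)  # only this uid can traverse to the socket path at all
        path = os.path.join(d, "mariadb.sock")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
        srv.listen(1)
        def client():
            with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
                c.connect(path)
                c.recv(1)  # block until the server has finished checking us
        t = threading.Thread(target=client)
        t.start()
        conn, _ = srv.accept()
        with conn:
            verdict = unix_socket_auth(conn, account, auth_string)
            conn.sendall(b"k")
        t.join()
        srv.close()
        return verdict

if __name__ == "__main__":
    me = current_os_user()
    print("same name:", run_demo(me), "| 'app' AS me:", run_demo("app", me), "| 'mysql':", run_demo("mysql"))
```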