>= 20.11 wrong owner of /etc/clickhouse-server/  #18927

@filimonov

mfilimonov@laptop-5591:~/workspace/altinity/docker$ docker run -it --rm yandex/clickhouse-server:20.10 bash 
root@bc569367e840:/# ls -la /etc/clickhouse-server/
total 60
drwxr-xr-x 1 root root  4096 Dec 24 00:23 .
drwxr-xr-x 1 root root  4096 Jan 11 11:57 ..
drwxr-xr-x 1 root root  4096 Dec 24 00:23 config.d
-rw-r--r-- 1 root root 35884 Dec 23 14:13 config.xml
lrwxrwxrwx 1 root root    41 Dec 24 00:23 preprocessed -> /var/lib/clickhouse//preprocessed_configs
drwxr-xr-x 2 root root  4096 Dec 24 00:23 users.d
-rw-r--r-- 1 root root  5587 Dec 23 14:13 users.xml
root@bc569367e840:/# exit
exit
mfilimonov@laptop-5591:~/workspace/altinity/docker$ docker run -it --rm yandex/clickhouse-server:20.11 bash 
root@a70e26b70ead:/# ls -la /etc/clickhouse-server/
total 64
drwx------ 1 clickhouse clickhouse  4096 Dec 23 22:25 .
drwxr-xr-x 1 root       root        4096 Jan 11 11:57 ..
dr-x------ 1 clickhouse clickhouse  4096 Dec 23 22:26 config.d
-r-------- 1 clickhouse clickhouse 38407 Dec 23 14:13 config.xml
dr-x------ 2 clickhouse clickhouse  4096 Dec 23 22:25 users.d
-r-------- 1 clickhouse clickhouse  5587 Dec 23 14:13 users.xml

That is not secure (the clickhouse process can modify its own config), and that prevents using clickhouse in non-root containers.

docker run --user 12345:12345 yandex/clickhouse-server:20.11
std::exception. Code: 1001, type: std::__1::__fs::filesystem::filesystem_error, e.what() = filesystem error: in posix_stat: failed to determine attributes for the specified path: Permission denied [/etc/clickhouse-server/config.xml] (version 20.11.6.6 (official build))
std::exception. Code: 1001, type: std::__1::__fs::filesystem::filesystem_error, e.what() = filesystem error: in posix_stat: failed to determine attributes for the specified path: Permission denied [/etc/clickhouse-server/config.xml] (version 20.11.6.6 (official build))
std::exception. Code: 1001, type: std::__1::__fs::filesystem::filesystem_error, e.what() = filesystem error: in posix_stat: failed to determine attributes for the specified path: Permission denied [/etc/clickhouse-server/config.xml] (version 20.11.6.6 (official build))
std::exception. Code: 1001, type: std::__1::__fs::filesystem::filesystem_error, e.what() = filesystem error: in posix_stat: failed to determine attributes for the specified path: Permission denied [/etc/clickhouse-server/config.xml] (version 20.11.6.6 (official build))
std::exception. Code: 1001, type: std::__1::__fs::filesystem::filesystem_error, e.what() = filesystem error: in posix_stat: failed to determine attributes for the specified path: Permission denied [/etc/clickhouse-server/config.xml] (version 20.11.6.6 (official build))
dirname: missing operand
Try 'dirname --help' for more information.
std::exception. Code: 1001, type: std::__1::__fs::filesystem::filesystem_error, e.what() = filesystem error: in posix_stat: failed to determine attributes for the specified path: Permission denied [/etc/clickhouse-server/config.xml] (version 20.11.6.6 (official build))
dirname: missing operand
Try 'dirname --help' for more information.
std::exception. Code: 1001, type: std::__1::__fs::filesystem::filesystem_error, e.what() = filesystem error: in posix_stat: failed to determine attributes for the specified path: Permission denied [/etc/clickhouse-server/config.xml] (version 20.11.6.6 (official build))
Processing configuration file '/etc/clickhouse-server/config.xml'.
std::exception. Code: 1001, type: std::__1::__fs::filesystem::filesystem_error, e.what() = filesystem error: in posix_stat: failed to determine attributes for the specified path: Permission denied [/etc/clickhouse-server/config.xml], Stack trace (when copying this message, always include the lines below):

0. std::__1::system_error::system_error(std::__1::error_code, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) @ 0x11bbdb23 in ?
1. ? @ 0x11b596b4 in ?
2. ? @ 0x11b59346 in ?
3. ? @ 0x11b641a5 in ?
4. DB::ConfigProcessor::processConfig(bool*, zkutil::ZooKeeperNodeCache*, std::__1::shared_ptr<Poco::Event> const&) @ 0xe537339 in /usr/bin/clickhouse
5. DB::ConfigProcessor::loadConfig(bool) @ 0xe53de74 in /usr/bin/clickhouse
6. BaseDaemon::reloadConfiguration() @ 0x7c6ec81 in /usr/bin/clickhouse
7. BaseDaemon::initialize(Poco::Util::Application&) @ 0x7c70ec5 in /usr/bin/clickhouse
8. DB::Server::initialize(Poco::Util::Application&) @ 0x7b44b30 in /usr/bin/clickhouse
9. Poco::Util::Application::run() @ 0x10a4aba6 in /usr/bin/clickhouse
10. DB::Server::run() @ 0x7b4498f in /usr/bin/clickhouse
11. mainEntryClickHouseServer(int, char**) @ 0x7b4430b in /usr/bin/clickhouse
12. main @ 0x7ae7cbd in /usr/bin/clickhouse
13. __libc_start_main @ 0x270b3 in /usr/lib/x86_64-linux-gnu/libc-2.31.so
14. _start @ 0x7a9802e in /usr/bin/clickhouse
 (version 20.11.6.6 (official build))
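The two directory listings in this report, turned into an audit check (an added example, not part of the original issue and not ClickHouse project code). It assumes GNU `stat`; the function names, the finding labels and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not ClickHouse project code. Assumes GNU stat (-c).

# audit_config_tree DIR SERVICE_UID
# Prints one finding per line; prints nothing when the tree passes.
audit_config_tree() {
    find "$1" \( -type f -o -type d \) -print | while IFS= read -r act_path; do
        act_uid=$(stat -c %u "$act_path")
        act_mode=$(stat -c %a "$act_path")
        act_other=${act_mode#"${act_mode%?}"}   # last octal digit = "other" bits
        # The owner can chmod and rewrite its own files, whatever the mode says.
        if [ "$act_uid" = "$2" ]; then
            echo "owned-by-service $act_path"
        fi
        # Writable by every UID, the service's included.
        if [ $((act_other & 2)) -ne 0 ]; then
            echo "world-writable $act_path"
        fi
        # An arbitrary --user UID is "other": r on files, r-x on directories.
        act_need=4
        if [ -d "$act_path" ]; then act_need=5; fi
        if [ $((act_other & act_need)) -ne "$act_need" ]; then
            echo "unreadable-for-other-uid $act_path"
        fi
    done
    return 0
}

# make_sample_tree DIR_MODE FILE_MODE: constructed tree, prints its path.
# Modes come from the listings above; the owner is whoever runs the script.
make_sample_tree() {
    mst_dir=$(mktemp -d)
    mkdir "$mst_dir/config.d"
    : > "$mst_dir/config.xml"
    : > "$mst_dir/users.xml"
    chmod "$2" "$mst_dir/config.xml" "$mst_dir/users.xml"
    chmod "$1" "$mst_dir/config.d" "$mst_dir"
    echo "$mst_dir"
}

# Demo: 20.11-style modes, audited for the current UID as the service UID.
demo_tree=$(make_sample_tree 700 400)
audit_config_tree "$demo_tree" "$(id -u)"
rm -rf "$demo_tree"
```

A tree with the 20.10 modes (755 directories, 644 files) and an owner other than the service UID produces no findings.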
