Comments (6)
Hi Raphaël,
no problem in principle, but don't you think the check should be removed
altogether? It is not a very thorough one anyway, being just based on
the name (although it's harder to bypass than it looks because Odoo
shadows the PGUSER environment variable by refusing db_user not to be set).
My feeling is that one should not make assumptions on the user context.
Same goes for running as root (even though it's still a bad idea in a
Docker container, it might be acceptable in other cases, who am I to know).
Just being curious, this means you are installing inside a PG image and
not linking to it, right?
On 10/12/2015 08:39 PM, Raphaël Valyi wrote:
> Hello,
> with the new Docker rage, it's now not always an issue to connect to
> postgres with the postgres user. Official PG image provide a postgres
> user and that's not a problem if the PG server is containerized.
> So I would like to optionally be able to skip the PG user check here:
> https://github.com/anybox/anybox.recipe.odoo/blob/master/anybox/recipe/odoo/runtime/session.py#L165
> (same goes for odoo codebase but let's say it's easier to patch)
> Would it be acceptable that if the SKIP_PG_USER environment variable
> is set we skip this test? If yes I'll do a PR now...
Georges Racinet
Anybox SAS, http://anybox.fr
Téléphone: +33 6 51 32 07 27
GPG: 0x33AB0A35, sur serveurs publics
from anybox.recipe.odoo.
Hello @gracinet
so if you look at the official postgres images they have postgres as their only default user:
https://github.com/docker-library/postgres/blob/master/docker-entrypoint.sh
Yes this is the admin user, but if you use it to try to attack the PG server you will only attack your own PG server container, so in this usage context this is acceptable I think.
It's the context where I do link to a postgres container, the default pg user is still called postgres here...
As for the Odoo unix user, I agree, root should never be allowed, not even inside Docker. I'm only talking about the PG user here.
You say "make no assumption about the user context". Well if the user could alter the process env var of Odoo, certainly he could attack many well known 12-factor apps as well. I don't see anything special in Odoo that would expose it more to such attack than other apps. If Odoo was 12-factor compliant, if the user could craft the env variables he could change the admin password and download any database. So I don't see it as a special risk.
IMHO these checks are more some basic hint for the noob developer trying to install Odoo without paying attention to basic security.
So what I propose is an opt-in to skip this check.
But do you prefer that opt-in to be passed via the config file? Is it possible to pass any arbitrary param? I personally prefer the ENV var, but that's up to you.
Thoughts?
Hi Raphaël, don't worry, I'm approving what you suggest. I'm just
saying we could even go farther and remove these checks completely, as
they make little sense to me. If people want to run Odoo as root, well
that's their right isn't it?
« IMHO these checks are more some basic hint for the noob developer
trying to install Odoo without paying attention to basic security. » ->
I agree, although a newbie would really need already to make special
efforts to be in that situation.
Anyway, curious what the others would say, and I'm off for tonight
(almost 3AM here).
Cheers,
On 10/13/2015 02:42 AM, Raphaël Valyi wrote:
> Hello @gracinet https://github.com/gracinet
> so if you look at the official postgres images they have postgres as their
> only default user:
> https://github.com/docker-library/postgres/blob/master/docker-entrypoint.sh
> Yes this is the admin user, but if you use it to try to attack the PG
> server you will only attack your own PG server container, so in this
> usage context this is acceptable I think.
> It's the context where I do link to a postgres container, the default
> pg user is still called postgres here...
> As for the Odoo unix user, I agree, root should never be allowed, not
> even inside Docker. I'm only talking about the PG user here.

Yes but, in one of those hypervisors running only one process?

> You say "make no assumption about the user context". Well if the user
> could alter the process env var of Odoo, certainly he could attack
> many well known 12-factor apps as well. I don't see anything special
> in Odoo that would expose it more to such attack than other apps. If
> Odoo was 12-factor compliant, if the user could craft the env
> variables he could change the admin password and download any
> database. So I don't see it as a special risk.
> IMHO these checks are more some basic hint for the noob developer
> trying to install Odoo without paying attention to basic security.
> So what I propose is an opt-in to skip this check.
> But do you prefer that opt-in to be passed via the config file? Is it
> possible to pass any arbitrary param?

Yes it is.

> I personally prefer the ENV var, but that's up to you.

No wonder, in Docker context that's handy.

> Thoughts?
Here it is: #64
Well, I think it's acceptable to keep the test by default and skip it only as an opt-in the developer should be aware of. It's not documented, but if the dev tries the postgres user, it will break at the check and he will find out about the feature, so I propose no leaky abstraction here.
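The behaviour the thread settles on, written out as an added illustration (not the recipe's own session.py code): db_user must be set explicitly so a stray PGUSER is never honoured, connecting as the postgres superuser is refused by default, and only an explicit SKIP_PG_USER in the environment lifts the refusal. The function and exception names are assumptions.

```python
import os

# PostgreSQL roles the guard refuses by default (assumed set; the thread
# only discusses "postgres").
FORBIDDEN_PG_USERS = {"postgres"}


class PgUserCheckError(Exception):
    """Raised when Odoo must not connect with the configured PG user."""


def check_pg_user(db_user, environ=None):
    """Return the PostgreSQL user Odoo may connect as, or raise.

    db_user: value of the db_user option (None or "" when unset).
    environ: mapping standing in for os.environ (injectable for tests).
    """
    env = os.environ if environ is None else environ

    # Requiring an explicit db_user is what keeps libpq's PGUSER variable
    # from silently choosing the role: it is never consulted here.
    if not db_user:
        raise PgUserCheckError(
            "db_user must be set explicitly (PGUSER is not honoured)")

    # Opt-in: the mere presence of SKIP_PG_USER disables the name check,
    # which is the right trade-off only when the PG server is a private,
    # throw-away container.
    if db_user in FORBIDDEN_PG_USERS and "SKIP_PG_USER" not in env:
        raise PgUserCheckError(
            "refusing to connect as %r; set SKIP_PG_USER in the "
            "environment to skip this check" % db_user)
    return db_user


if __name__ == "__main__":
    # Constructed sample environments.
    print(check_pg_user("odoo", {}))
    print(check_pg_user("postgres", {"SKIP_PG_USER": "1"}))
    try:
        check_pg_user("postgres", {})
    except PgUserCheckError as exc:
        print("blocked:", exc)
```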
No objection... although I personally prefer deploying the good old way (deb+virtualenv) with SaltStack in an LXC container, so I'm not affected by this issue.
So I made the change I explained previously and documented it.