
Comments (9)

psiinon commented on May 29, 2024

I’m sorry that you have become frustrated using Docker. We get frustrated by it too sometimes, but it's a 3rd party product that our users expect us to support.

Not all of us are experts in docker or have unlimited time & inclination to debug every possible problem, when running a simple test.

We are not Docker experts either.
We released the Docker images back in 2015 (I think) based on a contributor PR.
Quite a few issues have been reported on them and the majority have been fixed: https://github.com/zaproxy/zaproxy/issues?q=label%3ADocker+is%3Aclosed
Despite these issues the ZAP docker images are heavily used.

I don't want to use this crappy ZAP, but unfortunately I have to, because of 3rd party requirements.

We are a small underfunded team who maintain the world’s most popular web scanner.
We do not currently get any funding from Google.

Thank you for your solution, we will have a look at it and see if any parts of it can be used to make our Docker images more useful.

from zaproxy.

kingthorin commented on May 29, 2024

Please don't ask questions as issues - the ZAP User Group is a much better place for usage questions.


kingthorin commented on May 29, 2024

We look forward to your solution.


michalkkkd commented on May 29, 2024

My title reads "ZAP has been dumped & forced on me" not "IT Sec guy, https://github.com/zaproxy co-lead, https://github.com/OWASP WSTG co-lead, https://github.com/OWASP VWAD co-lead, Hac≺3r, supporter of oxford commas, #INTJ."


michalkkkd commented on May 29, 2024

Great, closing legitimate BUG. Awesome.


kingthorin commented on May 29, 2024

What's the bug? All I see are complaints and a vague description that you can't get something working. That's what the User Group is for.

Edit: You didn't even manage to provide the details quite plainly and clearly requested in the issue template.


michalkkkd commented on May 29, 2024

Solution, which worked for me

  1. The problem is, mounted directory $(pwd) inside docker container has user id and group id from host, and it does not match hardcoded 1000:1000 inside the container

  2. More information about this docker problem can be found here: https://stackoverflow.com/questions/39397548/how-to-give-non-root-user-in-docker-container-access-to-a-volume-mounted-on-the

  3. To see the problem:

    a) Run docker image, without executing command for ZAP
    docker run -p 8080:8080 -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable

    b) Check id of running container
    docker ps -a

    c) Go into container & list files/dirs
    docker exec -it CONTAINER_ID /bin/bash

    zap@container:/zap$ ls -l


    drwxr-xr-x 1 zap zap 4096 Dec 19 00:54 webswing
    drwxrws--- 7 root www-data 4096 Dec 19 00:57 wrk
    drwxr-xr-x 2 zap zap 4096 Jan 2 1970 xml


  4. There are probably a few fixes possible for this, but I chose to match user id & group id on host to the hardcoded 1000:1000

  5. All below should be done on host. Check if you have a user/group which already uses number 1000
    cat /etc/passwd | grep :1000
    If there is already a user with this id, change ids to different using https://www.cyberciti.biz/faq/linux-change-user-group-uid-gid-for-all-owned-files/

  6. On host, create a zap user
    useradd -u 1000 -m -s /bin/bash zap

  7. On host, in my case I had all files (context/config) in directory /var/zap_docker/, so:
    chown 1000:1000 /var/zap_docker/ -R

  8. Now go to directory & run docker
    cd /var/zap_docker
    docker run -p 8080:8080 -v $(pwd):/zap/wrk/:rw -u 1000:1000 -t owasp/zap2docker-stable zap-full-scan.py -t https://example.com -P 8080 -c zap-casa-config.conf -x results-full.xml -n app.context

  9. Works!

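The steps above boil down to one condition: the bind-mounted work directory must be owned by the uid:gid the container process runs as. The following pre-flight script checks that condition on the host before `docker run`, and also answers step 5 (is uid 1000 already taken in /etc/passwd?) without editing anything. It is an added example, not code from the zaproxy project or from the commenter; it assumes a Linux host with GNU coreutils `stat`, and the 1000:1000 value comes from the thread, not from inspecting the image.

```shell
#!/bin/sh
# Pre-flight check before bind-mounting a directory into the ZAP container.
# Added example (not part of zaproxy). Assumes GNU stat (Linux host), POSIX sh.

ZAP_UID=1000   # uid/gid the image's "zap" user uses, as stated in the thread
ZAP_GID=1000

# owner_ids DIR -> prints "uid:gid" of DIR's owner
owner_ids() {
    stat -c '%u:%g' "$1"
}

# ownership_matches DIR UID GID -> exit 0 if DIR is owned by UID:GID, else 1
ownership_matches() {
    [ "$(owner_ids "$1")" = "$2:$3" ]
}

# uid_taken_in PASSWD_FILE UID -> prints the user name holding UID and exits 0,
# or exits 1 if no entry has that uid. Takes the file as an argument so it can be
# run against a copy or a constructed sample as well as /etc/passwd.
uid_taken_in() {
    awk -F: -v uid="$2" '$3 == uid { print $1; found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# docker_user_flag DIR -> prints a "-u uid:gid" flag matching DIR's owner.
# This is the alternative fix (adapt the container user to the host directory
# instead of chown-ing the directory to 1000:1000). Caveat: the image's own
# files under /zap are owned by zap:zap (uid 1000), so a different uid may not
# be able to write ZAP's home; the chown route from the thread avoids that.
docker_user_flag() {
    printf '%s %s\n' -u "$(owner_ids "$1")"
}

# preflight DIR -> exit 0 if DIR is safe to mount with -u 1000:1000,
# otherwise print the mismatch and the two candidate fixes, exit 1.
preflight() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 1
    fi
    if ! ownership_matches "$dir" "$ZAP_UID" "$ZAP_GID"; then
        echo "$dir is owned by $(owner_ids "$dir") but the container runs as $ZAP_UID:$ZAP_GID" >&2
        echo "fix A: chown -R $ZAP_UID:$ZAP_GID $dir" >&2
        echo "fix B: docker run ... $(docker_user_flag "$dir") ..." >&2
        return 1
    fi
    if holder=$(uid_taken_in /etc/passwd "$ZAP_UID"); then
        echo "note: uid $ZAP_UID on this host belongs to '$holder'; files ZAP writes will be theirs" >&2
    fi
    return 0
}

# Stand-alone use: ./preflight.sh /var/zap_docker
[ -n "$1" ] && preflight "$1"
```

Run it against the directory you intend to pass as `-v $(pwd):/zap/wrk/:rw`; a non-zero exit with the "owned by" message is exactly the `drwxrws--- root www-data` situation shown in the `ls -l` output above, seen from the host side before the container ever starts.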

michalkkkd commented on May 29, 2024

@psiinon , thank you for that comment!
Unfortunately I can't agree with your statement regarding Docker support, especially considering the statement on your website (https://www.zaproxy.org/getting-started/):
"ZAP is an ideal tool to use in automation and supports a range of options," including Docker Packaged Scans.
It appears there might be inconsistency or oversight on this page. Additionally, you have a dedicated section for Docker documentation at https://www.zaproxy.org/docs/docker/.

My frustration stems from several issues:

  1. Contrary to the core security principle of Least Privilege, the suggested solution for permission issues in many GitHub threads is simply "run as root."

  2. The use of the same error message (ApiException.Type.BAD_EXTERNAL_DATA) for different scenarios is confusing. For instance:

    A)
        try {
            scanPolicy = new ScanPolicy(new ZapXmlConfiguration(file));
        } catch (IllegalArgumentException | ConfigurationException e) {
            throw new ApiException(ApiException.Type.BAD_EXTERNAL_DATA, file.toString(), e);
        }

    B)
        try {
            context = Model.getSingleton().getSession().importContext(f);
        } catch (IllegalContextNameException e) {
            throw new ApiException(ApiException.Type.BAD_EXTERNAL_DATA, e);
        }

  3. The use of the -n flag for zap-full-scan to load a context file doesn't update the context config if the name remains unchanged, with no clear message or information in --help.

  4. There are precisely 81 issues marked with "questions as issues" on GitHub, where most are related to bugs or problems rather than genuine questions (https://github.com/search?q=repo%3Azaproxy%2Fzaproxy+%22questions+as+issues%22&type=issues).

  5. Numerous closed issues lack assistance, contain additional unanswered community questions, or provide advice like creating "/zap/wrk/test.txt" without clear resolution.

  6. Many IT professionals assert that if a program cannot run successfully in basic mode quickly, it is not worth the time and trouble. This sentiment applies to running ZAP in Docker and ZAP Desktop.

  7. Despite the implementation of numerous edge case functionalities, fundamental features seem neglected, giving the impression that developers prioritize novelty over addressing essential issues.

  8. Most online video tutorials focus on simple localhost websites, lacking real-life examples for actual web applications.

  9. The ZAP Desktop's user experience and logic are described as a horror, warranting a complete rewrite.

  10. Difficulty finding logging features in the Desktop UI hinders users from monitoring program activities and correcting configurations.

  11. It's unclear which specific ZAP component is responsible, but there appears to be a lack of parameter checks for Docker-run instances, leading to raw errors without informative feedback.

  12. The tutorial includes an impractical feature requiring users to find coded numbers, some of which may not work. Fortunately, an option to skip this was eventually discovered.

Regarding funding, while acknowledging the lack of financial support for open-source security tools, it might be worth reconsidering the possibility of offering paid plans, solutions, or services if the open-source version proves successful. The impressive statistic of 78,402,829 active scans in November shows that at least some % of the user base would be interested in helping out the project.

psiinon commented on May 29, 2024

These are exactly the sort of things we want to discuss in the ZAP User Group, NOT in a closed issue.
