MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-05-21 09:33:50 -04:00
Code Issues Packages Projects Releases Wiki Activity

fix: support dropping privileges with arbitrary users (#18386)

Browse Source 
fixes #18380
This commit is contained in:
Harshavardhana 2023-11-03 14:18:18 -07:00 committed by GitHub
parent da95a2d13f
commit 3c2e1a87e2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 22 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
.github/workflows/mint/minio-compress-encrypt.yaml vendored
View File

@ -16,10 +16,10 @@ x-minio-common: &minio-common
MINIO_COMPRESSION_ALLOW_ENCRYPTION: "on" MINIO_COMPRESSION_ALLOW_ENCRYPTION: "on"
MINIO_KMS_SECRET_KEY: "my-minio-key:OSMM+vkKUTCvQs9YL/CVMIMt43HFhkUpqJxTmGl6rYw=" MINIO_KMS_SECRET_KEY: "my-minio-key:OSMM+vkKUTCvQs9YL/CVMIMt43HFhkUpqJxTmGl6rYw="
healthcheck: healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"] test: ["CMD", "mc", "ready", "local"]
interval: 30s interval: 5s
timeout: 20s timeout: 5s
retries: 3 retries: 5
# starts 4 docker containers running minio server instances. # starts 4 docker containers running minio server instances.
# using nginx reverse proxy, load balancing, you can access # using nginx reverse proxy, load balancing, you can access

8
.github/workflows/mint/minio-erasure.yaml vendored
View File

@ -13,10 +13,10 @@ x-minio-common: &minio-common
MINIO_ROOT_PASSWORD: "minio123" MINIO_ROOT_PASSWORD: "minio123"
MINIO_KMS_SECRET_KEY: "my-minio-key:OSMM+vkKUTCvQs9YL/CVMIMt43HFhkUpqJxTmGl6rYw=" MINIO_KMS_SECRET_KEY: "my-minio-key:OSMM+vkKUTCvQs9YL/CVMIMt43HFhkUpqJxTmGl6rYw="
healthcheck: healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"] test: ["CMD", "mc", "ready", "local"]
interval: 30s interval: 5s
timeout: 20s timeout: 5s
retries: 3 retries: 5
# starts 4 docker containers running minio server instances. # starts 4 docker containers running minio server instances.
# using nginx reverse proxy, load balancing, you can access # using nginx reverse proxy, load balancing, you can access

8
.github/workflows/mint/minio-pools.yaml vendored
View File

@ -13,10 +13,10 @@ x-minio-common: &minio-common
MINIO_ROOT_PASSWORD: "minio123" MINIO_ROOT_PASSWORD: "minio123"
MINIO_KMS_SECRET_KEY: "my-minio-key:OSMM+vkKUTCvQs9YL/CVMIMt43HFhkUpqJxTmGl6rYw=" MINIO_KMS_SECRET_KEY: "my-minio-key:OSMM+vkKUTCvQs9YL/CVMIMt43HFhkUpqJxTmGl6rYw="
healthcheck: healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"] test: ["CMD", "mc", "ready", "local"]
interval: 30s interval: 5s
timeout: 20s timeout: 5s
retries: 3 retries: 5
# starts 4 docker containers running minio server instances. # starts 4 docker containers running minio server instances.
# using nginx reverse proxy, load balancing, you can access # using nginx reverse proxy, load balancing, you can access

1
.gitignore vendored
View File

@ -42,3 +42,4 @@ docs/debugging/healing-bin/healing-bin
docs/debugging/inspect/inspect docs/debugging/inspect/inspect
docs/debugging/pprofgoparser/pprofgoparser docs/debugging/pprofgoparser/pprofgoparser
docs/debugging/reorder-disks/reorder-disks docs/debugging/reorder-disks/reorder-disks
docs/debugging/populate-hard-links/populate-hardlinks

5
buildscripts/upgrade-tests/compose.yml
View File

@ -9,11 +9,6 @@ x-minio-common: &minio-common
expose: expose:
- "9000" - "9000"
- "9001" - "9001"
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
interval: 30s
timeout: 20s
retries: 3
# starts 4 docker containers running minio server instances. # starts 4 docker containers running minio server instances.
# using nginx reverse proxy, load balancing, you can access # using nginx reverse proxy, load balancing, you can access

13
dockerscripts/docker-entrypoint.sh
View File

@ -8,22 +8,19 @@ if [ "${1}" != "minio" ]; then
fi fi
fi fi
# su-exec to requested user, if service cannot run exec will fail.
docker_switch_user() { docker_switch_user() {
if [ -n "${MINIO_USERNAME}" ] && [ -n "${MINIO_GROUPNAME}" ]; then if [ -n "${MINIO_USERNAME}" ] && [ -n "${MINIO_GROUPNAME}" ]; then
if [ -n "${MINIO_UID}" ] && [ -n "${MINIO_GID}" ]; then if [ -n "${MINIO_UID}" ] && [ -n "${MINIO_GID}" ]; then
groupadd -f -g "$MINIO_GID" "$MINIO_GROUPNAME" && chroot --userspec=${MINIO_UID}:${MINIO_GID} / "$@"
useradd -u "$MINIO_UID" -g "$MINIO_GROUPNAME" "$MINIO_USERNAME"
else else
groupadd -f "$MINIO_GROUPNAME" && echo "${MINIO_USERNAME}:x:1000:1000:${MINIO_USERNAME}:/:/sbin/nologin" >>/etc/passwd
useradd -g "$MINIO_GROUPNAME" "$MINIO_USERNAME" echo "${MINIO_GROUPNAME}:x:1000" >>/etc/group
chroot --userspec=${MINIO_USERNAME}:${MINIO_GROUPNAME} / "$@"
fi fi
exec setpriv --reuid="${MINIO_USERNAME}" \
--regid="${MINIO_GROUPNAME}" --keep-groups "$@"
else else
exec "$@" exec "$@"
fi fi
} }
## Switch to user if applicable. ## DEPRECATED and unsupported - switch to user if applicable.
docker_switch_user "$@" docker_switch_user "$@"

8
docs/orchestration/docker-compose/docker-compose.yaml
View File

@ -11,10 +11,10 @@ x-minio-common: &minio-common
# MINIO_ROOT_USER: minioadmin # MINIO_ROOT_USER: minioadmin
# MINIO_ROOT_PASSWORD: minioadmin # MINIO_ROOT_PASSWORD: minioadmin
healthcheck: healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"] test: ["CMD", "mc", "ready", "local"]
interval: 30s interval: 5s
timeout: 20s timeout: 5s
retries: 3 retries: 5
# starts 4 docker containers running minio server instances. # starts 4 docker containers running minio server instances.
# using nginx reverse proxy, load balancing, you can access # using nginx reverse proxy, load balancing, you can access