From 49b00fc48a1a919a2749fcd3d6db730ec97951dc Mon Sep 17 00:00:00 2001 From: Michael Parker Date: Sat, 12 Aug 2023 17:26:23 -0400 Subject: [PATCH 1/5] resolve issues with missing user in containers This change resolves an issue in container where the user id is not found. This will create a passwd file with a single line that is for the container user using the uid and gid of the pterodactyl user. As an added security benefit this would also stop users being able to just use `/bin/bash` as it sets the users terminal to nologin by default and is configurable example passwd file contents `container:x:999:999::/home/container:/usr/sbin/nologin` --- config/config.go | 20 ++++++++++++++++++++ server/mounts.go | 6 ++++++ 2 files changed, 26 insertions(+) diff --git a/config/config.go b/config/config.go index 4c65bf7..afc1564 100644 --- a/config/config.go +++ b/config/config.go @@ -168,6 +168,8 @@ type SystemConfiguration struct { Uid int `yaml:"uid"` Gid int `yaml:"gid"` + + Login bool `yaml:"login"` } `yaml:"user"` // The amount of time in seconds that can elapse before a server's disk space calculation is @@ -526,6 +528,24 @@ func ConfigureDirectories() error { return err } + log.WithField("filepath", "/etc/pterodactyl//passwd").Debug("ensuring passwd file exists") + if passwd, err := os.Create("/etc/pterodactyl/passwd"); err != nil { + return err + } else { + shell := "/usr/sbin/nologin" + if _config.System.User.Login { + shell = "/bin/sh" + } + + // the WriteFile method returns an error if unsuccessful + err := os.WriteFile(passwd.Name(), []byte(fmt.Sprintf("container:x:%d:%d::/home/container:%s", _config.System.User.Uid, _config.System.User.Gid, shell)), 0777) + // handle this error + if err != nil { + // print it out + fmt.Println(err) + } + } + // There are a non-trivial number of users out there whose data directories are actually a // symlink to another location on the disk. If we do not resolve that final destination at this // point things will appear to work, but endless errors will be encountered when we try to diff --git a/server/mounts.go b/server/mounts.go index 97c8094..077a9bb 100644 --- a/server/mounts.go +++ b/server/mounts.go @@ -27,6 +27,12 @@ func (s *Server) Mounts() []environment.Mount { Source: s.Filesystem().Path(), ReadOnly: false, }, + { + Default: true, + Target: "/etc/passwd", + Source: "/etc/pterodactyl/passwd", + ReadOnly: true, + }, } // Also include any of this server's custom mounts when returning them. From cc0dca4c84b6bb616ea96b188227eb814f335985 Mon Sep 17 00:00:00 2001 From: "Michael (Parker) Parker" Date: Thu, 21 Sep 2023 08:34:46 -0400 Subject: [PATCH 2/5] Update config/config.go Co-authored-by: heckler <30584261+hackles@users.noreply.github.com> --- config/config.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/config.go b/config/config.go index afc1564..a3df219 100644 --- a/config/config.go +++ b/config/config.go @@ -528,7 +528,7 @@ func ConfigureDirectories() error { return err } - log.WithField("filepath", "/etc/pterodactyl//passwd").Debug("ensuring passwd file exists") + log.WithField("filepath", "/etc/pterodactyl/passwd").Debug("ensuring passwd file exists") if passwd, err := os.Create("/etc/pterodactyl/passwd"); err != nil { return err } else { From 752b779d1f8e2c768144a94f5bb1506ebf7f95c7 Mon Sep 17 00:00:00 2001 From: "Michael (Parker) Parker" Date: Mon, 18 Dec 2023 14:25:48 -0500 Subject: [PATCH 3/5] update to make passwd file toggle-able --- config/config.go | 11 ++++------- server/mounts.go | 10 ++++++++-- 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/config/config.go b/config/config.go index a3df219..2493c7b 100644 --- a/config/config.go +++ b/config/config.go @@ -169,7 +169,9 @@ type SystemConfiguration struct { Uid int `yaml:"uid"` Gid int `yaml:"gid"` - Login bool `yaml:"login"` + // Passwd controls weather a passwd file is mounted in the container + // at /etc/passwd to resolve missing user issues + Passwd bool `json:"mount_passwd" yaml:"mount_passwd" default:"true"` } `yaml:"user"` // The amount of time in seconds that can elapse before a server's disk space calculation is @@ -532,13 +534,8 @@ func ConfigureDirectories() error { if passwd, err := os.Create("/etc/pterodactyl/passwd"); err != nil { return err } else { - shell := "/usr/sbin/nologin" - if _config.System.User.Login { - shell = "/bin/sh" - } - // the WriteFile method returns an error if unsuccessful - err := os.WriteFile(passwd.Name(), []byte(fmt.Sprintf("container:x:%d:%d::/home/container:%s", _config.System.User.Uid, _config.System.User.Gid, shell)), 0777) + err := os.WriteFile(passwd.Name(), []byte(fmt.Sprintf("container:x:%d:%d::/home/container:/usr/sbin/nologin", _config.System.User.Uid, _config.System.User.Gid)), 0755) // handle this error if err != nil { // print it out diff --git a/server/mounts.go b/server/mounts.go index 077a9bb..1b750e7 100644 --- a/server/mounts.go +++ b/server/mounts.go @@ -27,12 +27,18 @@ func (s *Server) Mounts() []environment.Mount { Source: s.Filesystem().Path(), ReadOnly: false, }, - { + } + + // Mount passwd file if set to true + if config.Get().System.User.Passwd { + passwdMount := environment.Mount{ Default: true, Target: "/etc/passwd", Source: "/etc/pterodactyl/passwd", ReadOnly: true, - }, + } + + m = append(m, passwdMount) } // Also include any of this server's custom mounts when returning them. From 178fc543320903329f523d1adf120f47262d7761 Mon Sep 17 00:00:00 2001 From: "Michael (Parker) Parker" Date: Mon, 18 Dec 2023 14:28:08 -0500 Subject: [PATCH 4/5] update to make passwd file non-executable --- config/config.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/config.go b/config/config.go index 2493c7b..317c057 100644 --- a/config/config.go +++ b/config/config.go @@ -535,7 +535,7 @@ func ConfigureDirectories() error { return err } else { // the WriteFile method returns an error if unsuccessful - err := os.WriteFile(passwd.Name(), []byte(fmt.Sprintf("container:x:%d:%d::/home/container:/usr/sbin/nologin", _config.System.User.Uid, _config.System.User.Gid)), 0755) + err := os.WriteFile(passwd.Name(), []byte(fmt.Sprintf("container:x:%d:%d::/home/container:/usr/sbin/nologin", _config.System.User.Uid, _config.System.User.Gid)), 0644) // handle this error if err != nil { // print it out From e5c8f5018434d88c979d2cf9c4df656b11b993a8 Mon Sep 17 00:00:00 2001 From: "Michael (Parker) Parker" Date: Mon, 18 Dec 2023 14:32:40 -0500 Subject: [PATCH 5/5] update to make passwd file path configurable --- config/config.go | 7 ++++--- server/mounts.go | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/config/config.go b/config/config.go index 317c057..7f2a5a1 100644 --- a/config/config.go +++ b/config/config.go @@ -171,7 +171,8 @@ type SystemConfiguration struct { // Passwd controls weather a passwd file is mounted in the container // at /etc/passwd to resolve missing user issues - Passwd bool `json:"mount_passwd" yaml:"mount_passwd" default:"true"` + Passwd bool `json:"mount_passwd" yaml:"mount_passwd" default:"true"` + PasswdFile string `json:"passwd_file" yaml:"passwd_file" default:"/etc/pterodactyl/passwd"` } `yaml:"user"` // The amount of time in seconds that can elapse before a server's disk space calculation is @@ -530,8 +531,8 @@ func ConfigureDirectories() error { return err } - log.WithField("filepath", "/etc/pterodactyl/passwd").Debug("ensuring passwd file exists") - if passwd, err := os.Create("/etc/pterodactyl/passwd"); err != nil { + log.WithField("filepath", _config.System.User.PasswdFile).Debug("ensuring passwd file exists") + if passwd, err := os.Create(_config.System.User.PasswdFile); err != nil { return err } else { // the WriteFile method returns an error if unsuccessful diff --git a/server/mounts.go b/server/mounts.go index 1b750e7..9d2d126 100644 --- a/server/mounts.go +++ b/server/mounts.go @@ -34,7 +34,7 @@ func (s *Server) Mounts() []environment.Mount { passwdMount := environment.Mount{ Default: true, Target: "/etc/passwd", - Source: "/etc/pterodactyl/passwd", + Source: config.Get().System.User.PasswdFile, ReadOnly: true, }