
W^X violation for docker container filesystem #1280

@PhysicsIsAwesome

Description


I am trying to run the Peergos Docker container with least privilege: a read-only root filesystem, all capabilities dropped, `no-new-privileges`, and a non-root user. It only works if I mount writable tmpfs volumes at /tmp and /run, which is fine in itself. However, it also requires the `exec` mount option on those tmpfs volumes (Docker mounts tmpfs `noexec` by default), because something in the image writes files there at runtime and then executes them. That is a W^X (write-xor-execute) violation: a location that is both writable and executable is exactly what an attacker who gains code execution inside the container needs to drop and run a payload, and it prevents mounting every writable path `noexec`. Best practice is to ship all executables (including any native libraries or helper binaries that a runtime unpacks on first start) in the container image itself rather than generating, downloading, or modifying them at runtime, so that the image can be run with a read-only root filesystem and `noexec` on all writable mounts. This would meaningfully improve the security posture of the container.

Here is the compose.yaml file:

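services:
  peergos:
    image: ghcr.io/peergos/web-ui
    # Wait for the db healthcheck below instead of only for container start;
    # the short-form depends_on does not consult the healthcheck at all.
    depends_on:
      db:
        condition: service_healthy
    # NOTE(review): -postgres.password, -login-keypair and -mirror.bat are
    # passed as command-line arguments, so they are readable via
    # `docker inspect`, the container's own /proc/*/cmdline and any host
    # process listing, regardless of cap_drop. Prefer an environment or
    # secret-file form if the daemon supports one (LOGIN_KEYPAIR below
    # suggests env vars work for at least the keypair) — confirm against
    # the Peergos documentation.
    # NOTE(review): the app connects as the `postgres` superuser with
    # POSTGRES_SU_PW, while the db service defines PEERGOS_DB_USER_PW and
    # its healthcheck probes role/db `peergos`; a dedicated low-privilege
    # role appears to be intended but is not used here, so a compromised
    # app would hold full superuser access to the database.
    command: >
      daemon
      -listen-host 0.0.0.0
      -public-domain peergos.mydomain.com
      -log-to-console true
      -public-server true
      -use-postgres true
      -postgres.database postgres
      -postgres.host "172.20.10.3"
      -postgres.password ${POSTGRES_SU_PW}
      -postgres.username postgres
      -mirror.username myusername
      -login-keypair ${KEYPAIR}
      -mirror.bat ${MIRROR_BAT}
    environment:
      LOGIN_KEYPAIR: ${KEYPAIR}
    # Reachable only by other containers on the shared networks (no host
    # port is published); the reverse proxy on rproxy-peergos fronts it.
    expose:
      - "8000"
    volumes:
      # Persistent application data; :Z relabels for SELinux so only this
      # container's label may access the directory.
      - ./data:/opt/peergos/data:Z
      # Bind-mounting the host resolver config replaces Docker's embedded
      # DNS (127.0.0.11), so compose service names will not resolve inside
      # this container — presumably why -postgres.host is a fixed IP.
      - /etc/resolv.conf:/etc/resolv.conf:ro
    networks:
      rproxy-peergos:
        ipv4_address: "172.20.9.3"
      internal:
        ipv4_address: "172.20.10.2"
    deploy:
      resources:
        limits:
          cpus: '1.8'
          memory: 1.5G
    # Non-root uid:gid; quoted so no YAML parser can read it as a number.
    user: "1000:1000"
    cap_drop:
      - ALL
    read_only: true
    tmpfs:
      # `exec` is the subject of this issue: Docker tmpfs mounts are noexec
      # by default and it had to be re-enabled because the image executes
      # files it writes here at runtime. Drop `exec` (i.e. restore noexec)
      # once the image ships those executables.
      - /tmp:uid=1000,gid=1000,exec
      - /run:uid=1000,gid=1000,exec
    security_opt:
      - no-new-privileges

  db:
    image: postgres:alpine
    shm_size: 128mb
    volumes:
      - ./postgres/data:/var/lib/postgresql/data:Z
    environment:
      POSTGRES_PASSWORD: ${POSTGRES_SU_PW}
      PEERGOS_DB_USER_PW: ${PEERGOS_DB_USER_PW}
    # CMD-SHELL already runs the string under `sh -c`; no extra wrapper needed.
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U peergos -d peergos"]
      interval: 10s
      timeout: 3s
      retries: 3
    networks:
      internal:
        ipv4_address: "172.20.10.3"
    # Quoted for consistency with the peergos service above; assumes
    # 999:999 is the postgres uid/gid of this image — verify.
    user: "999:999"
    cap_drop:
      - ALL
    read_only: true
    # All writable paths are noexec here, which is the W^X property the
    # peergos service cannot yet achieve.
    tmpfs:
      - /tmp:noexec
      - /var/run:noexec
      - /var/run/postgresql:noexec
    security_opt:
      - no-new-privileges

networks:
  # NOTE(review): a plain bridge network still has outbound internet
  # access; `internal: true` here would cut the db container off from the
  # outside while peergos keeps egress via rproxy-peergos — consider it.
  internal:
    driver: bridge
    ipam:
      config:
        - subnet: "172.20.10.0/24"
  rproxy-peergos:
    external: true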
