Weeknote: 2024-W25

24 June 2024

Back on the development train after the last few weeks of disruption, last week was all about security. We had the results of the security audit, as I mentioned last time, and there were a bunch of issues to fix, which took up the early part of the week. Then on Thursday I pushed those changes out in release v0.69.0.

There were a lot of small changes made, but there were a couple of interesting big ones too.

Running as non-root

When I started this project, I didn’t think much about Docker itself and how it works - I just built the container and off we went. But, that wasn’t going to fly any more, as the largest security issue was that by default, Docker runs its containers as the same user as the Docker daemon itself, which is normally root.

Obviously that’s not good, but in Manyfold’s case it’s especially dodgy as the app plays around with local files, so being able to change basically anything is pretty dangerous. Also, any uploaded files would be owned by root as well, which is less than ideal.

So, we need to make it run as not-root. I wanted to follow the approach taken by the linuxserver images, because standards are good, and I think this is something Manyfold users might be somewhat used to. That involves setting PUID and PGID variables that specify the actual application user.

After exploring how linuxserver did their setup, I found they used s6-overlay, a container-oriented wrapper around s6, a process supervisor. Basically it allows you to easily run multiple processes per container, as well as handling things like setuid for running actual processes. After some awkward shenanigans getting s6-overlay into my container (which was resolved by discovering a proper Alpine package), I managed to rebuild how the container runs so that it initialises as root as usual, then when it’s time to run the actual application, it drops down to the less-privileged user.

There’s a lot I can do with this in future, not least of which is making an actual linuxserver single-container release, which has been on my list for a long time. It might also be able to replace foreman as the process manager for running background workers, etc.

Zip bombs

Another high-severity issue was around uploading files (which didn’t surprise me - it was contributed code and while it worked, I’d not put thought into making it safe). Archives can contain things like absolute paths, or dot paths, meaning that files could in theory overwrite things outside the folder where we’re trying to extract them; that’s bad, especially when running as root!

I found a load of options to libarchive to turn on safety features, which is great, though it is frustrating when for backwards compatibility libraries have to make those optional, and not on by default. Ah well, it is what it is. If you’re using libarchive for anything, I highly recommend setting this safe set of flags whenever you extract.

The other thing was large files, whether the archive itself, or inside the archive as a zip bomb. Fixing those involved adding some preset limits to uploaded and extracted file size, though those can be easily overridden using environment variables.

More security options

There are a lot more security options in the app now as well, but some needed to be done when the container is set up - I couldn’t specify them as part of the image. So, I wrote a new security guide which explains what the options are, and how to go about running a secure Manyfold service.

Have to say, it feels rather professional to have a website with a “security guide” on it. I might be an actual grownup.

Funding

At the end of the week, I was thinking about Manyfold’s funding, and realised I needed to put some effort into getting a sustainable income stream beyond the grant funding we’ve had so far (and which I’ve applied for more of, but it’s a way off).

To that end, I’ve created a donate page on the website which shows all our existing donors, and invites people to support Manyfold on OpenCollective. We’ve got a couple of individuals so far, but I want to get some corporate sponsors going to fund the bulk of the work. They won’t get any control, just a credit on OpenCollective, but I hope that some will go for it. I’ve reached out to some printer manufacturers who don’t own their own model hosting site, with the pitch that a decentralised independent model hosting system would be good for them. We’ll see how that goes. I hate marketing.

That said, if you do find Manyfold useful, especially if you’re using it for business purposes, please consider popping a monthly donation our way so that we can keep doing this full time! We’d really appreciate it!