macdjord

Reputation: 555

Persist users added within a Docker container

I have a Docker container running SSHD which accepts connections from multiple devices. Each connection is supposed to use port forwarding to connect a socket file on the container to a TCP port on the device. Every connecting device has a unique ID and is supposed to use that ID in the name of its socket file so they can be identified.

Iteration 1

Initially, I simply created a single non-root user in the SSHD container and allowed all the devices to log in as that user.

However, I discovered a problem with this setup: there was no way to limit what socket files could be opened based on which device was connecting, meaning a compromised or simply misconfigured device could potentially forward a socket with another device's ID in the name, causing all manner of havoc.

Iteration 2

My solution to this was to instead create a different user account for each device, with the username being the device ID, and only permit that device to log in to that account. Then each user could be given a separate directory in which to create its socket files, and ordinary Unix file permissions could be used to prevent any device's account from interfering with another device's socket.

The problem with this was that I could no longer do all my user management during the image build step; I now needed to create new user accounts inside the container every time a new device was registered. This worked, but if the SSHD container ever had to be recreated, all the user accounts created within it would cease to exist.

Iteration 3

To fix this, the next thing I tried was this:

On testing, however, I found that the standard user management tools, such as adduser and usermod, cannot handle those files being moved like that. (I suspect the problem is that those tools, rather than opening the files and editing them in place (which the symlinks would redirect just fine) are trying to write the files under other names and then move them into the expected place.)

Where to go from here

I have a few ideas which I think might work, but they're all unpalatable for one reason or another:

Does anyone have any suggestions?

Upvotes: 0

Views: 74
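The Iteration 3 failure mode the poster suspects (tools writing a fresh file beside the target and renaming it into place, rather than editing through the symlink) can be reproduced without root. The following is an added example, not code from the question or from any user-management tool: it builds a scratch "volume" directory holding the real passwd file and an "etc" directory holding a symlink to it, then applies both edit patterns. The directory names, the `passwd+` temp-file name and the `device-000N` entries are constructed for the demo.

```shell
#!/bin/sh
# Added example: in-place edit vs. write-then-rename against a symlinked passwd file.
set -eu

# Build the scratch layout: volume/passwd is the persistent copy, etc/passwd is a
# symlink pointing at it (the Iteration 3 idea in miniature). Prints the work dir.
setup_layout() {
    work=$(mktemp -d)
    mkdir -p "$work/volume" "$work/etc"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$work/volume/passwd"   # constructed entry
    ln -s "$work/volume/passwd" "$work/etc/passwd"
    echo "$work"
}

# Pattern A: open the path and append. The kernel follows the symlink, so the
# volume copy is what gets updated and the symlink survives.
append_in_place() {
    work=$1
    printf 'device-0001:x:1001:1001::/sockets/device-0001:/bin/false\n' >> "$work/etc/passwd"
}

# Pattern B: copy to a temp file beside the target, edit the copy, rename it over
# the original path. rename(2) replaces the symlink inode itself with the new
# regular file; the volume copy is left untouched from this point on.
replace_by_rename() {
    work=$1
    cp "$work/etc/passwd" "$work/etc/passwd+"      # cp follows the symlink when reading
    printf 'device-0002:x:1002:1002::/sockets/device-0002:/bin/false\n' >> "$work/etc/passwd+"
    mv -f "$work/etc/passwd+" "$work/etc/passwd"   # rename: symlink is gone, regular file remains
}

# Is etc/passwd in the scratch layout still a symlink? Prints yes or no.
etc_passwd_is_symlink() {
    if [ -L "$1/etc/passwd" ]; then echo yes; else echo no; fi
}

# Line count of the volume copy, i.e. the only copy that would outlive a container
# recreation. Whitespace stripped so BSD and GNU wc agree.
volume_line_count() {
    wc -l < "$1/volume/passwd" | tr -d ' '
}

# Line count of whatever now sits at etc/passwd (symlink target or replacement file).
etc_line_count() {
    wc -l < "$1/etc/passwd" | tr -d ' '
}

# Stand-alone walkthrough: shows the divergence between the two copies after pattern B.
demo() {
    w=$(setup_layout)
    append_in_place "$w"
    echo "after in-place append: symlink=$(etc_passwd_is_symlink "$w") volume=$(volume_line_count "$w") etc=$(etc_line_count "$w")"
    replace_by_rename "$w"
    echo "after write+rename:    symlink=$(etc_passwd_is_symlink "$w") volume=$(volume_line_count "$w") etc=$(etc_line_count "$w")"
    rm -rf "$w"
}

demo
```

After the in-place append both counts read 2 and the symlink is intact; after the write-and-rename step `etc/passwd` is a regular file with 3 lines while the volume copy still has 2, which is exactly the silent divergence that would make accounts vanish on the next container recreation. Running this against the real `/etc` is unnecessary and not advisable; the scratch layout is enough to confirm the mechanism.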

Answers (0)
