
Conversation

@JonBendtsen
Contributor

disable apache cgi-bin because dolibarr doesn't seem to use it and then the container should not have it by default

@creekorful creekorful self-assigned this Mar 20, 2025
@creekorful
Member

Hello @JonBendtsen,

I don't think we need this PR if we add a way to disable the modules here in this PR #47. That would be much more convenient.

@creekorful creekorful added the question Further information is requested label Mar 20, 2025
@JonBendtsen
Contributor Author

Hello @JonBendtsen,

I don't think we need this PR if we add a way to disable the modules here in this PR #47. That would be much more convenient.

No, because even if people can use PR #47 to disable this module - why would they have to do it? The dolibarr container should be as safe as possible, and it does not need the CGI-BIN inside apache. Leaving cgi-bin in would slightly increase the risk of someone potentially placing a file in there which then can be executed. It is safer that we simply disable the apache configuration that by far most dolibarr installations that use this dolibarr container will end up having. Safety first.

@creekorful
Member

Hi @JonBendtsen,

The defaults of serve-cgi-bin.conf make it so it is not easily possible to execute arbitrary cgi files because you'll need to place them into the /usr/lib/cgi-bin directory (which is outside the Dolibarr directory anyway so not easily accessible)

See config file for example:

<IfModule mod_alias.c>
	<IfModule mod_cgi.c>
		Define ENABLE_USR_LIB_CGI_BIN
	</IfModule>

	<IfModule mod_cgid.c>
		Define ENABLE_USR_LIB_CGI_BIN
	</IfModule>

	<IfDefine ENABLE_USR_LIB_CGI_BIN>
		ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
		<Directory "/usr/lib/cgi-bin">
			AllowOverride None
			Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
			Require all granted
		</Directory>
	</IfDefine>
</IfModule>

The problem here is not that we don't want to secure the Apache installation but rather that we should do so while keeping the image minimal (feature wise) and as unopinionated as possible.

Let me think about it.

@JonBendtsen
Contributor Author

Hi @JonBendtsen,

The defaults of serve-cgi-bin.conf makes it so it is not easily possible to execute arbitrary cgi files because you'll need to place them into /usr/lib/cgi-bin directory (which is outside Dolibarr directory anyway so not easily accessible)

True? but why keep it in if we don't need it for Dolibarr?

vim-tiny \
cron \
&& apt-get autoremove -y \
&& a2disconf serve-cgi-bin \
Member


Can we move this to another RUN instruction just after this one and before the "Get Dolibarr" one?

Something like this:

# Disable useless Apache modules to provide safe defaults
RUN a2disconf serve-cgi-bin

@creekorful
Member

Since there is a consensus for the base image to provide sane (and safe) defaults, let's move on with this PR.

On a side note it would be great to check the list of enabled apache modules and use this PR to disable all modules that do not need to be enabled.

If the user is willing to enable a module this could be done using the custom init scripts like @tuxgasy explained in another PR.

Cheers,
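The two conditions under which the serve-cgi-bin.conf quoted earlier actually maps /cgi-bin/ to /usr/lib/cgi-bin/ (the conf is enabled and mod_cgi or mod_cgid is loaded), together with the enabled-module inventory suggested just above, can be audited with a small script. This is an added example, not code from the Dolibarr container project or from either participant; it assumes the Debian Apache layout where a2enmod/a2disconf manage symlinks under mods-enabled/ and conf-enabled/, and it builds a constructed sample tree so it runs offline.

```shell
# Added example, not part of the Dolibarr container project. Audits an Apache 2
# config tree (Debian layout assumed: a2enmod/a2disconf manage symlinks under
# mods-enabled/ and conf-enabled/) for the two conditions under which
# serve-cgi-bin.conf maps /cgi-bin/ to /usr/lib/cgi-bin/: the conf snippet is
# enabled AND mod_cgi or mod_cgid is loaded (the IfModule/IfDefine nesting).

# Returns 0 when /cgi-bin/ is not served, 1 when it is.
cgi_exposure_check() {
    root="${1:-/etc/apache2}"
    conf_on=0
    mod_on=0
    # a2disconf removes this symlink; -e is also false for a dangling link
    if [ -e "$root/conf-enabled/serve-cgi-bin.conf" ]; then conf_on=1; fi
    for m in cgi cgid; do
        if [ -e "$root/mods-enabled/$m.load" ]; then mod_on=1; fi
    done
    if [ "$conf_on" -eq 1 ] && [ "$mod_on" -eq 1 ]; then
        echo "EXPOSED: ScriptAlias /cgi-bin/ -> /usr/lib/cgi-bin/ is active; run: a2disconf serve-cgi-bin"
        return 1
    fi
    echo "OK: /cgi-bin/ is not served (conf enabled=$conf_on, cgi module loaded=$mod_on)"
    return 0
}

# Lists every enabled module and conf snippet: the inventory to review when
# deciding what else the image does not need.
list_enabled() {
    root="${1:-/etc/apache2}"
    for d in mods-enabled conf-enabled; do
        for f in "$root/$d"/*; do
            [ -e "$f" ] || continue
            printf '%s\t%s\n' "$d" "$(basename "$f")"
        done
    done
}

# Constructed sample tree standing in for a real image's /etc/apache2, so the
# checks can be exercised offline; prints the directory it created.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/mods-available" "$t/mods-enabled" "$t/conf-available" "$t/conf-enabled"
    : > "$t/mods-available/cgid.load"
    : > "$t/conf-available/serve-cgi-bin.conf"
    ln -s ../mods-available/cgid.load "$t/mods-enabled/cgid.load"
    ln -s ../conf-available/serve-cgi-bin.conf "$t/conf-enabled/serve-cgi-bin.conf"
    echo "$t"
}
```

Inside a running container, `cgi_exposure_check` with no argument inspects the real /etc/apache2; the sample tree is only for trying the script outside an image.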

@JonBendtsen
Contributor Author

replaced by #54

@creekorful creekorful closed this Mar 22, 2025
@creekorful
Member

Closing as superseded by #54.


Labels

enhancement New feature or request
