
JWT healthcheck does not recognise read-only mounts, nor dereferences symbolic links #443

Open
almereyda opened this issue Aug 1, 2022 · 1 comment

@almereyda

What you did

I was deploying the (community) Helm chart and found the Passbolt container to be too eager in checking JWT file permissions with is_writable.

What happened

When the JWT healthcheck runs, an error is thrown, despite the files having correct permissions:

JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [FAIL] The /etc/passbolt/jwt/ directory should not be writable.
 [HELP] You can try: 
 [HELP] sudo chown -Rf root:www-data /etc/passbolt/jwt/
 [HELP] sudo chmod 750 /etc/passbolt/jwt/
 [HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.key
 [HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.pem
 [FAIL] A valid JWT key pair is missing

This is due to symbolic links not being dereferenced, and the mount option not being taken into account:

This is the -L/--dereference flag of ls working:

$ k -n passbolt exec -it deployment.apps/passbolt-passbolt-helm -- ls -la /etc/passbolt/jwt       
total 4
drwxrwxrwt 3 root root      120 Aug  1 12:40 .
drwxrwx--- 6 root www-data 4096 Jul 28 14:56 ..
drwxr-xr-x 2 root root       80 Aug  1 12:40 ..2022_08_01_12_40_58.3176624772
lrwxrwxrwx 1 root root       32 Aug  1 12:40 ..data -> ..2022_08_01_12_40_58.3176624772
lrwxrwxrwx 1 root root       14 Aug  1 12:40 jwt.key -> ..data/jwt.key
lrwxrwxrwx 1 root root       14 Aug  1 12:40 jwt.pem -> ..data/jwt.pem

$ k -n passbolt exec -it deployment.apps/passbolt-passbolt-helm -- ls -laL /etc/passbolt/jwt
total 12
drwxrwxrwt 3 root root      120 Aug  1 12:40 .
drwxrwx--- 6 root www-data 4096 Jul 28 14:56 ..
drwxr-xr-x 2 root root       80 Aug  1 12:40 ..2022_08_01_12_40_58.3176624772
drwxr-xr-x 2 root root       80 Aug  1 12:40 ..data
-rw-r----- 1 root root     3243 Aug  1 12:40 jwt.key
-rw-r----- 1 root root      800 Aug  1 12:40 jwt.pem

Here is the actual mountpoint:

$ k -n passbolt exec -it deployment.apps/passbolt-passbolt-helm -- df -h /etc/passbolt/jwt  
Filesystem      Size  Used Avail Use% Mounted on
tmpfs           1.5G  8.0K  1.5G   1% /etc/passbolt/jwt

$ k -n passbolt exec -it deployment.apps/passbolt-passbolt-helm -- cat /proc/mounts | grep passbolt
tmpfs /etc/passbolt/gpg tmpfs ro,relatime,size=1518884k 0 0
tmpfs /etc/passbolt/jwt tmpfs ro,relatime,size=1518884k 0 0
/dev/vda1 /etc/php/7.4/fpm/conf.d/passbolt.ini ext4 ro,relatime 0 0
/dev/disk/by-id/scsi-0DO_Volume_pvc-cb26fed1-2145-434b-8f09-876d9ae0a9a7 /usr/share/php/passbolt/webroot/img/public ext4 rw,relatime 0 0

Reference:

What you expected to happen

I'm expecting Passbolt to recognise the files as symlinks, and dereference them upon checking, plus evaluating all possible layers of "read-only-ness".

E.g. in https://bugs.php.net/bug.php?id=68926&edit=1 one suggestion is to try to actually write to a file, in order to determine if that would work.
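As an added example (not Passbolt's code and not part of the Helm chart), the following Python script shows the shape of check the report asks for: resolve symlinks before looking at permission bits, consult the mount table for the `ro` flag, and confirm with a real write attempt instead of trusting mode bits alone. `PAGE_MOUNTS` is the `/proc/mounts` excerpt from the report above; the `demo()` function rebuilds the kubelet secret layout (`..data` and the timestamped directory) in a temporary directory as constructed sample data, and the mount line that marks that directory read-only is constructed as well. All function names are hypothetical.

```python
import errno
import os
import shutil
import stat
import tempfile

# Mount table as captured in the issue report (copied from the report, not constructed).
PAGE_MOUNTS = """\
tmpfs /etc/passbolt/gpg tmpfs ro,relatime,size=1518884k 0 0
tmpfs /etc/passbolt/jwt tmpfs ro,relatime,size=1518884k 0 0
/dev/vda1 /etc/php/7.4/fpm/conf.d/passbolt.ini ext4 ro,relatime 0 0
/dev/disk/by-id/scsi-0DO_Volume_pvc-cb26fed1-2145-434b-8f09-876d9ae0a9a7 /usr/share/php/passbolt/webroot/img/public ext4 rw,relatime 0 0
"""


def mount_options_for(path, mounts_text):
    """Return (mountpoint, options) of the longest mount entry that contains path.

    The path is resolved first so that a symlink is judged by where it points.
    """
    real = os.path.realpath(path)
    best_mnt, best_opts = "/", set()
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt = fields[1].replace("\\040", " ")  # /proc/mounts escapes spaces as \040
        if real == mnt or real.startswith(mnt.rstrip("/") + "/"):
            if len(mnt) > len(best_mnt):
                best_mnt, best_opts = mnt, set(fields[3].split(","))
    return best_mnt, best_opts


def mount_is_read_only(path, mounts_text):
    return "ro" in mount_options_for(path, mounts_text)[1]


def mode_allows_group_or_world_write(path):
    """Permission-bit view of the resolved target (os.stat follows symlinks, os.lstat would not)."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def write_probe(directory):
    """Ask the kernel instead of guessing: try to create a file. EROFS/EACCES mean not writable."""
    probe = os.path.join(directory, ".jwt-write-probe")
    try:
        fd = os.open(probe, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except OSError as exc:
        if exc.errno in (errno.EROFS, errno.EACCES, errno.EPERM):
            return False
        raise
    os.close(fd)
    os.unlink(probe)
    return True


def check_path(path, mounts_text=None):
    """Combine all three views; mounts_text defaults to the live /proc/mounts."""
    if mounts_text is None:
        with open("/proc/mounts") as fh:
            mounts_text = fh.read()
    target = os.path.realpath(path)
    probe_dir = target if os.path.isdir(target) else os.path.dirname(target)
    read_only = mount_is_read_only(target, mounts_text)
    return {
        "is_symlink": os.path.islink(path),
        "target": target,
        "mount_read_only": read_only,
        "mode_says_writable": mode_allows_group_or_world_write(target),
        # A read-only mount wins over permission bits; otherwise let the kernel decide.
        "effectively_writable": (not read_only) and write_probe(probe_dir),
    }


def demo():
    """Rebuild the kubelet secret layout from the report in a temp dir (constructed sample) and check it."""
    root = tempfile.mkdtemp()
    try:
        versioned = "..2022_08_01_12_40_58.3176624772"
        os.mkdir(os.path.join(root, versioned))
        for name in ("jwt.key", "jwt.pem"):
            real_file = os.path.join(root, versioned, name)
            with open(real_file, "wb") as fh:
                fh.write(b"constructed placeholder, not a real key\n")
            os.chmod(real_file, 0o640)
            os.symlink(os.path.join("..data", name), os.path.join(root, name))
        os.symlink(versioned, os.path.join(root, "..data"))
        os.chmod(root, 0o1777)  # the same drwxrwxrwt the report shows on the mount point
        # Constructed mount line: pretend the temp dir is the ro tmpfs mounted by the kubelet.
        mounts = "tmpfs %s tmpfs ro,relatime,size=1518884k 0 0\n" % os.path.realpath(root)
        return {name: check_path(os.path.join(root, name), mounts)
                for name in (".", "jwt.key", "jwt.pem")}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Against the layout from the report, the directory itself looks world-writable by mode bits (`drwxrwxrwt`) yet is not writable at all because the tmpfs is mounted `ro`, and `jwt.key` resolves through two symlinks to a `0640` file in the timestamped directory. A check that stops at the mode bits of the mount point, or at `lstat` of the symlink, reports exactly the false failure shown in the healthcheck output.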

@krptg0

krptg0 commented Feb 28, 2024

For reference, the issue is still present in the latest passbolt community helm chart and passbolt version 4.5.2-1-ce

@cedricalfonsi cedricalfonsi assigned dlen and unassigned cedricalfonsi Feb 28, 2024