Permission errors running dast tests on Linux/docker-machine
Summary
When I try to run bash_unit test/end-to-end/test-baseline.sh on my local development machine, or anything that mounts a local directory inside the dast container, I get a series of permission errors that prevent the tests from running. This appears to be because the uid of the current user (zap) doesn't match the uid of /zap/wrk/.
Steps to reproduce
- set up docker-machine to use virtual-box
- build the dast docker image (e.g. docker build -t dast .)
- run the test (e.g. bash_unit test/end-to-end/test-baseline.sh)
Relevant logs and/or screenshots
==> test/end-to-end/output/test_baseline_scan_using_t.log <==
truncate: cannot open 'zap.out' for writing: Permission denied
truncate: cannot open '/output/browserker.log' for writing: Permission denied
tail: cannot open 'zap.out' for reading: No such file or directory
tail: no files remaining
tail: cannot open '/output/browserker.log' for reading: No such file or directory
tail: no files remaining
2020-11-24 23:29:55,392 Running DAST v1.33.1 on Python 3.8.6 (default, Sep 25 2020, 09:36:53) [GCC 10.2.0]
2020-11-24 23:29:55,392 waiting for http://nginx to be available
2020-11-24 23:29:55,392 Requesting access to http://nginx...
2020-11-24 23:29:55,394 Starting new HTTP connection (1): nginx:80
2020-11-24 23:29:55,397 http://nginx:80 "GET / HTTP/1.1" 200 345
2020-11-24 23:29:55,397 writing zap log configuration
2020-11-24 23:29:55,398 Starting the ZAP Server
2020-11-24 23:29:55,398 Running ZAP with parameters ['/zap/zap.sh', '-daemon', '-config', 'proxy.reverseProxy.use=1', '-config', 'proxy.reverseProxy.ip=0.0.0.0', '-config', 'proxy.reverseProxy.httpPort=57262', '-dir', '/app/zap', '-config', 'api.disablekey=true', '-config', 'api.addrs.addr.name=.*', '-config', 'api.addrs.addr.regex=true', '-config', 'selenium.firefoxDriver=/usr/bin/geckodriver', '-config', 'spider.maxDuration=1', '-silent', '-config', 'globalalertfilter.filters.filter(0).ruleid=10096', '-config', 'globalalertfilter.filters.filter(0).url=.*', '-config', 'globalalertfilter.filters.filter(0).urlregex=true', '-config', 'globalalertfilter.filters.filter(0).newrisk=-1', '-config', 'globalalertfilter.filters.filter(0).enabled=true']
2020-11-24 23:29:55,399 Unhandled exception has been thrown, aborting.
Traceback (most recent call last):
File "/app/src/dast.py", line 23, in start
scan.run()
File "/app/src/scan_script_wrapper.py", line 43, in run
zap_daemon = self.zap_server.start()
File "/app/src/zap_gateway/zap_server.py", line 50, in start
daemon_process = self.system.run(parameters=parameters, output_file_name=ZAPServer.LOG_FILE)
File "/app/src/system.py", line 51, in run
with open(output_file_name, 'w') as out_file:
PermissionError: [Errno 13] Permission denied: 'zap.out'
Interactive Session
Observations
- permissions for /zap and /zap/wrk differ
- uid for /zap/wrk differs from id -u
Container
% docker run -it --rm -v "${PWD}":/zap/wrk dast /bin/bash
zap@bcd522c1f2ba:/output$ ls -la /zap/wrk/
total 1632
drwxr-xr-x 1 browserker staff 1088 Nov 24 06:19 .
drwxrwxrwx 1 zap zap 4096 Nov 24 23:52 ..
-rw-r--r-- 1 browserker staff 206 Apr 22 2020 .editorconfig
-rw-r--r-- 1 browserker staff 97 Aug 18 03:57 .flake8
# snip...
zap@bcd522c1f2ba:/output$ touch /zap/wrk/hello-world.log
touch: cannot touch '/zap/wrk/hello-world.log': Permission denied
zap@bcd522c1f2ba:/output$ whoami
zap
zap@bcd522c1f2ba:~$ ls -la /
total 84
drwxr-xr-x 1 root root 4096 Nov 24 23:52 .
drwxr-xr-x 1 root root 4096 Nov 24 23:52 ..
drwxr-xr-x 1 zap zap 4096 Nov 24 06:15 app
drwxr-xr-x 1 browserker browserker 4096 Nov 23 00:11 browserker
drwxrwxrwx 1 zap zap 4096 Nov 24 06:15 output
drwxrwxrwx 1 zap zap 4096 Nov 24 23:52 zap
# snip...
zap@bcd522c1f2ba:~$ ls -lan /zap
total 5436
drwxrwxrwx 1 1001 1001 4096 Nov 24 23:52 .
drwxr-xr-x 1 0 0 4096 Nov 24 23:52 ..
-rw-r--r-- 1 1001 1001 2157 Feb 1 1980 README
drwxr-xr-x 2 1001 1001 4096 Feb 1 1980 db
drwxr-xr-x 2 1001 1001 4096 Feb 1 1980 lang
drwxr-xr-x 2 1001 1001 4096 Feb 1 1980 lib
drwxr-xr-x 2 1001 1001 4096 Feb 1 1980 license
drwxr-xr-x 2 1001 1001 4096 Nov 23 00:37 plugin
drwxr-xr-x 3 1001 1001 4096 Feb 1 1980 scripts
drwxr-xr-x 1 1000 50 1088 Nov 24 06:19 wrk
drwxr-xr-x 2 1001 1001 4096 Feb 1 1980 xml
-rw-r--r-- 1 1001 1001 5382810 Feb 1 1980 zap-D-2020-06-30.jar
-rw-r--r-- 1 1001 1001 206 Feb 1 1980 zap.bat
-rw-r--r-- 1 1001 1001 123778 Feb 1 1980 zap.ico
-rwxr-xr-x 1 1001 1001 4187 Feb 1 1980 zap.sh
zap@bcd522c1f2ba:/output$ id -u
1001
zap@bcd522c1f2ba:/output$ whoami
zap
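The observations and the ls -lan output above boil down to a mode-bit check: the container user (uid 1001, gid 1001) is neither the owner of /zap/wrk (1000:50) nor in its group, and the directory is 755, so only the owner may write. The following is an added example, not code from the issue or from the DAST project; it encodes that check as a POSIX sh function, assumes GNU stat for the directory wrapper, and ignores supplementary groups, ACLs and capabilities.

```sh
#!/bin/sh
# Added example: predict from mode bits and ownership whether uid:gid may write
# into a directory, the comparison the observations above make by hand.
# Simplifications: supplementary groups, ACLs and capabilities are ignored.

# can_write MODE OWNER_UID OWNER_GID UID GID
#   MODE is the octal string printed by `stat -c %a` (e.g. 755 or 4755).
#   Returns 0 if UID:GID may write, 1 otherwise; prints the reason.
can_write() {
    mode=$1 owner_uid=$2 owner_gid=$3 uid=$4 gid=$5
    while [ ${#mode} -lt 3 ]; do mode=0$mode; done
    bits=${mode#"${mode%???}"}            # low three digits: user/group/other
    u=${bits%??}; o=${bits#??}; g=${bits#?}; g=${g%?}
    if [ "$uid" -eq 0 ]; then
        echo "writable: uid 0 bypasses mode bits"; return 0
    fi
    # Exactly one class applies: owner if uids match, else group, else other.
    if [ "$uid" -eq "$owner_uid" ]; then
        [ $(( u & 2 )) -ne 0 ] && { echo "writable: owner $uid, mode $bits"; return 0; }
        echo "denied: owner $uid but no owner write bit (mode $bits)"; return 1
    fi
    if [ "$gid" -eq "$owner_gid" ]; then
        [ $(( g & 2 )) -ne 0 ] && { echo "writable: group $gid, mode $bits"; return 0; }
        echo "denied: group $gid matches but no group write bit (mode $bits)"; return 1
    fi
    [ $(( o & 2 )) -ne 0 ] && { echo "writable: other-write set (mode $bits)"; return 0; }
    echo "denied: $uid:$gid is not owner $owner_uid:$owner_gid and mode $bits has no other write"
    return 1
}

# check_dir DIR [UID] [GID]: run can_write against a real directory, defaulting
# to the caller's ids as `id -u` / `id -g` would inside the container (GNU stat).
check_dir() {
    dir=$1 uid=${2:-$(id -u)} gid=${3:-$(id -g)}
    set -- $(stat -c '%a %u %g' "$dir")
    can_write "$1" "$2" "$3" "$uid" "$gid"
}

# The issue's numbers: the bind-mounted checkout /zap/wrk shows as 755 owned by
# 1000:50, while the container runs as zap = 1001:1001.
can_write 755 1000 50 1001 1001 || true   # denied: the PermissionError on zap.out
# /zap itself is 777 owned by 1001:1001, so a file directly under /zap works.
can_write 777 1001 1001 1001 1001
```

Run it inside the container as check_dir /zap/wrk to get the same verdict for whatever ids the mount actually carries on your host.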
Edited by Philip Cunningham