Run Bitwarden-selfhosted as non-root container on the read-only filesystem

[shaman007]

I am running a Bitwarden instance in Kubernetes and want to harden it, because to it contains vital secrets. However, if I try as a start to set:

    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000

I am getting several errors from the entrypoint.sh:

addgroup: Only root may add a user or group to the system.
adduser: Only root may add a user or group to the system.
cp: cannot create regular file '/app/Identity/identity.pfx': Permission denied
cp: cannot create regular file '/app/Sso/identity.pfx': Permission denied

and

sed: couldn't open temporary file /etc/supervisor.d/sedF4AEIa: Permission denied
sed: couldn't open temporary file /etc/supervisor.d/sedMdBMD6: Permission denied
sed: couldn't open temporary file /etc/supervisor.d/sedQ53QO5: Permission denied
sed: couldn't open temporary file /etc/supervisor.d/sedY6JVZS: Permission denied
sed: couldn't open temporary file /etc/supervisor.d/sedTZbdo9: Permission denied
sed: couldn't open temporary file /etc/supervisor.d/sedaiDeBm: Permission denied
sed: couldn't open temporary file /etc/supervisor.d/sedihWpDk: Permission denied
sed: couldn't open temporary file /etc/supervisor.d/sedBm0zaG: Permission denied
chown: changing ownership of '/app/Web/554.48a8997231bd1194fd5f.js': Operation not permitted
chown: changing ownership of '/app/Web/111.a0a028d157496bf5d1fb.js.map': Operation not permitted
chown: changing ownership of '/app/Web/314.5a6aa5e9fd3a1dbb36ce.js.map': Operation not permitted
chown: changing ownership of '/app/Web/encrypt-worker.c5aeb8504a3eb9845db2.js': Operation not permitted
chown: changing ownership of '/app/Web/scripts/qrious.min.js': Operation not permitted
[ ... and so on ... ]

This happens due to the entrypoint.sh:

• creates user and group
• creates certificates
• enable/disable services
• massively chowns directories

Useradd, groupadd could be easily moved in the Dockerfile, as well as the permissions/group ownership. Seems like "Enable/Disable services" also should be rather in the Dockerfile. /etc/bitwarden that is altered by the entrypoint.sh should be a persistent volume, since we want to keep instance identity on restarts, it's not a problem.

[shaman007]

I did a trivial PR for this issue.

[Neonwarden]

Hi there,

This issue has been escalated for further investigation. If you have more information that can help us, please add it below.

Thanks!

[yggdrasil-tynor]

Much needed feature to get this working on Azure AppService / Container Apps!

[sincerelysaucy]

/etc/supervisor.d is mostly where systemd stores content. Don't try to outsmart systemd: Rather than using "bitwarden.sh" directly, create a systemd for bitwarden and enable the designated service user to start or stop that, with the escalations built into systemd.