
lsetxattr: permission denied with podman #1385

Open
TribuneX opened this issue Apr 2, 2024 · 5 comments
Labels
bug Something isn't working

Comments

@TribuneX

TribuneX commented Apr 2, 2024

Describe the bug
I try to use gitleaks-docker together with podman instead of docker.

To Reproduce
Steps to reproduce the behavior:

Use podman with a docker alias:

ln -s podman docker

run pre-commit hook:

❯ pre-commit run --all-files
Detect hardcoded secrets.................................................Failed
- hook id: gitleaks-docker
- exit code: 126

Error: preparing container 0ebc9b7e8cd291a879699c1715ac185d983b9e40e476b060f51b80feefb98c7c for attach: lsetxattr /Users/xxx/src/org/gitleaks/.git/objects/f3/097ab13082b70f67202aab7dd9d1b35b7ceac2: permission denied

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Basic Info (please complete the following information):

  • OS: macOS 14.4
  • Gitleaks Version: latest docker container

Additional context
Add any other context about the problem here.

cc @zricethezav

@TribuneX TribuneX added the bug Something isn't working label Apr 2, 2024
@dickc-sg

dickc-sg commented Apr 11, 2024

I receive the same error with trivyfs-docker using podman and so I do not believe this is gitleaks-specific.

Steps to reproduce:

$ brew install podman podman-desktop
$ sudo ln -s /opt/homebrew/bin/podman /usr/local/bin/docker
$ pre-commit run -a

Output:

$ pre-commit run -a
Terraform fmt............................................................Passed
Terraform validate.......................................................Passed
Terraform docs...........................................................Passed
Terraform docs...........................................................Passed
Terraform validate with tflint...........................................Passed
trivyfs-docker...........................................................Failed
- hook id: trivyfs-docker
- exit code: 126

Resolving "aquasec/trivy" using unqualified-search registries (/etc/containers/registries.conf.d/999-podman-machine.conf)
Trying to pull docker.io/aquasec/trivy:0.49.1...
Getting image source signatures
Copying blob sha256:98d61a99dbd7e853a40ec0c8f5063ed8d28cfce17ad132ea22f03a0f4f407f48
Copying blob sha256:67b5a74b6f9ebdf4d0394b6c6af6fbd6b37a055c5b6b400fc7d3719d571238e7
Copying blob sha256:bca4290a96390d7a6fc6f2f9929370d06f8dfcacba591c76e3d5c5044e7f420c
Copying blob sha256:7f344fb18575d2d29c36332a7b69a5afecbc9a935f3717edbf096e5c1d52a251
Copying config sha256:e5b7465539b3f2e0fba82eac8536d298f20e66f959e2c2a518d627bc9ba13d6a
Writing manifest to image destination
Error: preparing container d20556de0895883ad945dda386dedc8bdf55322752643427c70a9b197c64c983 for attach: lsetxattr /Users/dickc-sg/Projects/github.com/dickc-sg/sample-repo/.git/objects/8b/90e4ea1b66b95e22a6035021bfb4ca78542b5d: permission denied

check yaml...............................................................Passed
Detect hardcoded secrets.................................................Passed
prettier.................................................................Passed

Worth noting this is on macOS 14.4.1, which may or may not support lsetxattr.

@rjeffman

It seems macOS has issues setting SELinux labels with lsetxattr, which requires extended attributes.

Try to set volumes without :z.

See containers/podman#13631

@TribuneX

TribuneX commented Jun 7, 2024

Try to set volumes without :z.

@rjeffman I found a similar suggestion. But how to do that for the pre-commit hook container?

@rjeffman

rjeffman commented Jun 7, 2024

@TribuneX sorry, but I have no clue on how to fix that. And I just found out today that, under Linux, you may need to have :Z depending on your use case.

In my case I'm trapped between using :rw under macOS and :Z under Linux, and I wanted to have a single solution due to my use case.
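The two comments above leave the practical question open: pre-commit's docker_image language builds the `docker run` line itself and mounts the repository as `/src:rw,Z`, so the hook author cannot simply drop the `Z`. The `Z` option asks the runtime to relabel the host directory for SELinux, file by file, through lsetxattr, which is exactly the call that fails on the `.git/objects` paths in the output above. The following is an added example, not code from gitleaks, pre-commit, podman or anyone in this thread. It is a small `docker` shim meant to replace the bare `ln -s podman docker` symlink: it strips the `z`/`Z` relabel options from `-v`/`--volume` specs and execs podman. The rewrite is applied only when the shim runs on macOS (`sys.platform == "darwin"`); on Linux, where rjeffman notes the label may be needed for SELinux to grant the container access, the arguments are passed through untouched. The function names and the `SELINUX_LABEL_OPTS` set are this example's own choices.

```python
"""docker shim: strip SELinux relabel options from bind mounts on macOS.

Added example (not from gitleaks, pre-commit or podman). Install it as the
`docker` command that pre-commit invokes, in place of a plain symlink to
podman. It rewrites `-v`/`--volume` specs such as `/repo:/src:rw,Z` to
`/repo:/src:rw` and then execs podman with the rewritten argument list.
"""
import os
import sys

# SELinux relabel options accepted in docker/podman volume specs:
# `z` = shared label, `Z` = private label. Both trigger lsetxattr on the host tree.
SELINUX_LABEL_OPTS = {"z", "Z"}


def strip_selinux_label(spec: str) -> str:
    """Return a volume spec with the z/Z relabel options removed.

    A bind-mount spec is `host-src:container-dest[:opts]`, where opts is a
    comma-separated list. Specs without an options part are returned as-is;
    if stripping empties the options, the trailing `:` is dropped too.
    """
    parts = spec.split(":")
    if len(parts) < 3:
        return spec
    opts = [o for o in parts[-1].split(",") if o and o not in SELINUX_LABEL_OPTS]
    head = ":".join(parts[:-1])
    return f"{head}:{','.join(opts)}" if opts else head


def rewrite_args(argv, platform=sys.platform):
    """Rewrite a docker/podman argv, stripping relabel options on macOS only.

    Handles `-v SPEC`, `--volume SPEC`, `-v=SPEC` and `--volume=SPEC`.
    On any platform other than `darwin` the list is returned unchanged,
    because a Linux host running SELinux may rely on the label.
    """
    if platform != "darwin":
        return list(argv)
    out = []
    it = iter(argv)
    for arg in it:
        if arg in ("-v", "--volume"):
            out.append(arg)
            spec = next(it, None)  # the spec is the following argument
            if spec is not None:
                out.append(strip_selinux_label(spec))
        elif arg.startswith("--volume="):
            out.append("--volume=" + strip_selinux_label(arg[len("--volume="):]))
        elif arg.startswith("-v="):
            out.append("-v=" + strip_selinux_label(arg[len("-v="):]))
        else:
            out.append(arg)
    return out


def main() -> None:
    # Replace this process with podman; argv[0] becomes "podman" and the
    # remaining arguments are passed through after the rewrite.
    args = ["podman"] + rewrite_args(sys.argv[1:])
    os.execvp("podman", args)


if __name__ == "__main__":
    main()
```

Save the file as `docker` somewhere on `PATH` ahead of any other `docker`, make it executable, and pre-commit will run it unchanged; `pre-commit run --all-files` should then reach the container instead of stopping at the relabel. Keeping the platform check explicit is deliberate: removing `Z` on an SELinux-enforcing Linux host does not fail loudly, it fails later with a denied read inside the container, so the shim only changes behaviour where the label cannot be applied anyway.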

@TribuneX

TribuneX commented Sep 9, 2024

Any update here regarding this issue? Any chance this can be fixed within gitleaks?
