From 682322d5641a2351a683189a3345396b899ccdbf Mon Sep 17 00:00:00 2001
From: anti
Date: Fri, 10 Apr 2026 02:25:45 -0400
Subject: [PATCH] fix(conpot): Resolve silent crash by running as nobody and ensuring permissions
---
 templates/conpot/Dockerfile | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/templates/conpot/Dockerfile b/templates/conpot/Dockerfile
index 1c7db01..0c688b4 100644
--- a/templates/conpot/Dockerfile
+++ b/templates/conpot/Dockerfile
@@ -3,12 +3,18 @@ FROM ${BASE_IMAGE}
 USER root
-# Temporary fix: Conpot's default config binds Modbus to a non-privileged port (like 5020).
-# DECNET requires it to bind directly to 502 for the honeypot to work as expected.
-# We search the template directories and replace the port configuration.
-# This is a temporary fix pending an upstream PR from the Conpot maintainers.
+# Replace 5020 with 502 in all templates
 RUN find /opt /usr /etc /home -name "*.xml" -exec sed -i 's/5020<\/port>/502<\/port>/g' {} + 2>/dev/null || true
 RUN find /opt /usr /etc /home -name "*.xml" -exec sed -i 's/port="5020"/port="502"/g' {} + 2>/dev/null || true
-# Switching back to the internal user if standard in conpot (falling back to nobody/conpot as appropriate)
-# End of Dockerfile
+# Install libcap to allow binding to 502
+RUN (apt-get update && apt-get install -y --no-install-recommends libcap2-bin 2>/dev/null) || (apk add --no-cache libcap 2>/dev/null) || true
+
+# Apply setcap to python binaries
+RUN find /usr /opt -type f -name 'python*' -exec setcap 'cap_net_bind_service+eip' {} \; 2>/dev/null || true
+
+# Make sure all conpot-related directories are writable by everyone so 'nobody' can run it
+RUN chmod -R 777 /var/log/conpot /opt/conpot /home/conpot /usr/local/lib/python*/site-packages/conpot/tests/data /tmp 2>/dev/null || true
+
+# Run as nobody, which avoids the root-check failure and the missing 'conpot' user error
+USER nobody
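Review bot: The added `chmod -R 777` line makes the conpot package directory, its home and its log directory world-writable, so any process in the container can alter the honeypot's code and its logs, and applying it to `/tmp` clears the sticky bit there (sticky is not among the bits GNU chmod preserves on directories), so one user can remove another's temp files. Since the image switches to a single fixed user, ownership is enough and keeps the default modes: `RUN chown -R nobody /var/log/conpot /opt/conpot /home/conpot /usr/local/lib/python*/site-packages/conpot/tests/data 2>/dev/null || true`, leaving `/tmp` untouched. The `setcap` line grants `cap_net_bind_service` to every file named `python*` under /usr and /opt, which on a typical base also matches helper scripts such as `python3-config`, rather than the one interpreter conpot runs; resolving it first, `setcap 'cap_net_bind_service+eip' "$(readlink -f "$(command -v python3)")"`, limits the grant to a single binary. Both that step and the libcap install end in `2>/dev/null || true`, so on a base where neither apt nor apk succeeds the image still builds and only fails when conpot tries to bind 502 — the same silent failure the subject line sets out to remove; dropping the `|| true` on the setcap line at least would surface it at build time.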