Docker container runs as root by default which is insecure #295
Comments
|
I'd dispute that it is "very insecure". It is a docker container, which in itself is encapsulation regardless of user. (this is the default for spring boot applications btw, the official gradle plugin produces similar docker files). I'll accept PRs for security hardening though. |
|
By itself technically no but if someone were to manage to break out of the docker container using some other hack as the 'run as' user that would give them access to the host machine as root. I'm not familiar with the format or the build process you are using is there documentation as to how this works The build process works fine, although i'm assuming some config is require to make the firefox UI tests work but i'm not really concerned about that, although one the docker image is built I'm not sure what to set JAVA_OPTS to. |
|
Build process is simply a dockerfile https://github.com/F43nd1r/Acrarium/blob/master/acrarium/Dockerfile |
Careful, this depends on the user running docker on the host, not the user within the container. |
Since at least some instances will run on Kubernetes this can be a security issue (albeit quite easy to fix), for more information take a look at this: https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked/#8-run-containers-as-a-non-root-user And user namespaces are still not supported by Kubernetes as of today. (kubernetes/enhancements#127) |
Execing into the container shows that the container by default runs as root user which is very insecure. Dockerfile should be changed to use a non root user.
The text was updated successfully, but these errors were encountered: