Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

non-root / unprivileged docker image #668

Closed candrews closed 1 year ago

candrews commented 2 years ago

Describe the bug

It's a nice practice for security reasons to have docker images use a non-root user.

For example, nginx publishes nginxinc/nginx-unprivileged (which uses the non-root user nginx) and nginx which uses root.

Ideally, the non-root / unprivileged Dockerfile may be as simple as:

FROM clamav/clamav:0.105.1
USER clamav

and those images would be published alongside the existing (root user using) images with a suffix, for example, there would be:

How to reproduce the problem

Run a docker image, for example, docker run -it --entrypoint /bin/sh clamav/clamav, and note that the user is root.

It would be nice if one could run docker run -it --entrypoint /bin/sh clamav/clamav:latest-unprivileged and see that a non-root user is used.
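The reproduction step above is a manual one (open a shell, look at the prompt). The script below, an added example and not code from the ClamAV project or from the issue author, turns it into a repeatable check: it writes the two-line Dockerfile from the issue to a temporary build context, builds an image from it, and reports the effective uid the image starts with. It assumes `docker` is on the PATH, that the base image tag `clamav/clamav:0.105.1` is pullable, and that a user named `clamav` exists in that image (a `USER` directive naming a user that is not in the image's `/etc/passwd` makes the build succeed but the container fail to start). The uid parsing is separated into its own function so the decision logic can be exercised without a Docker daemon.

```shell
#!/bin/sh
# Added example: verify that a container image's default user is not root.

# Return 0 if the argument is a numeric uid other than 0, 1 otherwise.
# Non-numeric input (e.g. an error message captured from docker) counts as
# a failed check rather than silently passing.
is_nonroot_uid() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;   # empty or not purely digits
  esac
  [ "$1" -ne 0 ]
}

# Print the effective uid a given image starts with, by overriding the
# entrypoint with `id -u`. Note this reports the image's default user;
# `docker run --user` at deploy time can still override it either way.
image_uid() {
  docker run --rm --entrypoint id "$1" -u
}

# Build an unprivileged variant of a base image using the Dockerfile from
# the issue (FROM + USER) and print the resulting tag. Assumed user name:
# "clamav", as in the issue text.
build_unprivileged() {
  base="$1"
  tag="$2"
  ctx=$(mktemp -d) || return 2
  printf 'FROM %s\nUSER clamav\n' "$base" > "$ctx/Dockerfile"
  docker build -q -t "$tag" "$ctx" >/dev/null || { rm -rf "$ctx"; return 2; }
  rm -rf "$ctx"
  echo "$tag"
}

# Report whether an image runs as a non-root user. Exit 0 if non-root,
# 1 if root, 2 if the uid could not be determined.
check_image_nonroot() {
  uid=$(image_uid "$1" 2>/dev/null) || return 2
  if is_nonroot_uid "$uid"; then
    echo "$1: default user is uid $uid (non-root)"
  else
    echo "$1: default user is root (uid $uid)"
    return 1
  fi
}

# Usage (only when run directly, not when sourced for the checks above):
# check the root-using base image from the issue, then the derived one.
if [ "${0##*/}" = "check-nonroot.sh" ]; then
  check_image_nonroot clamav/clamav:0.105.1 || true
  built=$(build_unprivileged clamav/clamav:0.105.1 clamav-local:unprivileged) \
    && check_image_nonroot "$built"
fi
```

Save as `check-nonroot.sh` and run it with Docker available; the first check is expected to report root for the published image (the situation the issue describes), and the second to report the `clamav` user's uid for the locally built variant.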

candrews commented 2 years ago

https://github.com/Cisco-Talos/clamav/pull/666 would be required for this issue

micahsnyder commented 2 years ago

@candrews I believe this issue is a duplicate of https://github.com/Cisco-Talos/clamav/issues/478 Is that correct?

candrews commented 2 years ago

@candrews I believe this issue is a duplicate of #478 Is that correct?

I wasn't aware of #478, thank you for pointing it out. I've added a comment: https://github.com/Cisco-Talos/clamav/issues/478#issuecomment-1210049327

I think it's very important for both root and non-root images to be published, which I've stated in this issue, whereas the current description of #478 seems to indicate that only non-root images would be published going forward (which would be a major problem for me and IMHO a major break in backwards compatibility).

micahsnyder commented 1 year ago

Closing this one to continue discussion in #478 and I will update the title and make a comment along those lines.