Audit containers that run root

EnigmaCurry / d.rymcg.tech

A collection of self-hosted docker-compose projects with Traefik reverse proxy, integrated auth, and administrative Makefiles for easy maintainance

MIT License

52 stars 8 forks source link

Open EnigmaCurry opened 1 year ago

EnigmaCurry commented 1 year ago

Many containers don't really need to run as root, or even if they do, they don't need quite as many capabilities as Docker gives by default.

There should also be a checker that finds the user that each container runs as, and show the capabilities added.

Making changes in #13

EnigmaCurry commented 1 year ago

New make audit target prints report on capabilities of each service container

The following containers have been worked on to reduce privileges in #13 :

Traefik - no longer needs root. The same UID needs to exist on the host. create with make traefik-user
whoami - runs as a normal user, customize WHOAMI_UID and WHOAMI_GID.
sftp - runs as root, but drops all unnecessary privileges.

EnigmaCurry commented 1 year ago

In #14 worked on cryptpad, baikal, bitwarden, and archivebox, all perform CAP_DROP ALL

EnigmaCurry commented 1 year ago

Efforts are on-going to reduce privileges, see SECURITY.md

EnigmaCurry commented 2 weeks ago

I have added recommendations for dropping privileges in SECURITY.md