Sundhedsdatastyrelsen / ehdsi

Danish implementation of MyHealth @ EU – eHealth Digital Service Infrastructure (eHDSI)
MIT License

Run docker images as non-root users #6

Open hansbugge opened 4 months ago

hansbugge commented 4 months ago

We should not run the services as root.

For the Tomcat Docker images, we can probably add something along the lines of

# create an unprivileged service account with a fixed UID/GID, then hand it
# only the Tomcat directories the server needs to read or write at runtime
RUN groupadd -g 1000 tomcat && \
  useradd -r -u 1000 -g tomcat tomcat && \
  chown -R tomcat:tomcat /usr/local/tomcat/bin /usr/local/tomcat/webapps /usr/local/tomcat/conf /usr/local/tomcat/logs

# subsequent RUN/CMD/ENTRYPOINT instructions, and the running container, use this account
USER tomcat

to the Dockerfiles and hopefully be good to go.

CBrams commented 4 months ago

I don't disagree that this would probably be optimal, but why do we want to be doing this? Is it to meet some testing standard? Just curious 😄

Is this a security concern? While I agree that it theoretically probably increases the security of the container, it seems like something we could do when we don't have anything better to focus on. The container is already limited to communicating on specific ports, and if a potential attacker gets access to the container, he can already access whatever files the user we configured has access to.

I think an easier way to accomplish basically the same thing would probably be to use multi-stage builds, and just only include the files we need to run in the container (something I think we already somewhat do).

hansbugge commented 3 months ago

Running the containerised process as non-root is best practice from a security perspective because it adds a layer of defence. It is especially relevant when the container runtime itself runs as root, which is the case with Docker, because then the root user in the container is the same as the root user on the host machine.

It is a case of the principle of least privilege. Services should run with service accounts that only allow them to fulfil their job, and that goes for containers as well as traditional servers.

Some container runtimes, e.g. OpenShift, do not allow for container processes running as root.

I agree that it is not super high priority, but there's a chance that we'll run into a security checklist that requires it.

https://stackoverflow.com/questions/68155641/should-i-run-things-inside-a-docker-container-as-non-root-for-safety
https://www.redhat.com/en/blog/understanding-root-inside-and-outside-container
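A check that fits the "security checklist" angle above and the Dockerfile change proposed in the first comment: a small pure-shell script, added here as an example and not part of the ehdsi repository, that reports which user a Dockerfile's final stage would run as, so a CI step can fail on images that still default to root. The image tags, paths and both sample Dockerfiles are constructed placeholders, not the project's real files.

```shell
#!/bin/sh
# Added example, not code from the ehdsi repository: a pure-shell check of the
# user a Dockerfile's final stage would run as, so a CI job can refuse images
# that still run as root. Rules: every FROM starts a new stage as root, the
# last USER after the last FROM wins, and "user:group" is reduced to "user".
# Limitation: USER values taken from ARG/ENV are reported verbatim, and a build
# that uses --target to stop at an earlier stage is not modelled.
dockerfile_effective_user() {
  # $1: path to a Dockerfile; prints the effective user name or UID
  awk '
    /^[ \t]*#/ { next }                                 # comment line
    toupper($1) == "FROM" { user = "root"; next }       # new stage, back to root
    toupper($1) == "USER" { user = $2; sub(/:.*/, "", user) }
    END { print (user == "" ? "root" : user) }
  ' "$1"
}

# Exit 0 when the final stage runs as a non-root user, 1 otherwise.
dockerfile_runs_as_nonroot() {
  u=$(dockerfile_effective_user "$1")
  [ "$u" != "root" ] && [ "$u" != "0" ]
}

# Constructed samples (image tags and paths are placeholders, not the
# project's real Dockerfiles). The hardened one is a two-stage build with
# the fix from the issue, so the check must look past the build stage.
TMP_DIR=$(mktemp -d)
cat > "$TMP_DIR/Dockerfile.hardened" <<'EOF'
FROM maven:3-eclipse-temurin-17 AS build
USER root
RUN mvn -q package

FROM tomcat:9-jre17
RUN groupadd -g 1000 tomcat && \
  useradd -r -u 1000 -g tomcat tomcat && \
  chown -R tomcat:tomcat /usr/local/tomcat/bin /usr/local/tomcat/webapps /usr/local/tomcat/conf /usr/local/tomcat/logs
COPY --from=build /app/target/app.war /usr/local/tomcat/webapps/
USER tomcat:tomcat
EOF

cat > "$TMP_DIR/Dockerfile.root" <<'EOF'
FROM tomcat:9-jre17
COPY app.war /usr/local/tomcat/webapps/
EOF

# Stand-alone usage: prints "tomcat" then "root"
dockerfile_effective_user "$TMP_DIR/Dockerfile.hardened"
dockerfile_effective_user "$TMP_DIR/Dockerfile.root"
```

Wire `dockerfile_runs_as_nonroot` into the build pipeline to make the non-root requirement enforced rather than relying on reviewers to spot a missing USER line.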