Yaskawa-Global / motoros2

ROS 2 (rcl, rclc & micro-ROS) node for MotoPlus-compatible Yaskawa Motoman robot controllers

readme: don't start Agent as root #220

Closed gavanderhoorn closed 6 months ago

gavanderhoorn commented 6 months ago

As per title.

The Agent does not have to be run as root on Linux systems. The example command line we show by default will do just that.

By adding --user=$(id -u):$(id -g) we ask Docker to start the Agent binary as the same user that runs the command, which is much better.
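
The two invocations side by side, as an added example that is not part of the issue or the motoros2 project's own documentation. The image name `microros/micro-ros-agent:humble`, the `udp4 -p 8888` Agent arguments and the `--net=host` flag are assumptions for illustration; substitute whatever your setup uses. `check_container_uid` needs a working Docker daemon and is meant to be run interactively, the other functions run offline:

```shell
#!/bin/sh
# Added example, not code from the motoros2 project or the issue author.
# Shows the default-style "docker run" (Agent process is uid 0 inside the
# container) beside the --user variant, plus a check of what uid a container
# actually gets.

IMAGE="microros/micro-ros-agent:humble"   # assumed image name
AGENT_ARGS="udp4 -p 8888"                 # assumed Agent arguments (unprivileged port)

# Weak: no --user, so the Agent runs as root inside the container.
weak_cmd() {
  printf 'docker run -it --rm --net=host %s %s\n' "$IMAGE" "$AGENT_ARGS"
}

# Hardened: --user=<uid>:<gid> makes Docker start the Agent as the invoking
# user. The Agent needs no root privileges, so nothing else changes.
hardened_cmd() {
  printf 'docker run -it --rm --net=host --user=%s:%s %s %s\n' \
    "$(id -u)" "$(id -g)" "$IMAGE" "$AGENT_ARGS"
}

# Returns 0 when the argument is a non-zero numeric uid, 1 otherwise
# (root, empty, or not a number at all).
uid_is_nonroot() {
  case "$1" in
    0)           return 1 ;;
    ''|*[!0-9]*) return 1 ;;
    *)           return 0 ;;
  esac
}

# Start a throwaway container the hardened way, ask it for its uid and verify
# it is not root. Requires docker and access to the daemon, so it is not called
# from the top level here; run it by hand after adopting the --user flag.
check_container_uid() {
  uid=$(docker run --rm --user="$(id -u):$(id -g)" --entrypoint id "$IMAGE" -u) || return 1
  uid_is_nonroot "$uid"
}

echo "Weak (Agent runs as uid 0 in the container):"
weak_cmd
echo "Hardened (Agent runs as your own uid/gid):"
hardened_cmd
```

Using `$(id -u):$(id -g)` rather than a hard-coded uid keeps the command copy-pasteable for any user; if the container image ships files the Agent must write to, they have to be writable by that uid, which is the one thing to re-check after the change.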

ted-miller commented 6 months ago

I don't understand why this is a concern. Since it's running in an isolated container, why does it matter?

gavanderhoorn commented 6 months ago

Docker containers are typically started using the docker cli. This talks to the Docker daemon via a socket. The Docker daemon typically runs with super user privileges.

Running processes inside a Docker container as root makes it 'easier' to escape the container and then use those privileges to attack the host system.

If there are any security issues with the Agent, this would complicate exploiting them just a little bit.

It's a minor change in a command users typically copy-paste, so it should not really change UX.