ananthakumaran / paisa

Paisa – Personal Finance Manager. https://paisa.fyi demo: https://demo.paisa.fyi
GNU Affero General Public License v3.0
2.34k stars 117 forks

Docker container build: Using `/root` as the work dir is not advised #124

Open samip5 opened 7 months ago

samip5 commented 7 months ago

Hi there,

I was looking at the Dockerfile and noticed that the app root is at /root. I'm not exactly sure why one would think of putting it there, but that seems like not the greatest design decision, so it should probably be fixed. I'm not sure if that will actually prevent the container from working as non-root.

Please instead move it to e.g. /app and just create the directory before changing the work dir there.

ananthakumaran commented 7 months ago

Could you give more concrete reasons? Note that the docker file is already in use and making random changes would break the existing setup for users. Also, the current working directory is irrelevant and all the files get stored under /root/Documents/paisa/.

samip5 commented 7 months ago

> Could you give more concrete reasons? Note that the docker file is already in use and making random changes would break the existing setup for users. Also, the current working directory is irrelevant and all the files get stored under /root/Documents/paisa/.

It's not irrelevant: if one mounts a block device (e.g. in a Kubernetes environment) to said path, it will override the app files instead, and the permissions on that path are more than likely root:root, which will make it inaccessible to a non-root user and thus make the container unusable if one doesn't want to run it privileged.

shyamjos commented 6 months ago

Running a container as the root user is not advised. Suppose there is a vulnerability in the web app (e.g. remote code execution); in that case the attacker can gain access to the container with root user privileges. A less privileged user is always better.

ananthakumaran commented 6 months ago

Though the root user inside the docker is not as powerful as the root user, agreeing with the general principle, the root user increases the scope unnecessarily. I will try to spend some time. If there are any other packaged docker apps, you can share the link; it would reduce the amount of research I need to do.

samip5 commented 6 months ago

> Though the root user inside the docker is not as powerful as the root user, agreeing with the general principle, the root user increases the scope unnecessarily. I will try to spend some time. If there are any other packaged docker apps, you can share the link; it would reduce the amount of research I need to do.

There are MANY that run as non-root. Have a look: https://github.com/onedr0p/containers.

vishalnandagopal commented 5 months ago

For this use case, a simple

```dockerfile
RUN ["useradd","--create-home","paisa-user"]

USER paisa-user
```

should suffice, right @samip5? Or whatever the equivalent command is for alpine. And then changing workdir to /home/paisa-user/?

samip5 commented 5 months ago

> For this use case, a simple
>
> ```dockerfile
> RUN ["useradd","--create-home","paisa-user"]
>
> USER paisa-user
> ```
>
> should suffice, right @samip5? Or whatever the equivalent command is for alpine. And then changing workdir to /home/paisa-user/?

I would also recommend changing the resulting workdir where the app is run from so that it does not use /root. Examples of where it could be include /app and /usr/local/app, but are not limited to those. Also, if you do create the home for the user, then the workdir should also use /home/paisa-user in your example.
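
An added example, not part of the thread or the paisa repository: a small check that reads a Dockerfile and reports the two conditions discussed above, a final stage that runs as root and a `WORKDIR` inside `/root`. The function name `audit_dockerfile` and both sample Dockerfiles are constructed for illustration; it assumes one instruction per line with no line continuations or variable expansion.

```python
import posixpath

# Constructed sample, not the project's Dockerfile: a two-stage build whose
# final stage never sets USER and works out of /root.
SAMPLE_ROOT = """\
FROM golang:1 AS build
USER nobody
WORKDIR /src
FROM alpine:3
WORKDIR /root
CMD ["app"]
"""

# Constructed sample following the thread's suggestion (/app, dedicated user).
SAMPLE_NONROOT = """\
FROM alpine:3
RUN adduser -D paisa-user
WORKDIR /app
USER paisa-user
CMD ["app"]
"""


def audit_dockerfile(text):
    """Return findings for the final build stage of a Dockerfile."""
    user, workdir = None, "/"
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        instr, arg = parts[0].upper(), parts[1].strip()
        if instr == "FROM":
            # A new stage starts from the base image's defaults again.
            user, workdir = None, "/"
        elif instr == "USER":
            user = arg.split(":", 1)[0]  # drop the optional :group part
        elif instr == "WORKDIR":
            # Relative WORKDIR values resolve against the previous one.
            workdir = posixpath.normpath(posixpath.join(workdir, arg))
    findings = []
    if user is None:
        findings.append("no USER in final stage: runs as the base image's user, usually root")
    elif user in ("root", "0"):
        findings.append("final USER is root")
    if workdir == "/root" or workdir.startswith("/root/"):
        findings.append(f"WORKDIR {workdir} is inside root's home directory")
    return findings
```

A `USER` set in an earlier build stage does not carry over to the final image, which is why the first sample is still flagged even though its build stage runs as `nobody`.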