cachethq / Docker

A Dockerized version of Cachet.
https://cachethq.io
BSD 3-Clause "New" or "Revised" License

Don't put www-data user in the root group #307

nzin-appdirect closed 6 years ago

nzin-appdirect commented 6 years ago

In the current Dockerfile, user www-data belongs to the root group. When using a security scanner on the Docker image, CachetHQ raises an alarm because operations are done with the root group. I think it is not a good practice, so I created this PR and tested it locally. But I was not able to make `make test` work properly (on my local Mac).

cit1zen commented 6 years ago

The root group thing was done to make the container work in OpenShift clouds (official guidelines).

AFAIK the root group is not privileged, but it could be beneficial to remove unnecessary privileges.

nzin-appdirect commented 6 years ago

OK, so we cannot remove the root group? :-) (I have to admit, keeping the root group is counterintuitive...)

cit1zen commented 6 years ago

If you don't want to create a special image only for OpenShift or do some nasty hacks, then no. At least that is how I understand it.

nzin-appdirect commented 6 years ago

OK, I will close the ticket then. I don't want to do an ugly hack anywhere! ;-)
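
The scanner finding discussed in this thread comes down to a membership check over an image's `/etc/passwd` and `/etc/group`. The script below is an added example, not code from this PR or from the Cachet project; the function names and the account data are constructed for illustration.

```shell
#!/bin/sh
# Added example: report non-root accounts that belong to group 0 (root),
# as primary group (passwd field 4) or supplementary member (group field 4).

# usage: root_group_members PASSWD_FILE GROUP_FILE
root_group_members() {
    awk -F: '
        # Pass 1, group(5): collect the member list of the gid-0 group.
        pass == 1 {
            if ($3 == 0) {
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") extra[m[i]] = 1
            }
            next
        }
        # Pass 2, passwd(5): uid 0 is root itself, so skip it.
        $3 == 0       { next }
        $4 == 0       { print $1 ":primary"; next }
        ($1 in extra) { print $1 ":supplementary" }
    ' pass=1 "$2" pass=2 "$1"
}

# Constructed sample data (not taken from the Cachet image).
sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
www-data:x:82:82:www-data:/var/www:/sbin/nologin
app:x:1001:0:app:/app:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
EOF
    cat > "$1/group" <<'EOF'
root:x:0:root,www-data
www-data:x:82:
nobody:x:65534:
EOF
}

# Run the check over the constructed files and print the findings.
demo() {
    tmp=$(mktemp -d) || return 1
    sample_files "$tmp"
    root_group_members "$tmp/passwd" "$tmp/group"
    rm -rf "$tmp"
}
demo
```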