Closed krancour closed 5 years ago
@krancour I think we are running as a non-root user?
Does not seem it:
[kent@mbp ~]$ k exec -it deis-builder-5qn00 -- bash
bash-4.3# whoami
root
But let's hold off on doing anything with this until after the Dockerfile's been refactored for Ubuntu Slim, which I am working on. Otherwise, there's just going to be an unresolvable merge conflict and we'll make extra work for ourselves.
Yeah I think openssh is running as root in order to bind to port 22.
@krancour I think the new ubuntu slim image is not running builder as root. Let me know if this isn't fixed.
Bumping from RC1, as this is not critical for the RC.
That's fine.
The server itself is still running as root, so this is not yet resolved. All processes should be run as non-root. If any of them are compromised, the user has root-level access and could break out of the container onto the host.
root@deis-builder-ef12k:/# ps faux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 15 1.0 0.0 18288 3360 ? Ss 17:53 0:00 bash
root 25 0.0 0.0 34428 2808 ? R+ 17:53 0:00 \_ ps faux
root 1 0.1 0.2 224688 23076 ? Ssl 17:52 0:00 /usr/bin/boot s
This issue was moved to teamhephy/builder#32
This is a best practice we should follow wherever we can.
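A check for the condition this thread tracks, added here as an example and not taken from the issue or the deis/builder code: it reads the effective UID of every process from `/proc/<pid>/status` and fails if any is 0. The function names `find_root_procs` and `make_sample_proc`, and the `sshd` entry with UID 1001, are hypothetical and constructed for the demonstration.

```shell
#!/bin/sh
# Added example; not code from deis/builder.

# List processes whose effective UID is 0.
# $1: proc directory (defaults to /proc; another path can be passed for testing).
# Prints "PID NAME" for each offender and returns 1 if any were found.
find_root_procs() {
    procdir="${1:-/proc}"
    found=0
    for status in "$procdir"/[0-9]*/status; do
        [ -r "$status" ] || continue      # process exited, or glob matched nothing
        pid="${status%/status}"
        pid="${pid##*/}"
        # The "Uid:" line lists real, effective, saved and filesystem UIDs.
        # The effective UID (field 3) is what permission checks use.
        euid=$(awk '$1 == "Uid:" { print $3; exit }' "$status")
        name=$(awk '$1 == "Name:" { print $2; exit }' "$status")
        if [ "$euid" = "0" ]; then
            printf '%s %s\n' "$pid" "$name"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample laid out like /proc/<pid>/status: PID 1 ("boot") runs
# as root as in the ps output above; PID 30 is a made-up non-root process.
make_sample_proc() {
    dir=$(mktemp -d)
    mkdir "$dir/1" "$dir/30"
    printf 'Name:\tboot\nUid:\t0\t0\t0\t0\n' > "$dir/1/status"
    printf 'Name:\tsshd\nUid:\t1001\t1001\t1001\t1001\n' > "$dir/30/status"
    echo "$dir"
}

sample=$(make_sample_proc)
find_root_procs "$sample" || echo "FAIL: processes running as root"
rm -rf "$sample"
```

Run inside the container with no argument, the function inspects the live `/proc`, so its non-zero return can gate an image smoke test.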