dunglas / symfony-docker

A Docker-based installer and runtime for Symfony. Install: download and `docker compose up`.
https://dunglas.dev/2021/12/symfonys-new-native-docker-support-symfony-world/
2.59k stars, 770 forks

Run container as an unprivileged user #679

Open damienfern opened 1 week ago

damienfern commented 1 week ago

Hi,

Thanks for this template, very useful! :pray:

Many resources suggest using an unprivileged user in the container in order to prevent privilege escalation attacks (e.g. OWASP https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-2-set-a-user or the Docker docs https://docs.docker.com/build/building/best-practices/#user).

It seems that's not the case in this template with FrankenPHP, and based on its docs, FrankenPHP can be used with an unprivileged user. Is it on purpose, or is it a feature that can be added to this template?

7-zete-7 commented 1 week ago

Hi, @damienfern

I'm also interested in this question!

For now, I'm using the following edits to run FrankenPHP as the built-in user www-data.

frankenphp/docker-entrypoint.sh

@@ -53,8 +53,9 @@
        fi
    fi

-   setfacl -R -m u:www-data:rwX -m u:"$(whoami)":rwX var
-   setfacl -dR -m u:www-data:rwX -m u:"$(whoami)":rwX var
+   chgrp -R www-data var /data /config
+   setfacl -R -m u:www-data:rwX -m u:"$(whoami)":rwX var /data /config
+   setfacl -dR -m u:www-data:rwX -m u:"$(whoami)":rwX var /data /config
 fi

-exec docker-php-entrypoint "$@"
+su -c "docker-php-entrypoint $*" -s '/bin/sh' 'www-data'
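Review bot: the replacement for the `exec` line, `su -c "docker-php-entrypoint $*" -s '/bin/sh' 'www-data'`, flattens the entrypoint's arguments: `$*` joins them into one string that `/bin/sh -c` re-splits, so any argument containing spaces or shell metacharacters is mangled, and dropping `exec` leaves root's `su` process as PID 1 instead of FrankenPHP, so the SIGTERM from `docker stop` reaches `su` and has to be relayed rather than hitting the server directly. Prefer a privilege-dropping exec that preserves argv, for example `exec setpriv --reuid=www-data --regid=www-data --init-groups -- docker-php-entrypoint "$@"` (util-linux `setpriv`, available on Debian-based images) or `exec su-exec www-data docker-php-entrypoint "$@"` on Alpine. Once the server no longer runs as root it also needs `CAP_NET_BIND_SERVICE` on the frankenphp binary, or ports above 1024, to bind 80/443.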

With this edit the container still runs as root, but FrankenPHP runs as www-data.

I'm not sure if this is the correct way, but in my case it works so far.

I would also be glad if this template contained information about a more correct way to run the container not as a privileged user.

dunglas commented 1 week ago

Modifying the Dockerfile like this should help: https://frankenphp.dev/docs/docker/#running-as-a-non-root-user

A doc PR explaining how to change this template to run as a non-root user is very welcome; however, we won't do that by default, because this causes many issues.
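For readers who want to see what the Dockerfile change pointed to above looks like, here is the non-root setup written out as an added example; it is not the template's own Dockerfile nor code from the FrankenPHP project. The user name `appuser`, the UID `1000`, the binary path `/usr/local/bin/frankenphp` and the `/data/caddy` and `/config/caddy` directories are assumptions based on the stock FrankenPHP image layout and should be checked against the image actually in use.

```dockerfile
# Added example: run FrankenPHP as an unprivileged user.
# Follows the approach described in the FrankenPHP docs linked above; not the template's Dockerfile.
FROM dunglas/frankenphp

# Assumed user name and UID; both are arbitrary choices.
ARG USER=appuser
ARG UID=1000

RUN set -eux; \
    # Debian-based image; on Alpine variants use "adduser -D -u ${UID} ${USER}" instead.
    useradd --uid "${UID}" --create-home "${USER}"; \
    # Let the unprivileged process bind ports 80/443 without running as root.
    # The binary path is an assumption about the official image; setcap is assumed to be installed.
    setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/frankenphp; \
    # Caddy stores certificates and its autosaved config here, so the new user must own them
    # (the hunk above grants the same directories to www-data via ACLs instead).
    chown -R "${USER}:${USER}" /data/caddy /config/caddy

# From here on every layer and the running container use the unprivileged user.
# Verify inside the container with: id -u  (should no longer be 0)
USER ${USER}
```

With `USER` set, any entrypoint step that still needs root (the `setfacl` calls shown in the hunk above, package installation, writing outside directories the user owns) fails at startup and has to move into the build stage or be dropped; that is the class of breakage the maintainer refers to, and the reason a non-root default is not a drop-in change for this template.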