future-architect / vuls

Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices
https://vuls.io/
GNU General Public License v3.0

security in docker : use an applicative user instead of root to run vuls server #1077

Open tramora opened 4 years ago

tramora commented 4 years ago

Hi, currently (in version 0.12.3 at least) the process runs under root:

    1 root      0:00 vuls server -listen 0.0.0.0:5515 -format-json -debug -debug-sql -cvedb-type=http -cvedb-url=http://vuls-go-cve-dictionary:1323 -ovaldb-type=http -ovaldb-url=http://vuls-goval-dictionary:1324

It seems better to create and use an applicative user instead.

kotakanbe commented 4 years ago

Pull Request welcome 👍

Jiab77 commented 3 years ago

Hi @tramora, I was able to make it run while using Docker in Rootless mode. I'll add the required documentation soon.

tramora commented 3 years ago

Thanks for your comments @kotakanbe & @Jiab77. Indeed, users can use that kind of workaround even in Kubernetes.

# in the deployment yaml
securityContext:
  runAsNonRoot: true
  runAsUser: 27740
  runAsGroup: 27740
  allowPrivilegeEscalation: true

That's why this "issue" seems very low priority even if it should be simple to fix

In dockerfile

# unprivileged account: no password (-D), no login shell (busybox adduser syntax)
RUN apk add --no-cache sudo && \
    adduser -D -s /sbin/nologin app_user

and in the entrypoint call

# sudo is installed under /usr/bin on Alpine, so let PATH resolve it; exec keeps vuls as PID 1
exec sudo --user=app_user vuls
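Both workarounds above (a Kubernetes securityContext override and a sudo-based entrypoint) fix the problem at run time. The following Dockerfile is an added example, not the vuls project's own Dockerfile, showing the in-image fix: create the service account at build time and switch to it with `USER`, so the container starts as that user without sudo and without any per-deployment override. It assumes a `vuls` binary has already been built on the host (for example with `make build` in the repository checkout) and sits next to the Dockerfile; the UID/GID 27740 and the `/vuls` working directory are arbitrary choices, and the `CMD` mirrors only the `-listen` flag from the process listing above.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not the vuls project's Dockerfile): run `vuls server` as a
# dedicated unprivileged user that is baked into the image.
# Assumptions: ./vuls is a binary built on the host; UID/GID 27740 and /vuls
# are arbitrary; only the -listen flag of the server is reproduced.
FROM alpine:3.19

# CA bundle so the server can reach HTTPS dictionary endpoints. No sudo needed.
RUN apk add --no-cache ca-certificates

# System account: fixed UID/GID, no password (-D), no home dir (-H),
# no login shell. busybox addgroup/adduser syntax.
RUN addgroup -g 27740 -S vuls \
 && adduser -u 27740 -S -G vuls -D -H -s /sbin/nologin vuls

# The binary stays root-owned and read-only for the service user.
COPY --chown=root:root vuls /usr/local/bin/vuls

# Only the working directory (config.toml, results/) is writable by vuls.
RUN mkdir -p /vuls && chown vuls:vuls /vuls
WORKDIR /vuls
VOLUME ["/vuls"]

# Everything from here on, including CMD at run time, executes as UID 27740.
USER vuls:vuls
EXPOSE 5515
ENTRYPOINT ["/usr/local/bin/vuls"]
CMD ["server", "-listen", "0.0.0.0:5515"]
```

To check the result, `docker run --rm --entrypoint id <image>` should print uid 27740 rather than 0, and `docker top <container>` on a running instance should list `vuls server ...` under that UID instead of root. Because the image carries its own `USER`, the Kubernetes `runAsNonRoot: true` check passes without an explicit `runAsUser`, and `allowPrivilegeEscalation` can be `false`, since no setuid binary such as sudo is involved in starting the process. One caveat: a bind-mounted host directory keeps its host ownership, so it must be chowned to UID 27740 (or the pod's `fsGroup` set accordingly) or the server will not be able to write its results there.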