20 and #34 introduced containerization in production mode, #86 will extend it to development mode.
However the processes are run as root in the containers, one could argue that even if an attacker manages to exploit the website and get a shell (it would then be a root shell) they would still be in the container, so separated from the actual server.
But what if they manages to docker escape? or what if they simply installs parasite processes, for example to spy on users or exploit our server computation resources? One could theoretically could do that from within the container.
This issue arises to me when working on the mongodb image/container for #95 and I read this:
comparison from bitnami about root/non-root containers.
Anyway running containers as root is still a bad habit.
Problem
Run an exposed to the internet process as root is a bad security habit, even in a container.
Solution
We should refactor both dev and production mode (meaning environment so Dockerfiles and docker-compose files) to run processes as unprivileged users.
We could let the development environment as is but in order to detect bugs as early as possible, development and production environment (as well as test env) should be as similar as possible. So I'd prefer to refactor both!
Context
20 and #34 introduced containerization in production mode, #86 will extend it to development mode.
However the processes are run as root in the containers, one could argue that even if an attacker manages to exploit the website and get a shell (it would then be a root shell) they would still be in the container, so separated from the actual server. But what if they manages to docker escape? or what if they simply installs parasite processes, for example to spy on users or exploit our server computation resources? One could theoretically could do that from within the container. This issue arises to me when working on the mongodb image/container for #95 and I read this: comparison from bitnami about root/non-root containers.
Anyway running containers as root is still a bad habit.
Problem
Run an exposed to the internet process as root is a bad security habit, even in a container.
Solution
We should refactor both dev and production mode (meaning environment so Dockerfiles and docker-compose files) to run processes as unprivileged users. We could let the development environment as is but in order to detect bugs as early as possible, development and production environment (as well as test env) should be as similar as possible. So I'd prefer to refactor both!
We could encounter issues with mounted volume.