ioos / compliance-checker-web

Web-based front-end for the IOOS Compliance Checker project
https://compliance.ioos.us
MIT License

Don't run container as root #96

Closed benjwadams closed 4 years ago

benjwadams commented 5 years ago

Container should not be running as user root. This is doubly true as this service is designed to take untrusted binary user input and validate it, which opens a potential attack vector should the NetCDF libraries have a vulnerability to specially crafted input files.

Bobfrat commented 4 years ago

@benjwadams is this still an issue worth investigating while you're working in the Dockerfile?

benjwadams commented 4 years ago

Yes. It looks like the previous image, based upon "Phusion Baseimage", required root to run the init system it invoked. We are now using a CentOS 7 image, so it should be feasible to use a non-root user as long as any temporary storage for NetCDF files sent to the checker is writable by said user.

benjwadams commented 4 years ago

PS: If you really want to use an init system, docker run always has the --init argument so that you can still use an init system in an image which doesn't supply one by default.
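
The two conditions raised in this thread (the service runs as a non-root user, and the temporary storage for uploaded NetCDF files is writable by that user) can be checked when the container starts. The entrypoint wrapper below is an added example, not code from this thread or from the project; `UPLOAD_DIR` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not project code): entrypoint preflight for a container that
# parses untrusted NetCDF uploads. UPLOAD_DIR is a hypothetical variable that
# names the temporary upload directory.

# check_not_root UID: succeed only for a numeric, non-zero uid.
check_not_root() {
    case "$1" in
        ''|*[!0-9]*)
            echo "preflight: cannot determine uid" >&2
            return 2 ;;
    esac
    if [ "$1" -eq 0 ]; then
        echo "preflight: refusing to run as root; set USER in the Dockerfile" >&2
        return 1
    fi
    return 0
}

# check_upload_dir DIR: succeed only if DIR is a directory in which the
# current user can really create and delete a file.
check_upload_dir() {
    dir=$1
    if [ -z "$dir" ] || [ ! -d "$dir" ]; then
        echo "preflight: upload directory '$dir' does not exist" >&2
        return 1
    fi
    probe=$(mktemp "$dir/.preflight.XXXXXX" 2>/dev/null) || {
        echo "preflight: '$dir' is not writable by uid $(id -u)" >&2
        return 1
    }
    rm -f "$probe"
    return 0
}

# preflight UID DIR: both conditions must hold before the service starts.
preflight() {
    check_not_root "$1" && check_upload_dir "$2"
}

# Used as an ENTRYPOINT wrapper: check, then replace this shell with the
# real command (passed as arguments) so signals reach it directly.
if [ "$#" -gt 0 ]; then
    preflight "$(id -u)" "${UPLOAD_DIR:-}" || exit 1
    exec "$@"
fi
```

Failing at start-up makes a misconfigured image (missing `USER`, or an upload volume owned by another uid) visible immediately rather than at the first upload.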