nanocurrency / nano-node

Nano is digital currency. Its ticker is: XNO and its currency symbol is: Ӿ
https://nano.org
BSD 3-Clause "New" or "Revised" License
3.48k stars 783 forks

Suggestion: run docker as non-root #2122

Open ksemaev opened 5 years ago

ksemaev commented 5 years ago

Most Docker orchestration systems require, or at least recommend, running processes in Docker as non-root. I tried it with your container, and it did work normally, so maybe you can add something like this to your Dockerfile:

```dockerfile
RUN groupadd --gid 1000 nano && \
    useradd --uid 1000 --gid nano --shell /bin/bash --create-home nano

COPY entry.sh /home/nano/entry.sh
RUN chmod a+x /home/nano/entry.sh

WORKDIR /home/nano
USER nano

ENTRYPOINT /home/nano/entry.sh
```

zhyatt commented 4 years ago

Moving to V22 to ensure low upgrade resistance for V21 as faster upgrades are desired for work difficulty increase purposes.

thsfs commented 3 years ago

Added a PR for this in nano-docs repo: https://github.com/nanocurrency/nano-docs/pull/507

My1 commented 3 years ago

If this goes through, we definitely need some migration, like file system permissions.

But why the user 1000? That is likely the first user on the host, which might not be one that's supposed to mess with anything.
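
The two concerns raised in the thread, existing data still owned by another user and UID 1000 mapping to a real host account on a bind mount, can be checked before an existing deployment is switched to a non-root image. This is an added example, not code from the thread or from the nano-node project; the function names are hypothetical, and the data directory, UID/GID and passwd file are assumed to be supplied by the operator.

```shell
#!/bin/sh
# Added example: pre-flight check for a root -> non-root container migration.
# All function names are hypothetical; paths and ids are caller-supplied.

# Print the account name that owns numeric uid $2 in passwd file $1
# (empty output if no account has that uid).
uid_owner_name() {
    awk -F: -v u="$2" '$3 == u { print $1; exit }' "$1"
}

# Count entries under directory $1 not owned by uid $2 and gid $3.
# These are the files the non-root process could fail to read or write.
count_foreign_owned() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print 2>/dev/null \
        | wc -l | tr -d ' '
}

# preflight DATA_DIR UID GID [PASSWD_FILE]
# Returns 0 if the directory is ready, 1 if ownership must be migrated,
# 2 if the data directory does not exist.
preflight() {
    pf_dir=$1; pf_uid=$2; pf_gid=$3; pf_passwd=${4:-/etc/passwd}
    if [ ! -d "$pf_dir" ]; then
        echo "data directory $pf_dir not found" >&2
        return 2
    fi
    # A bind mount carries numeric ids only, so the container's uid is
    # whichever host account happens to have the same number.
    pf_name=$(uid_owner_name "$pf_passwd" "$pf_uid")
    if [ -n "$pf_name" ]; then
        echo "note: uid $pf_uid is host account '$pf_name'" >&2
    fi
    pf_n=$(count_foreign_owned "$pf_dir" "$pf_uid" "$pf_gid")
    if [ "$pf_n" -eq 0 ]; then
        return 0
    fi
    echo "$pf_n entries need: chown -R $pf_uid:$pf_gid $pf_dir" >&2
    return 1
}

# Run directly as: preflight.sh DATA_DIR UID GID [PASSWD_FILE]
[ "$#" -lt 3 ] || preflight "$@"
```
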