nginxinc / docker-nginx

Official NGINX Dockerfiles
BSD 2-Clause "Simplified" License
3.26k stars 1.73k forks

Problems hardening the image according to CIS benchmarks #734

Open ioah86 opened 1 year ago

ioah86 commented 1 year ago

The CIS benchmark 2.3.3 for NGINX requires the nginx.pid file to be owned by root:root and readable by anyone else.

According to best practices for Dockerfiles, one should run processes as non-root user: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user

Now, when I pull from this image and create a Dockerfile which ends in

USER nginx

I get the issue that the nginx.pid file is not readable. Is it possible to create an image where the PID file is owned by root, readable by others, and the executing user of the CMD is not root?

thresheek commented 1 year ago

No, nginx needs to be able to write PID to a file.

ioah86 commented 1 year ago

Yes, I am aware that it needs that. But, as you can see from my question, one is in a pickle:

Adding USER nginx at the end of the Dockerfile requires me to change the ownership/permissions on the nginx.pid file, which violates the CIS benchmark. Leaving the user as root at the end of the file violates the Docker best practice to run as non-root user.

Is there a possibility to have both in a container?

thresheek commented 1 year ago

It's not possible to have both. I would argue however that the only thing that runs as root in this image is the master process with a really low attack surface, most of runtime operations are done by workers with less privilege.

In any case, maybe an unprivileged image would better suit your needs? https://github.com/nginxinc/docker-nginx-unprivileged

ioah86 commented 1 year ago

Well, the unprivileged container has chosen the path of lifting the restrictions of the PID file by putting it into /tmp. Anyway, maybe there should be a way to run the master process as non-root... Could be a feature request to NGINX in general? Just a thought.
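As an added illustration of the trade-off discussed in this thread (this is example code, not a Dockerfile from the docker-nginx or docker-nginx-unprivileged projects), the following derives a non-root image from the official one by moving everything the master process must write to locations the nginx user owns. The base tag `nginx:1.25`, port 8080 and `/tmp/nginx.pid` are assumptions for the example; the PID path is the same choice the unprivileged image makes, and it is exactly what makes CIS 2.3.3 as written unsatisfiable here, because the file ends up owned by nginx:nginx rather than root:root.

```dockerfile
# Added example, not the project's own Dockerfile.
# Assumed base image tag; the built-in "nginx" user and group come with the image.
FROM nginx:1.25

# The master process has to create the PID file, the cache/temp directories and
# (via the entrypoint's envsubst templating) files under /etc/nginx/conf.d.
# - pid: relocated to /tmp, which is writable by any uid (sticky bit), so the
#   file will be owned by nginx:nginx, not root:root as CIS 2.3.3 expects.
# - user directive: only meaningful when the master runs as root; dropping it
#   avoids a startup warning once USER nginx is in effect.
# - listen: ports below 1024 need CAP_NET_BIND_SERVICE, so serve on 8080.
RUN sed -i 's#^pid\s\+.*;#pid /tmp/nginx.pid;#' /etc/nginx/nginx.conf \
 && sed -i '/^user\s\+nginx;/d' /etc/nginx/nginx.conf \
 && sed -i 's#listen\s\+80;#listen 8080;#' /etc/nginx/conf.d/default.conf \
 && chown -R nginx:nginx /var/cache/nginx /etc/nginx/conf.d

EXPOSE 8080

# Everything from here on, master process included, runs as the unprivileged user.
USER nginx
CMD ["nginx", "-g", "daemon off;"]
```

Build and run with `docker build -t nginx-nonroot .` and `docker run --rm -p 8080:8080 nginx-nonroot`; inside the container `stat -c '%U:%G %a' /tmp/nginx.pid` will report `nginx:nginx`, which is the benchmark finding the issue is about. The alternative, keeping root as the container user, leaves only the master process privileged (the workers still drop to nginx), which is the position taken in the maintainer's reply above.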