Closed dabooz closed 3 years ago
See the service user like this:
docker exec -it <container-id> /bin/sh
ps
PID USER TIME COMMAND
1 root 0:01 {service.sh} /bin/sh /service.sh
Some initial research here I will begin testing with when I dive into this issue soon: https://medium.com/@mccode/processes-in-containers-should-not-run-as-root-2feae3f0df3b
Added the following to the helloworld Dockerfile for amd64:
# Create hzngroup and hznuser
RUN addgroup -S hzngroup && adduser -S hznuser -G hzngroup
# Run container as hznuser user
USER hznuser
Resulted in the process running as the appuser instead of root
root@adonis1:~/helloworld# docker exec -it 1d186d949242 /bin/sh
/ $ ps
PID USER TIME COMMAND
1 appuser 0:00 {service.sh} /bin/sh /service.sh
12 appuser 0:00 /bin/sh
18 appuser 0:00 sleep 3
19 appuser 0:00 ps
PR submitted for helloworld and cpu2evtstreams to run as non-root user, but the lower level services (such as cpu and gps) bind to port 80 which requires root privileges.
I'm closing this issue and opening a future issue to change them to port 8080 so they can also run as non-root
A security vulnerability analysis will show that apps running as root in a container are potentially dangerous, and therefore the examples should show best practices.
Some more background from Dave: further, some of the currently known exploits on Linux occur when the Linux container support is invoked as root, when running inside the container as root. This is the gist of why security people are concerned about running as root in a container... because it allows an attacker to exploit the underlying Linux code. If a container is not running as root, an attacker is limited in his abilities to get to the Linux kernel.
If no user is explicitly used, you will run as root. Security scan tools flag this stuff. When a customer had IBM security folks scan and try to attack IEC, the only vulnerabilities they found were the helloworld app running as root... thus I opened the issue to fix it when we get a chance, because it doesn't demonstrate best practices. As usual with security stuff, it is not clear how much of this is grounded in FUD, but it is easier to just change this.
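A static check of the kind the thread says scan tools perform, as an added example that is not part of the original issue or the project's code: it reports the effective user of a Dockerfile's final stage (root when no USER is set) and any EXPOSE port below 1024, the case the thread identifies as blocking the cpu and gps services. The function names and both sample Dockerfiles are constructed for illustration, and the check assumes the base image does not set its own USER.

```python
import re

# Constructed sample Dockerfiles (not taken from the project's repositories).
ROOT_DOCKERFILE = """\
FROM alpine:latest
COPY service.sh /
EXPOSE 80
CMD ["/service.sh"]
"""

NONROOT_DOCKERFILE = """\
FROM alpine:latest AS build
USER root
RUN true
FROM alpine:latest
RUN addgroup -S hzngroup && adduser -S hznuser -G hzngroup
COPY service.sh /
EXPOSE 8080
USER hznuser
CMD ["/service.sh"]
"""

def audit_dockerfile(text):
    """Return (effective_user, privileged_ports) for the final build stage."""
    # Assumption: the base image sets no USER, so each stage starts as root.
    user, ports = "root", []
    text = re.sub(r"\\[ \t]*\n", " ", text)   # join line continuations
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instr = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        if instr == "FROM":                    # new stage: state resets
            user, ports = "root", []
        elif instr == "USER":                  # last USER in the stage wins
            user = arg.split(":")[0].strip()   # drop optional :group
        elif instr == "EXPOSE":
            for p in arg.split():
                num = p.split("/")[0]          # drop optional /tcp or /udp
                if num.isdigit() and int(num) < 1024:
                    ports.append(int(num))
    return user, ports

def runs_as_root(user):
    return user in ("root", "0")
```

EXPOSE is only a declaration, so a clean result here does not prove what port the service actually binds at runtime.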