open-horizon / examples

Code examples you can use with Horizon.
Apache License 2.0

Run example apps as non-root user inside the container #263

Closed dabooz closed 3 years ago

dabooz commented 4 years ago

A security vulnerability analysis will show that apps running as root in a container are potentially dangerous, and therefore the examples should show best practices.

Some more background from dave: further, some of the currently known exploits on linux occur when the linux container support is invoked as root, when running inside the container as root. This is the gist of why security people are concerned about running as root in a container: because it allows an attacker to exploit the underlying linux code. If a container is not running as root, an attacker is limited in his abilities to get to the linux kernel.

If no user is explicitly used, you will run as root. Security scan tools flag this stuff. When a customer had IBM security folks scan and try to attack IEC, the only vulnerabilities they found were the helloworld app running as root, thus I opened the issue to fix it when we get a chance, because it doesn't demonstrate best practices. As usual with security stuff, it is not clear how much of this is grounded in FUD, but it is easier to just change this.

t-fine commented 4 years ago

See the service user like this:

docker exec -it <container-id> /bin/sh
ps
PID   USER     TIME  COMMAND
    1 root      0:01 {service.sh} /bin/sh /service.sh

Some initial research here I will begin testing with when I dive into this issue soon: https://medium.com/@mccode/processes-in-containers-should-not-run-as-root-2feae3f0df3b

t-fine commented 4 years ago

Added the following to the helloworld Dockerfile for amd64

# Create hzngroup and hznuser
RUN addgroup -S hzngroup && adduser -S hznuser -G hzngroup

# Run container as hznuser user
USER hznuser

Resulted in the process running as the appuser instead of root

root@adonis1:~/helloworld# docker exec -it 1d186d949242 /bin/sh
/ $ ps
PID   USER     TIME  COMMAND
    1 appuser   0:00 {service.sh} /bin/sh /service.sh
   12 appuser   0:00 /bin/sh
   18 appuser   0:00 sleep 3
   19 appuser   0:00 ps

t-fine commented 4 years ago

PR submitted for helloworld and cpu2evtstreams to run as non-root user, but the lower-level services (such as cpu and gps) bind to port 80, which requires root privileges.

I'm closing this issue and opening a future issue to change them to port 8080 so they can also run as non-root.
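The two findings this thread converges on, a Dockerfile with no effective USER instruction and a service that exposes a privileged port (below 1024) and therefore needs root just to bind it, can both be caught before an image is built. The script below is an added example and is not code from the open-horizon/examples repository: it lints a Dockerfile for those two conditions and runs over two constructed sample Dockerfiles, one shaped like the original helloworld image (no USER, port 80) and one with the fix described above (hznuser, port 8080). The file names, the `alpine` base image and `/service.sh` are assumptions for the sample, and the runtime check from the thread (`docker exec ... ps` showing the USER column) remains the way to confirm what the built container actually does.

```shell
#!/bin/sh
# Added example, not from the open-horizon/examples repo.
# Static lint for the two issues raised in this thread:
#   1. no USER instruction (or USER root/0): the process runs as root
#   2. EXPOSE of a port below 1024: binding it needs root (or CAP_NET_BIND_SERVICE)
# The two Dockerfiles written below are constructed samples for the demo.

# dockerfile_user FILE -> prints the user set by the last USER instruction ("" if none)
dockerfile_user() {
    sed -e 's/#.*//' "$1" | awk 'toupper($1)=="USER"{u=$2} END{print u}'
}

# dockerfile_ports FILE -> prints every port named in EXPOSE lines, one per line
dockerfile_ports() {
    sed -e 's/#.*//' "$1" | awk 'toupper($1)=="EXPOSE"{for(i=2;i<=NF;i++)print $i}'
}

# check_dockerfile FILE -> prints findings; returns 0 when clean, 1 otherwise
check_dockerfile() {
    file=$1
    rc=0
    user=$(dockerfile_user "$file")
    case "$user" in
        ""|root|0|root:*|0:*)
            echo "$file: runs as root (USER=${user:-<unset>})"
            rc=1 ;;
    esac
    for p in $(dockerfile_ports "$file"); do
        n=${p%%/*}          # drop a /tcp or /udp suffix before comparing
        if [ "$n" -lt 1024 ] 2>/dev/null; then
            echo "$file: EXPOSE $p is a privileged port"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample Dockerfiles (assumed layout; not the repo's real files)
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/Dockerfile.before" <<'EOF'
FROM alpine:3.18
COPY service.sh /service.sh
EXPOSE 80
CMD ["/bin/sh", "/service.sh"]
EOF

cat > "$tmp/Dockerfile.after" <<'EOF'
FROM alpine:3.18
COPY service.sh /service.sh
# Create hzngroup and hznuser, as in the helloworld fix above
RUN addgroup -S hzngroup && adduser -S hznuser -G hzngroup
# Unprivileged port, so the service can bind without root
EXPOSE 8080
USER hznuser
CMD ["/bin/sh", "/service.sh"]
EOF

for f in "$tmp/Dockerfile.before" "$tmp/Dockerfile.after"; do
    if check_dockerfile "$f"; then
        echo "$f: OK"
    fi
done
```

The check looks only at the last USER instruction, because that is the one in effect when CMD runs, and it treats a missing USER the same as `USER root`, which matches the behaviour t-fine observed (`PID 1 ... root` when nothing is set). Run it against the Dockerfiles in the repository before submitting a PR; it will flag the cpu and gps services until they move to 8080.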