Open rare-magma opened 3 weeks ago
Hey, thanks a lot for the PR! This sounds good to me, but it seems there's incompatibility with su-exec.
% sudo docker run --cap-drop=ALL --cap-add=SETUID --cap-add=SETGID -v ~/LocalDirToShare:/shared -p 8001:8001 gossa
su-exec: setgroups(1000): Operation not permitted
Cf. Dockerfile's USER directive is incompatible with su-exec, basically nobody is not allowed to run su-exec. I'll dig into possible solutions for this, maybe su-exec isn't necessary if we run as nobody already.
That's interesting @pldubouilh, I tested this on podman and didn't face that issue, perhaps there's some difference in the implementation between the two? In that case we could drop the SETUID and SETGID capabilities then I think.
@pldubouilh I found a solution for the issue you mentioned and tested both on docker and podman (both as root and non root), please let me know what you think.
This PR hardens the security of the container by:
su-exec and entrypoint.sh
It also adds a default healthcheck command.
For more info see https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-3-limit-capabilities-grant-only-specific-capabilities-needed-by-a-container
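The setgroups error quoted in the thread is consistent with Linux capability handling: a process started as a non-root user normally has an empty effective capability set, so --cap-add only raises the bounding set and su-exec's setgroups() call is denied. The following is an added example, not code from this PR or the gossa repository: a hypothetical entrypoint helper that reads CapEff from /proc status text and decides whether su-exec can be used at all. Function names and the sample status excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the PR. Function names are hypothetical.
# Capability bit numbers from linux/capability.h.
CAP_SETGID_BIT=6
CAP_SETUID_BIT=7

# Constructed /proc/<pid>/status excerpts for three ways of starting the container.
ROOT_WITH_CAPS='CapPrm: 00000000000000c0
CapEff: 00000000000000c0
CapBnd: 00000000000000c0'
NOBODY_WITH_CAP_ADD='CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000000000c0'
ROOT_CAP_DROP_ALL='CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000000000000000'

# cap_eff: read status text on stdin, print the effective capability mask (hex).
cap_eff() {
    awk '$1 == "CapEff:" { print $2; exit }'
}

# has_cap HEXMASK BIT: succeed if the given bit is set in the mask.
has_cap() {
    [ $(( (0x${1:-0} >> $2) & 1 )) -eq 1 ]
}

# decide_launch UID STATUS_TEXT: print how the entrypoint should start the server.
#   su-exec : root with SETUID+SETGID effective, dropping privileges will work
#   direct  : already unprivileged, su-exec would fail on setgroups() and adds nothing
#   refuse  : root but unable to drop privileges, do not silently keep running as root
decide_launch() {
    uid=$1
    mask=$(printf '%s\n' "$2" | cap_eff)
    if [ "$uid" -ne 0 ]; then
        echo direct
    elif has_cap "$mask" "$CAP_SETGID_BIT" && has_cap "$mask" "$CAP_SETUID_BIT"; then
        echo su-exec
    else
        echo refuse
    fi
}

# In a real entrypoint: decide_launch "$(id -u)" "$(cat /proc/self/status)"
```

When the result is "direct", SETUID and SETGID are not needed by the entrypoint, so the container can run with --cap-drop=ALL alone.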