Open Cryptophobia opened 6 years ago
From @smothiki on May 19, 2016 18:4
@krancour I think we are running as a non root user ?
From @krancour on May 20, 2016 3:37
Does not seem it:
[kent@mbp ~]$ k exec -it deis-builder-5qn00 -- bash
bash-4.3# whoami
root
But let's hold off on doing anything with this until after the Dockerfile's been refactored for Ubuntu Slim-- which I am working on. Otherwise, there's just going to be an unresolvable merge conflict and we'll make extra work for ourselves.
From @bacongobbler on May 20, 2016 4:57
Yeah I think openssh is running as root in order to bind to port 22.
From @smothiki on May 23, 2016 22:43
@krancour I think the new ubuntu slim image is not running builder as root . Let me know if this isn;t fixed
From @arschles on May 24, 2016 20:0
bumping from RC1, as this is not critical for the RC
From @krancour on May 24, 2016 20:2
That's fine.
From @bacongobbler on May 31, 2016 17:55
The server itself is still running as root, so this is not yet resolved. All processes should be run as non-root. If any of them are compromised, the user has root level access and could break out of the container onto the host.
root@deis-builder-ef12k:/# ps faux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 15 1.0 0.0 18288 3360 ? Ss 17:53 0:00 bash
root 25 0.0 0.0 34428 2808 ? R+ 17:53 0:00 \_ ps faux
root 1 0.1 0.2 224688 23076 ? Ssl 17:52 0:00 /usr/bin/boot s
From @krancour on February 22, 2016 16:48
This is a best practice we should follow wherever we can.
Copied from original issue: deis/builder#194