tobybatch / kimai2

Docker containers for the kimai2 web application including docker-compose and kubernetes/helm deployment.
MIT License

Run as unprivileged user mapped to a host user/group #31

Closed ghost closed 4 years ago

ghost commented 5 years ago

It would be great if these images supported running as an unprivileged user right off the shelf. One potential option to do this is to use a similar RUN entrypoint as the linuxserver.io images use:

https://docs.linuxserver.io/general/understanding-puid-and-pgid

Right now, it should not be too difficult to leverage FPM through a socket which another container or host reverse proxy can use to serve the static content and actual PHP processing. This would significantly enhance the 'default' security of the application, as long as the container itself is properly initialized and configured, saving major Docker-specific vulnerabilities.

:-)

tobybatch commented 5 years ago

I'll pop this on my to-do list. Or if you want it badly then raise a PR and I'll incorporate it.

ghost commented 5 years ago

I can help. How about an easy fpm based image? alpine + fpm. TCP based socket for fpm, internal network for the container with an optional nginx instance (or similar). I would use a reverse proxy but whatever works there.

Take a look at the Dockerfile for some of the linuxserver.io images, they basically do sanity checks in the entrypoint script and change the owner of any tmp or data files and directories, then drop privileges (or do so in the dockerfile).
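The PUID/PGID entrypoint pattern described in the first comment and the "sanity check, chown, drop privileges" sequence described above, as an added example that is not the kimai2 project's own entrypoint. It assumes an fpm-alpine style image with a `www-data` user, the `shadow` (usermod/groupmod) and `su-exec` packages installed, and writable data under `/opt/kimai/var`; all of those names are assumptions.

```shell
#!/bin/sh
# Added example entrypoint (not from the kimai2 repo). Assumes: user www-data
# exists, `apk add shadow su-exec` was done, data lives in /opt/kimai/var.
set -eu

APP_USER="${APP_USER:-www-data}"
DATA_DIRS="${DATA_DIRS:-/opt/kimai/var}"

# Sanity check: accept only a plain unsigned integer (rejects empty strings,
# negatives and anything that could be interpreted by the shell).
is_uint() {
    case "${1:-}" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Resolve the uid/gid to run as: PUID/PGID from the host operator, falling
# back to the image's www-data ids. Refuses 0 so a typo never yields root.
# Prints "uid:gid" on success.
resolve_ids() {
    uid="${PUID:-$(id -u "$APP_USER")}"
    gid="${PGID:-$(id -g "$APP_USER")}"
    is_uint "$uid" && is_uint "$gid" || { echo "PUID/PGID must be numeric" >&2; return 1; }
    [ "$uid" -ne 0 ] && [ "$gid" -ne 0 ] || { echo "refusing to run as uid/gid 0" >&2; return 1; }
    echo "$uid:$gid"
}

# Privileged part (runs only as root): remap www-data to the requested ids,
# chown only the writable data directories (not the code tree), then drop
# privileges permanently by exec'ing the real command via su-exec.
apply_and_drop() {
    ids="$(resolve_ids)" || exit 1
    uid="${ids%%:*}"; gid="${ids##*:}"
    groupmod -o -g "$gid" "$APP_USER"
    usermod  -o -u "$uid" "$APP_USER"
    for d in $DATA_DIRS; do chown -R "$uid:$gid" "$d"; done
    exec su-exec "$uid:$gid" "$@"
}

# Docker passes CMD (e.g. "php-fpm") as arguments. With no arguments nothing
# privileged runs, so the functions above can be sourced and checked safely.
if [ $# -gt 0 ]; then
    if [ "$(id -u)" -eq 0 ]; then apply_and_drop "$@"; else exec "$@"; fi
fi
```

Run it as `docker run -e PUID=1000 -e PGID=1000 ...` so files written to the bind-mounted data directory are owned by the matching host user.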

tobybatch commented 5 years ago

There is already an FPM image, tagged as fpm-alpine-X.X

It auto builds from here https://github.com/tobybatch/kimai2/tree/master/build/fpm-alpine

Does that help?

ghost commented 4 years ago

Yes, this should help, so far what I see in the fpm image:

I will check what others are doing in similar images, but if you have time, feel free to take a look at some of the linuxserver.io images. There should be some fpm-based ones. I can take a look later and paste some links.

tobybatch commented 4 years ago

I totally understand the issue, and the technology needed to solve it, but I'm a little busy at work right now. If you want to make the changes and raise a PR that would be ideal. Else we'll just need to wait until I get a break from my current projects.

tobybatch commented 4 years ago

Now runs as www-data