Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Running a rootless container #434

Open
leoschmitz opened this issue Feb 17, 2022 · 1 comment
Open

Running a rootless container #434

leoschmitz opened this issue Feb 17, 2022 · 1 comment
Labels
help wanted

Comments

@leoschmitz
Copy link

Is your feature request related to a problem? Please describe.
Any process that might not need to be run as root could be of a potential security risk.

Describe the solution you'd like
Following the principle of least privilege, I would suggest that the container could run as a newly created system user (in the Dockerfile):

RUN groupadd --system sal && useradd --system --shell /bin/false --gid sal sal
RUN chown -R sal:sal /home/app
USER sal

Of course there would still be issues with processes that need privileges to be addressed such as cron, supervisord etc. So the code above would be just a first step.

Describe alternatives you've considered

  • Isolating sal into its own VPC
  • Overwriting the original sal image with an additional docker layer (very hackish)

Additional context
There are lots of online resources you can find related to the importance of rootless containers.

I really appreciate sal and I know this request can be challenging to implement.

Thanks in advance! :)
@grahamgilbert
Copy link
Member

I would accept a pull request to implement this. I am not going to do this myself.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@grahamgilbert @leoschmitz