Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Run as non-root #9

Closed
BenjaminHae opened this issue Aug 24, 2018 · 5 comments
Closed

Run as non-root #9

BenjaminHae opened this issue Aug 24, 2018 · 5 comments
Assignees
@ckulka
Labels
enhancement wontfix

Comments

@BenjaminHae
Copy link

BenjaminHae commented Aug 24, 2018
edited
Loading

It is good practice to explicitly define a user to run the container as on start, for example like this:
docker run -e USER_ID=997 -e GROUP_ID=997 ckulka/baikal:nginx
This leads to conflicts because of php-fpm can't access /run/php and chown -R nginx:nginx /var/www/baikal/Specific needs root permissions.

Do you see a way to follow good practice with your image?
@languitar
Copy link
Contributor

I think all content in the container drops privileges automatically. nginx and php workers use uid 101

@ckulka
Copy link
Owner

ckulka commented Aug 28, 2018

Hi @BenjaminHae ,

I could only find using a non-root user in the official Best practices for writing Dockerfiles article, which the nginx image variant already does since it's based on the official nginx image (user nginx inside the container, UID 101, GID 101, as @languitar said).

I think you mean something different though: specifying yet another UID/GID to be used to run the process, which would have to be dynamically configured while the container is started. Can add a link to the best practice you mentioned so that I can read up and look into it?

@BenjaminHae
Copy link
Author

Hi @ckulka,

I think the best reference is the CIS Benchmark for Docker.
You can find it in section 4.1 "Ensure a user for the container has been created".

@JOduMonT
Copy link

@BenjaminHae being able to change to UID and GID is interesting but,
it's not because this container don't permit this manipulation
than it means the service(s) inside the container run as root.

As you could notice at the line 33 nginx is the owner of /var/www/baikal

If you so concern about the security you should run your docker-daemon with the parameter --userns than any container, even those run service as root, will not have root privilege on your host.

Another best practice is to not trust the community and to build your own container and maintain them.

@ckulka ckulka self-assigned this Aug 25, 2019
@ckulka
Copy link
Owner

ckulka commented Aug 25, 2019

Given a separate user exists and nginx runs as that non-root user (user is nginx, UID is 101, GID is 101), I'll close this for now.

If there's a need for a dynamic user id, i.e. a configurable UID and GID of the user that runs nginx, let's open an issue with that enhancement request... especially since this will require some custom code to dynamically create the user, update the configuration and all file permissions.

@ckulka ckulka closed this as completed Aug 25, 2019
@LairdTurner LairdTurner mentioned this issue Feb 18, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ckulka ckulka

Labels
enhancement wontfix
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@languitar @ckulka @JOduMonT @BenjaminHae