Run as non-root user

[krancour]

This is a best practice we should follow wherever we can.

[smothiki]

@krancour I think we are running as a non root user ?

[krancour]

Does not seem it:

[kent@mbp ~]$ k exec -it deis-builder-5qn00 -- bash
bash-4.3# whoami
root

But let's hold off on doing anything with this until after the Dockerfile's been refactored for Ubuntu Slim-- which I am working on. Otherwise, there's just going to be an unresolvable merge conflict and we'll make extra work for ourselves.

[bacongobbler]

Yeah I think openssh is running as root in order to bind to port 22.

[smothiki]

@krancour I think the new ubuntu slim image is not running builder as root . Let me know if this isn;t fixed

[arschles]

bumping from RC1, as this is not critical for the RC

[krancour]

That's fine.

[bacongobbler]

The server itself is still running as root, so this is not yet resolved. All processes should be run as non-root. If any of them are compromised, the user has root level access and could break out of the container onto the host.

root@deis-builder-ef12k:/# ps faux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root        15  1.0  0.0  18288  3360 ?        Ss   17:53   0:00 bash
root        25  0.0  0.0  34428  2808 ?        R+   17:53   0:00  \_ ps faux
root         1  0.1  0.2 224688 23076 ?        Ssl  17:52   0:00 /usr/bin/boot s

[Cryptophobia]

This issue was moved to teamhephy/builder#32