Run the container without root #170
Hi there,

Is there any way or plan to run this container without root? That would be great security-wise. A few options crossing my mind to achieve this, although it might not be possible:

USER: 1000

in the Dockerfile, before the entrypoint (unlikely to work). Thanks!

Comments

The ports that it listens on require root or somehow adding permissions (as you mentioned). I currently don't have any plans to try to figure out how to get it to run without root. Docker supports ID mapping so that root in the container isn't root outside the container, which should take care of your concerns for both this container and the rest that you use.

Hi and thanks for your quick reply! I did not know about this ID mapping feature, that's great! For others interested, here is the documentation for ID mapping. On the other hand, it would still be better to run as non-root inside the container in case it gets compromised. I will try to do a pull request sometime. One last question: which superuser permissions do you think are needed at runtime except the low port binding (which could be changed to a high port with Docker port mapping)? Thanks!

I have no idea, which is part of the reason that I haven't ever tried.

For what it's worth, this can be worked around with a line like this inside

Then in the

Or in a Docker Compose file:

```yaml
ports:
  - 139:2139
  - 445:2445
```

I have a forked version of this container that I run under a non-root UID/GID inside the container, and can even run with Unfortunately it means the entrypoint script doesn't work as a lot of its functions require root, so I am essentially just mounting a

Missed this in my last reply but (based on my experience getting this to work) none, except binding ports <1024. Which, as you say, can be fixed with port mapping (my

Thanks for the help! You just said the entrypoint script requires root for a lot of things, so it's not just low port bindings, right? EDIT: I guess the entrypoint mostly chmods things and replaces lines in smb.conf, so a smb.conf by itself should work as you pointed out.

Ah, true, sorry for the confusion. Samba itself needs root for nothing other than the port bindings. Using this container directly (particularly the entrypoint script) does. Since I'm not using the entrypoint script it might be a stretch to even call my version of this a fork rather than simply just Samba in a container, but what I essentially did was use @dperson's container in its standard (root) config because the command line flags really make it wonderfully easy to get Samba running. Then when I had it running nicely, I just transplanted the

Hi there, Yes that's what I was actually doing now. I will try to dig into the entrypoint to make it root and non-root friendly and have Samba bind on port 8445. That way you could just run this container with An extra thing doable is to set the low port binding cap on the samba binary so it can bind on 445 even without root.
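Putting together what the thread settles on (an unprivileged UID inside the container, and a low-port bind capability on the Samba binary so that 139/445 still work) as an added Dockerfile example. This is not the project's own Dockerfile or entrypoint; it assumes a Debian base image and Debian's `/usr/sbin/smbd` path, picks UID 1000 and the account name `smbuser` for illustration, and expects an `smb.conf` to be present in the build context.

```dockerfile
# Added example, not the project's Dockerfile. Assumes a Debian base image and
# Debian's Samba paths; the account name, UID 1000 and /srv/share are choices
# made for this example.
FROM debian:bookworm-slim

RUN apt-get update \
 && apt-get install -y --no-install-recommends samba libcap2-bin \
 && rm -rf /var/lib/apt/lists/* \
# Unprivileged account that smbd will run as (UID 1000, as discussed in the thread)
 && useradd --system --uid 1000 --user-group --no-create-home smbuser \
# Samba's state, cache, log and runtime directories must be writable by that account
 && mkdir -p /var/lib/samba/private /var/cache/samba /var/log/samba /run/samba /srv/share \
 && chown -R smbuser:smbuser /var/lib/samba /var/cache/samba /var/log/samba /run/samba /srv/share \
# File capability on the binary: grants only the low-port bind, nothing else from root's set
 && setcap cap_net_bind_service=+ep /usr/sbin/smbd

# Minimal configuration supplied from the build context (assumed to exist there).
# With a non-root smbd there is no identity switching: every share is served
# with smbuser's own permissions.
COPY smb.conf /etc/samba/smb.conf

USER smbuser
EXPOSE 139 445
# Run in the foreground so smbd itself is the container's main process
CMD ["/usr/sbin/smbd", "--foreground", "--no-process-group"]
```

A file capability only takes effect if that capability is still in the container's bounding set, so start the container with `--cap-drop ALL --cap-add NET_BIND_SERVICE` (or `cap_drop: [ALL]` / `cap_add: [NET_BIND_SERVICE]` in Compose) and map `-p 139:139 -p 445:445`; dropping everything else keeps the container from gaining anything beyond the single bind privilege. Note that `--security-opt no-new-privileges` makes the kernel ignore file capabilities on exec, so under that setting use the other route from the thread instead: leave out the `setcap` line, set `smb ports = 2139 2445` in `smb.conf`, and publish `139:2139` and `445:2445` as in the Compose snippet above.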