Warn if fabio is run as root #369
Comments
PostgreSQL does this and it’s been a useful safety precaution that has probably prevented many incidents. That said, it’s also extremely irritating as an operator when diving into a problem as root. Or even when I’m in a secured contained environment and there is only one process, but now I have to manage the creation and lookup of a user/UID. In an ideal world I’d rather see a big obnoxious warning when the flag is used and a once-an-hour log entry nagging the user that the process is running as root (vs only at startup time).
I stand by what I said in the original thread. It is the software's responsibility to do the right thing, in this case refuse to run as root. If you really really really want to (even though it is a bad idea in 99.9999% of the cases), there's a cli switch that will allow you to do that. Let's make doing the right thing the easy thing to do. +1 on the hourly WARNING when running as root, great idea. The last ~25 years have proven beyond doubt that "secure by default" is the only reasonable choice, as the large majority of users/operators WILL NOT take steps to secure their deployments and WILL ignore "a big obnoxious warning" as long as the "thing" runs. If you know what you are doing and want to run with decreased security for your environment, adding a cli switch that is clearly explained to you when you try to do something that's potentially unsafe is not a big deal. Same if you are building containers, adding a user on the build phase is trivial work and industry best practice.
@mterron I agree that the software should do the right thing but there is a valid case for running fabio as Also, if users will ignore a warning in the logs then they will just use the switch if it is there. :) OK, then the path forward is to refuse to run as
Just 1 comment. Container root (in Linux) IS the host system root. There's a new user mapping feature but not widely deployed afaik.
That's how I understand that but you'd have to break out of the container first, right? Isn't the point of containers to prevent that?
This is probably semantics, but IMO as a Security professional, containers in Linux don't exist. The kernel has no idea what a container is, the only thing it knows about is cgroups and namespaces. On other OSs, a container is a kernel primitive so the control and segmentation is stronger (see Solaris/Illumos Zones) and multitenancy is possible (and encouraged).
Fabio 1.6 will add a recurring warning if fabio is run as root (UID == 0) on UNIX operating systems. It will also add an '-insecure' flag as an override. As of version 1.7 fabio will refuse to start as root without the '-insecure' flag. Fixes #369
I've pushed a PR which will add a recurring warning which is written to the logs during startup and once an hour if fabio is run as root. The message of the warning changes slightly when the new
and
This way users have time to adjust to the change in default behavior.
Fabio 1.5.7 will add a recurring warning if fabio is run as root (UID == 0) on UNIX operating systems. It will also add an '-insecure' flag as an override. As of version 1.7 fabio will refuse to start as root without the '-insecure' flag. Fixes #369
Issue #369: Do not allow to run fabio as root
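The policy this thread settles on (warn at startup and then hourly when UID is 0, `-insecure` as the override, refusal in a later release), as an added Go example that is not fabio's own code. The names `checkRoot` and `warnRecurring`, the `enforce` switch and the message wording are assumptions made for illustration.

```go
package main

import (
	"errors"
	"flag"
	"log"
	"os"
	"time"
)

// checkRoot reports whether a root warning is due, or returns an error when
// startup must be refused. os.Getuid returns -1 on Windows, so only UNIX root matches.
func checkRoot(uid int, insecure, enforce bool) (warn bool, err error) {
	if uid == 0 && enforce && !insecure {
		return false, errors.New("refusing to run as root without the '-insecure' flag") // constructed wording
	}
	return uid == 0, nil
}

// warnRecurring logs msg at once, then every interval, until stop is called.
func warnRecurring(msg string, every time.Duration, logf func(string)) (stop func()) {
	logf(msg)
	done := make(chan struct{})
	go func() {
		t := time.NewTicker(every)
		defer t.Stop()
		for {
			select {
			case <-t.C:
				logf(msg)
			case <-done:
				return
			}
		}
	}()
	return func() { close(done) }
}

func main() {
	insecure := flag.Bool("insecure", false, "allow running as root")
	flag.Parse()
	warn, err := checkRoot(os.Getuid(), *insecure, false) // false: warning-only release (assumption)
	if err != nil {
		log.Fatal(err)
	}
	if warn { // message shortened from the banner quoted on this page
		defer warnRecurring("You are running fabio as root", time.Hour, func(s string) { log.Print(s) })()
	}
	// the proxy itself would start here
}
```

Passing `true` as the third argument to `checkRoot` models the later release in which root without `-insecure` is refused rather than warned about.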
It is now almost a year later. The dockerhub image is still running as root. Why?
@johnypony3 I was just back checking on this as well. We are moving all of our containers away from root user, so I will probably build my own on alpine and a non-root user.
@johnypony3 feel free to submit a PR to adjust the project Dockerfile. The required changes should be adding a
This switches off the warning

************************************************************
You are running fabio as root without the '-insecure' flag
This will stop working with fabio 1.7!
************************************************************

and makes all of us feel better :-)

See fabiolb#369

NOTE In my limited tests it just works (using the tutorial https://learn.hashicorp.com/tutorials/nomad/load-balancing-fabio?in=nomad/load-balancing and stopping before section "Place Nomad client nodes behind AWS load balancer"), but since I am learning Nomad/Consul/Fabio, I might be missing something.
Follow up from #195 which suggests that fabio should refuse to start as root unless you pass an -insecure flag. I'm still not fully convinced that users will just use the flag as a workaround. Everybody has a right to shoot him/herself in the foot but I'm open for discussion.