Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Running the container as non-root #78

Closed
jeremych1000 opened this issue Feb 26, 2019 · 2 comments
Closed

Running the container as non-root #78

jeremych1000 opened this issue Feb 26, 2019 · 2 comments

Comments

@jeremych1000
Copy link

Expected Behavior

The container only contains a single binary, and therefore should be able to run without the need for root.

Current Behavior

The container runs as root, as there is no USER defined in the Dockerfile. This is not best practice, and opens unnecessary conversations with people who utter the word 'security' every few words ;)

Possible Solution

Add a USER line in the dockerfile.

Steps to Reproduce (for bugs)

  1. Deploy oauth2-proxy using the helm chart
  2. kubectl exec -i -t <pod> -- ash
  3. whoami shows root

Context

Trying to use oauth2-proxy in a client environment running in Azure. Currently using Kubernetes. Client security team are very conscious of containers running as root.

Your Environment

Azure AKS, Kubernetes cluster, oauth2-proxy deployed using official helm chart found at https://github.com/helm/charts/tree/master/stable/oauth2-proxy

  • Version used:
    aks: Kubernetes v1.11.6
    repository: "quay.io/pusher/oauth2_proxy"
    tag: "v3.1.0"
This was referenced Mar 2, 2019
Closed
Merged
aigarius pushed a commit to aigarius/oauth2_proxy that referenced this issue Mar 8, 2019
@karlskewes @aigarius
Potentially breaking change: docker user & group
b788b0d 
Run as non-root user and group

In the unlikely event that you are currently persisting data to disk then this
change may break file read/write access due to a change in the UID/GID that the
oauth2_proxy process runs as.

Run as non-root system user and group `oauth2proxy` with UID/GID `2000` to avoid clashing with typical local users.
An alternative to creating a separate user is to ~~chown binary and~~ run as `USER nobody`, which also works, can amend this PR if required.

Least access privileges.
Close: oauth2-proxy#78

Locally with Docker (`-version`):
```
$ ps aux | grep oauth2
2000     25192  6.0  0.0      0     0 ?        Ds   15:53   0:00 [oauth2_proxy]
```

Running in Kubernetes 1.13 with the following also specified:
```
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 10001
```
```
$ kubectl exec -it -n oauth2-proxy oauth2-proxy-85c9f58ffc-dz9lr sh
/opt $ whoami
whoami: unknown uid 10001
/opt $ ps aux
PID   USER     TIME  COMMAND
    1 10001     0:00 /opt/oauth2_proxy --whitelist-domain=.example.com --cookie-domain=example.com --email-domain=example.com --upstream=file:///dev/null --http-address=0.0.0.0:4180
   11 10001     0:00 sh
   17 10001     0:00 ps aux
```

<!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->

- [x] My change requires a change to the documentation or CHANGELOG.
- [x] I have updated the documentation/CHANGELOG accordingly.
- [x] I have created a feature (non-master) branch for my PR.
@jeremych1000
Copy link
Author

Will this change be included in the next release?
Right now I can't version lock the docker image as this is only in latest/master.

@JoelSpeed
Copy link
Member

Yes, I will be creating a release soon, ideally within a week

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@JoelSpeed @jeremych1000