This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
Running processes as root helps attackers #18
Comments
I totally agree and this is on my radar. I am hoping this will be fixed in #15. The only problem I had was if I set it to I will definitely be revisiting this because it's one of the bigger worries I had about this setup.
Please be aware that
Setting user in a Docker image should be the last step. I hope you do not intend to install packages in a running container!
No, this would be like this...
Problem
For example (I think I tried this earlier): on a downstream Docker project, I might want a new
☝️ If I have Thoughts?
Done!
I will definitely give this a whirl, thanks!!
Here is an update on this:
Problem
How to recreate the problem
1. Copy my Dockerfile
2. Build my Dockerfile locally
3. Run the local image
Important note:
Things that concern me
I don't even know if this is possible to run as a "non-root" user due to how PHP-FPM is structured. I'm pretty sure PHP-FPM needs root in order to start its processes.
Other repos that are running PHP as "root"
These very talented groups are also not running things as an unprivileged user:
What I think I might have to do
My gut feeling is telling me that I will:
Calling in help
@szepeviktor: Are you aware of any examples of projects running PHP as an unprivileged user?
Hello! It is highly popular to give a sh*t about what is going on inside a container. Actually it is a novice mistake to run something as root - no matter whether inside a container or not. S6 Overlay needs to run as root, but it does not mean that PHP-FPM needs to as well.
Thanks for chiming in! You confirmed my assumptions. I will need to remove the extra arguments on this line: docker-php/php/7.4/cli/Dockerfile, line 51 in 718f310
If I leave those lines in there above, PHP-FPM will not be able to start correctly because it's trying to start the master process as Instead, I will have Does that sound like a good approach?
BTW Debian uses https://github.com/krallin/tini
At first glance yes.
php-fpm.conf could have
Thanks! I have this set already.
Interesting! I will play around with this. Thanks!!
It is open-source. You can spend weeks with it!
Please consider avoiding root (UID 0) and system users (UID 1-999) e.g. www-data.
Least privileges come with normal users.
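As an added example (not the repository's own Dockerfile), this shows the two points made in the thread: a normal user outside UID 0 and the 1-999 system range instead of www-data, and USER as the last step so nothing is installed in the running container. The php:7.4-fpm base image, the user name "app", UID/GID 1000 and the pool name "www" (the image's default pool) are assumptions.

```dockerfile
# Added example, not the project's Dockerfile. Assumptions: official
# php:7.4-fpm base image, default pool "www", user "app" with UID/GID 1000.
FROM php:7.4-fpm

# A normal user: UID/GID 1000 is outside root (0) and the 1-999 system range,
# so the container does not reuse the www-data system account.
RUN groupadd --gid 1000 app \
 && useradd --uid 1000 --gid 1000 --create-home --shell /usr/sbin/nologin app

# Pool override for an unprivileged master process.
# 'user', 'group' and 'listen.owner' are left out on purpose: PHP-FPM ignores
# them (with a notice) when the master is not root, because only root can
# switch UIDs. If a root-only init such as s6-overlay must start php-fpm,
# the alternative is to keep the master as root and set 'user = app' /
# 'group = app' here so that only the workers drop to the normal user.
RUN printf '[www]\nlisten = 9000\n' \
      > /usr/local/etc/php-fpm.d/zz-unprivileged.conf

# Application code owned by the runtime user rather than by root.
WORKDIR /var/www/html
COPY --chown=app:app . /var/www/html

# Everything that needs root (packages, extensions, file layout) happens
# above this line; switching user is the final step of the image.
USER app

# Run php-fpm in the foreground as the unprivileged user.
CMD ["php-fpm", "-F"]
```

To check the result, run the image and inspect the process table from inside it: the php-fpm master and its workers should all show UID 1000, not root.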