Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Run as non-root user #32

Open
Cryptophobia opened this issue Mar 21, 2018 · 7 comments
Open

Run as non-root user #32

Cryptophobia opened this issue Mar 21, 2018 · 7 comments

Comments

@Cryptophobia
Copy link
Member

From @krancour on February 22, 2016 16:48

This is a best practice we should follow wherever we can.

Copied from original issue: deis/builder#194

@Cryptophobia
Copy link
Member Author

From @smothiki on May 19, 2016 18:4

@krancour I think we are running as a non root user ?

@Cryptophobia
Copy link
Member Author

From @krancour on May 20, 2016 3:37

Does not seem it:

[kent@mbp ~]$ k exec -it deis-builder-5qn00 -- bash
bash-4.3# whoami
root

But let's hold off on doing anything with this until after the Dockerfile's been refactored for Ubuntu Slim-- which I am working on. Otherwise, there's just going to be an unresolvable merge conflict and we'll make extra work for ourselves.

@Cryptophobia
Copy link
Member Author

From @bacongobbler on May 20, 2016 4:57

Yeah I think openssh is running as root in order to bind to port 22.

@Cryptophobia
Copy link
Member Author

From @smothiki on May 23, 2016 22:43

@krancour I think the new ubuntu slim image is not running builder as root . Let me know if this isn;t fixed

@Cryptophobia
Copy link
Member Author

From @arschles on May 24, 2016 20:0

bumping from RC1, as this is not critical for the RC

@Cryptophobia
Copy link
Member Author

From @krancour on May 24, 2016 20:2

That's fine.

@Cryptophobia
Copy link
Member Author

From @bacongobbler on May 31, 2016 17:55

The server itself is still running as root, so this is not yet resolved. All processes should be run as non-root. If any of them are compromised, the user has root level access and could break out of the container onto the host.

root@deis-builder-ef12k:/# ps faux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root        15  1.0  0.0  18288  3360 ?        Ss   17:53   0:00 bash
root        25  0.0  0.0  34428  2808 ?        R    17:53   0:00  \_ ps faux
root         1  0.1  0.2 224688 23076 ?        Ssl  17:52   0:00 /usr/bin/boot s

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

1 participant