ergo should not run as root inside the docker container #1820
Comments
|
One way to do this might be to switch from using alpine as a base to distroless, which has a non-root variant. In addition to not running as root, that avoids shipping a shell, the apk command, and so on, which makes the image much smaller and reduces the attack surface if ergo did somehow have a remote code execution vuln The wrinkle with that is ergo currently uses a shell script as an entrypoint which creates a config file with randomised oper password + makes certificates if they don't exist. I wonder if those behaviours could be subsumed into ergo proper (as flags)? If not the script could be replaced with a small go app that does the same thing, I guess. |
|
Yeah, that's interesting. On the one hand, a smaller container is quite appealing. On the other, I actually found the shell quite useful for debugging (I could enter the container, look at file permissions, run netcat, etc.). Also, from the looks of GoogleContainerTools/distroless#550, distroless does not solve the problems addressed by dumb-init. |
|
I have no objections in principle to modifying ergo itself to handle initialization of a randomized operator password. We could potentially roll our own thing that pulls in just ergo, dumb-init, and busybox? That would give us a shell. |
See item 2 here: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
This should probably use the
USERDockerfile command, but we have to pay attention to backwards compatibility issues.The text was updated successfully, but these errors were encountered: