ergo should not run as root inside the docker container #1820
One way to do this might be to switch from using alpine as a base to distroless, which has a non-root variant. In addition to not running as root, that avoids shipping a shell, the apk command, and so on, which makes the image much smaller and reduces the attack surface if ergo did somehow have a remote code execution vuln. The wrinkle with that is ergo currently uses a shell script as an entrypoint which creates a config file with a randomised oper password and makes certificates if they don't exist. I wonder if those behaviours could be subsumed into ergo proper (as flags)? If not, the script could be replaced with a small Go app that does the same thing, I guess.
Yeah, that's interesting. On the one hand, a smaller container is quite appealing. On the other, I actually found the shell quite useful for debugging (I could enter the container, look at file permissions, run netcat, etc.). Also, from the looks of GoogleContainerTools/distroless#550, distroless does not solve the problems addressed by dumb-init.
I have no objections in principle to modifying ergo itself to handle initialization of a randomized operator password. We could potentially roll our own thing that pulls in just ergo, dumb-init, and busybox? That would give us a shell.
See item 2 here: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
This should probably use the `USER` Dockerfile command, but we have to pay attention to backwards compatibility issues.
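A Dockerfile sketch of the non-root layout discussed in this thread (dedicated uid, `USER` directive, dumb-init as PID 1, data directory owned by the unprivileged user). This is an added example, not ergo's own Dockerfile; the `/ircd` data directory, the build step, the `ergo run --conf` invocation and the ports are assumptions.

```dockerfile
# Added example, not ergo's Dockerfile. Assumptions: the binary builds from
# the repo root, data (config, certs, DB) lives in /ircd, it listens on
# 6667/6697. Package names are Alpine's.

# --- weak layout: everything runs as uid 0, a RCE bug gets root in the container
# FROM alpine:3.18
# COPY --from=builder /ergo /usr/local/bin/ergo
# ENTRYPOINT ["/usr/local/bin/ergo", "run"]

# --- hardened layout: unprivileged user + USER directive
FROM golang:1.21-alpine AS builder
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /ergo .

FROM alpine:3.18
# dumb-init gives correct signal forwarding and zombie reaping as PID 1,
# which is the gap distroless's nonroot variant does not fill on its own.
RUN apk add --no-cache dumb-init ca-certificates
# Fixed uid/gid so ownership of a mounted volume is predictable across rebuilds.
RUN addgroup -g 1000 -S ergo && adduser -u 1000 -S -G ergo -h /ircd ergo
COPY --from=builder /ergo /usr/local/bin/ergo
# The data dir must be writable by the non-root user. Backwards-compat caveat:
# a volume created by an older root-running image is root-owned and has to be
# chown'd to 1000:1000 by the operator before upgrading, or startup fails.
RUN mkdir -p /ircd && chown -R ergo:ergo /ircd
VOLUME /ircd
WORKDIR /ircd
# Every instruction after this line, and the running container, use uid 1000.
# Ports above 1024 bind fine; anything below would need CAP_NET_BIND_SERVICE.
USER ergo
EXPOSE 6667 6697
ENTRYPOINT ["/usr/bin/dumb-init", "--"]
CMD ["/usr/local/bin/ergo", "run", "--conf", "/ircd/ircd.yaml"]
```

`docker run --rm <image> id -u` should print `1000` once built, which is the quickest check that `USER` took effect.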