Comments (4)
Any way you could make a PR with that? I'm not sure if you mean switching users inside of the container, or executing the container as a non-root user, or switching user when building the images.
Should just need a `RUN adduser --uid 1000 imagestore` and `USER imagestore`. Will make a PR and test when I have time :).
Perfect, thanks! Out of curiosity, any idea why this is not recommended in the Docker docs, or in other places that feature information regarding docker? It totally makes sense that this would increase security, but it's the first time I come across this.
It is recommended, though maybe not as prominently as it should be:
Docker documentation on kernel capabilities:
https://docs.docker.com/engine/security/#linux-kernel-capabilities
https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked/#8-run-containers-as-a-non-root-user
An even bigger sin, which is more commonly discouraged, is running in `--privileged` mode, which gives trivial root to the host system. Even without `--privileged`, various versions of Docker have allowed escaping a container by exploiting Linux capabilities such as mounting, overwriting files etc.
Docker didn't originally support Linux kernel capabilities (such as allowing a container to bind on ports below 1024 through NET_BIND_SERVICE), so for convenience most base containers leave the default USER as root. This also allows you to easily install packages interactively and debug. Running a "production" image is quite risky: if someone is able to get root shell access to a container they can install nmap, discover services, proxy into the network etc.
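As an added example (not the imagestore project's own Dockerfile), here is the non-root pattern the thread describes in a complete Dockerfile; the base image, application path, port and start command are assumptions chosen for illustration:

```dockerfile
# Added example, not the imagestore project's Dockerfile. The base image,
# paths, port and CMD are assumptions made to illustrate the pattern.
FROM python:3.11-slim

# Create a dedicated user with a fixed UID (Debian adduser). --disabled-password
# gives it no login password and --gecos "" skips the interactive prompts.
RUN adduser --uid 1000 --disabled-password --gecos "" imagestore

WORKDIR /app
# Copy the application as the new user so its files are not owned by root.
COPY --chown=imagestore:imagestore . /app

# Listen on a port above 1024 so NET_BIND_SERVICE is never needed inside the
# container; map it to a low port on the host instead (docker run -p 80:8000).
EXPOSE 8000

# From here on every instruction, and the container's main process, runs as
# UID 1000 rather than root.
USER imagestore

CMD ["python", "-m", "http.server", "8000"]
```

After building, `docker run --rm <image> id -u` should print 1000; adding `--cap-drop=ALL` at run time also removes the capabilities discussed above.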