[ https://issues.apache.org/jira/browse/OFBIZ-12795?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17710862#comment-17710862 ]

Daniel Watford commented on OFBIZ-12795:
----------------------------------------

INFRA have provided some advice that relates to this ticket in INFRA-24446

> Trunk demo site: Ensure OFBiz runs as the ofbizDemo user
> --------------------------------------------------------
>
>                 Key: OFBIZ-12795
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12795
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: Demo
>            Reporter: Daniel Watford
>            Assignee: Daniel Watford
>            Priority: Major
>
> OFBiz container instances running on the ofbiz-vm1 VM are launched by the ofbizDocker user.
> Within an OFBiz container a new lower-privileged user is used to run the OFBiz process. This user has UID 1000.
> User with UID 1000 is used within the container to ensure that should the OFBiz process be compromised and an attacker 'breaks out' of the container, then an attacker's effective UID is still 1000 and they will be restricted to the privileges of that user.
> An area of risk is that we have not ensured UID 1000 really is a low privilege user on host ofbiz-vm1. This ticket is to ensure that the internal container UID of 1000 really does map to a low-privilege user.
> Investigate and apply user mapping for OFBiz container instances running on ofbiz-vm1 to ensure processes internal to OFBiz containers effectively run as the ofbizDocker user.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
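
One way to run the check the ticket describes, as an added example that is not part of the original message or of the OFBiz project: without user-namespace remapping, UID 1000 inside a container is the same numeric UID on the host, so the script looks up which host account owns that UID and whether it sits in a privilege-granting group. The function name `audit_uid`, the group list and the sample accounts are assumptions constructed for illustration; on a real host it would be called as `audit_uid /etc/passwd /etc/group 1000`.

```shell
#!/bin/sh
# Added example: report which host account a container UID lands on and
# whether that account belongs to a privilege-granting group.
# Assumption: the group names below are common Linux defaults, not taken from
# ofbiz-vm1. Only local passwd/group files are read; sudoers rules and
# directory-service accounts are out of scope.
PRIV_GROUPS="root sudo wheel adm docker lxd disk shadow"

# audit_uid PASSWD_FILE GROUP_FILE UID
# Prints "<user>: <privileged groups>", "<user>: none", or "unmapped".
audit_uid() {
    entry=$(awk -F: -v u="$3" '$3 == u { print $1 ":" $4; exit }' "$1")
    if [ -z "$entry" ]; then
        echo "unmapped"        # no host account owns this UID
        return 0
    fi
    user=${entry%%:*}
    pgid=${entry#*:}
    hits=$(awk -F: -v user="$user" -v pgid="$pgid" -v priv="$PRIV_GROUPS" '
        BEGIN { n = split(priv, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        ($1 in want) {
            member = ($3 == pgid)              # primary group match
            m = split($4, names, ",")          # supplementary members
            for (i = 1; i <= m; i++) if (names[i] == user) member = 1
            if (member) out = (out == "" ? $1 : out "," $1)
        }
        END { print out }' "$2")
    echo "$user: ${hits:-none}"
}

# Constructed sample data (not from the real host).
demo=$(mktemp -d)
printf '%s\n' 'root:x:0:0::/root:/bin/sh' \
    'deploy:x:1000:1000::/home/deploy:/bin/sh' \
    'svc:x:1001:1001::/home/svc:/usr/sbin/nologin' > "$demo/passwd"
printf '%s\n' 'root:x:0:' 'sudo:x:27:deploy' 'docker:x:998:deploy,other' \
    'deploy:x:1000:' 'svc:x:1001:' > "$demo/group"
audit_uid "$demo/passwd" "$demo/group" 1000   # → deploy: sudo,docker
audit_uid "$demo/passwd" "$demo/group" 1001   # → svc: none
rm -rf "$demo"
```

A result other than `none` or `unmapped` for UID 1000 means a process escaping the container would hold that account's group privileges on the host.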