[ https://issues.apache.org/jira/browse/OFBIZ-12795?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17711048#comment-17711048 ]

ASF subversion and git services commented on OFBIZ-12795:
---------------------------------------------------------

Commit 8d835002e70ae14a0137e6c11679e4b9fcac2b6a in ofbiz-tools's branch 
refs/heads/master from Daniel Watford
[ https://gitbox.apache.org/repos/asf?p=ofbiz-tools.git;h=8d83500 ]

Implemented: User namespace remapping (OFBIZ-12795)

Updated README to refer to the use of user namespace remapping by the
docker daemon.

Configuration changes to enable user namespace remapping are reflected
in the INFRA puppet configuration for the ofbiz-vm1 host.

> Trunk demo site: Ensure OFBiz runs as the ofbizDemo user
> --------------------------------------------------------
>
>                 Key: OFBIZ-12795
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12795
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: Demo
>            Reporter: Daniel Watford
>            Assignee: Daniel Watford
>            Priority: Major
>
> OFBiz container instances running on the ofbiz-vm1 VM are launched by the 
> ofbizDocker user. 
> Within an OFBiz container a new lower-privileged user is used to run the 
> OFBiz process. This user has UID 1000.
> User with UID 1000 is used within the container to ensure that should the 
> OFBiz process be compromised and an attacker 'breaks out' of the container, 
> then an attacker's effective UID is still 1000 and they will be restricted to 
> the privileges of that user.
> An area of risk is that we have not ensured UID 1000 really is a low 
> privilege user on host ofbiz-vm1. This ticket is to ensure that the internal 
> container UID of 1000 really does map to a low-privilege user.
> Investigate and apply user mapping for OFBiz container instances running on 
> ofbiz-vm1 to ensure processes internal to OFBiz containers effectively run as 
> the ofbizDocker user.
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
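Added example (not code from the ticket, the commit, or the ofbiz-tools repository) of the check the ticket asks for: that UID 1000 inside a container maps to a non-root host UID that is not host UID 1000. One helper computes the expected mapping from an /etc/subuid entry for the daemon's remap user, the other reads the mapping the kernel actually applied from a /proc/<pid>/uid_map line. The `ofbizDocker` remap user, the subordinate range and the uid_map line are constructed assumptions, not ofbiz-vm1's real values.

```shell
#!/bin/sh
# With dockerd started with userns-remap (daemon.json: {"userns-remap": "ofbizDocker"}),
# container UIDs are shifted onto the remap user's subordinate range from /etc/subuid,
# and the kernel exposes the live mapping in /proc/<container pid>/uid_map.
# On a real host the inputs would come from:
#   cat /etc/subuid
#   cat /proc/$(docker inspect -f '{{.State.Pid}}' <container>)/uid_map
# The values below are constructed sample data (assumption), not ofbiz-vm1's.

SAMPLE_SUBUID='ofbizDocker:100000:65536'          # constructed: user:start:count
SAMPLE_UID_MAP='         0     100000      65536'  # constructed: inside outside count

# host_uid_from_subuid <remap_user> <container_uid> <subuid_contents>
# Prints the host UID the container UID should land on, or "unmapped" (exit 1)
# when the user has no entry or the UID falls outside the subordinate range.
host_uid_from_subuid() {
    line=$(printf '%s\n' "$3" | grep "^$1:" | head -n 1)
    [ -n "$line" ] || { echo unmapped; return 1; }
    start=$(printf '%s' "$line" | cut -d: -f2)
    count=$(printf '%s' "$line" | cut -d: -f3)
    [ "$2" -ge 0 ] && [ "$2" -lt "$count" ] || { echo unmapped; return 1; }
    echo $((start + $2))
}

# host_uid_from_uid_map <container_uid> <uid_map_contents>
# Each uid_map line reads: <first uid inside the namespace> <first uid outside> <count>.
# Prints the host UID the kernel actually uses, or "unmapped" (exit 1).
host_uid_from_uid_map() {
    printf '%s\n' "$2" | awk -v u="$1" '
        u >= $1 && u < $1 + $3 { print $2 + u - $1; found = 1; exit }
        END { if (!found) { print "unmapped"; exit 1 } }'
}

# is_isolated <host_uid> <container_uid>
# True only when the mapped host UID is neither root nor the same number as the
# in-container UID, i.e. a breakout would not inherit host UID 0 or host UID 1000.
is_isolated() { [ "$1" -ne 0 ] && [ "$1" -ne "$2" ]; }

# Stand-alone run against the constructed data: both resolve UID 1000 to 101000.
expected=$(host_uid_from_subuid ofbizDocker 1000 "$SAMPLE_SUBUID")
actual=$(host_uid_from_uid_map 1000 "$SAMPLE_UID_MAP")
if [ "$expected" = "$actual" ] && is_isolated "$actual" 1000; then
    echo "container UID 1000 -> host UID $actual (remapped as configured)"
else
    echo "WARNING: container UID 1000 -> host UID $actual (expected $expected)"
fi
```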
