[ https://issues.apache.org/jira/browse/JAMES-3818?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17608207#comment-17608207 ]
René Cordier commented on JAMES-3818:
-------------------------------------

I tried to get a crack at it (on TMail, but the Docker build is similar) -> https://github.com/linagora/tmail-backend/pull/476

So as explained there, the problem with the `nobody` user that seems somewhat present in a Linux-shipped Docker distribution is that it is not a good option... Everything still belongs to the root user. So as soon as you try to create files or write anything, it's not working (permission issues). You can't use glowroot, profiler, CLI, provisioning, ...

Because the JIB community does not seem to want to take the responsibility of this best practice in their build, they push it up to the base image. So if we want to do that we would need to create and maintain our own base image where we create a james user, a working directory, and make the james user own it.

But if the hope was to get that out of the box with JIB, it's not possible I'm afraid.

> [JIB] Avoid using root as a user
> --------------------------------
>
>                 Key: JAMES-3818
>                 URL: https://issues.apache.org/jira/browse/JAMES-3818
>             Project: James Server
>          Issue Type: Improvement
>          Components: docker
>    Affects Versions: master
>            Reporter: Benoit Tellier
>            Priority: Major
>
> JIB by default uses root as a user for the app within the container, which
> can raise security questions, and is against best practices.
>
> To quote https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
>
> {code:java}
> If a service can run without privileges, use USER to change to a non-root
> user. Start by creating the user and group in the Dockerfile with something
> like:
> RUN groupadd -r postgres && useradd --no-log-init -r -g postgres postgres
> {code}
>
> With JIB it is fairly easy to use the `nobody` user though I did stop my
> investigations on permission management (for files added).
>
> It might require us to switch things out of the root folder. The JIB
> community do not seem to actively go in that direction too...
> I'm not actively working on this but if somebody wants to give it a try...

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
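The base image the comment above says James or TMail would have to maintain, written out as an added example. This is not code from the ticket, the linked TMail PR, or the James build: the JRE image tag, the user and group name `james`, the fixed uid/gid 1000, and the install directory `/opt/james` are all assumptions chosen for illustration. It follows the `groupadd`/`useradd` pattern from the Docker best-practice page quoted in the ticket, and prepares the writable directory that the `nobody` approach lacks.

```dockerfile
# Added example base image, not the James/TMail build or the PR linked above.
# Assumptions: the JRE tag, the user/group name "james", uid/gid 1000 and the
# directory /opt/james are illustrative choices.
FROM eclipse-temurin:11-jre

# Create the service group and user the way the Docker best-practice page
# quoted in the ticket does: system account, no login shell, no lastlog entry.
# A fixed uid/gid keeps ownership predictable when host volumes are mounted.
RUN groupadd -r -g 1000 james \
 && useradd --no-log-init -r -u 1000 -g james -d /opt/james -s /usr/sbin/nologin james \
 && mkdir -p /opt/james/conf /opt/james/var /opt/james/logs \
 && chown -R james:james /opt/james

# Everything the server must write at runtime (logs, indexes, profiler or
# glowroot output, CLI and provisioning results) lives under this directory,
# which james owns; this is what makes the non-root user actually usable.
WORKDIR /opt/james

# Drop privileges for everything Jib layers on top.
USER james
```

To use it, point Jib's `from.image` at this image and set `container.user` to `james` (or `1000:1000`) and `container.workingDirectory` to `/opt/james` explicitly rather than relying on inheritance from the base image. The caveat the comment raises still applies to the layers Jib itself produces: the application layers and anything copied through `extraDirectories` are written with root ownership, and Jib's `extraDirectories.permissions` setting only changes file modes, not the owner. So any location the server has to write to at runtime must be created and `chown`ed in the base image as above, not added by Jib. A quick check after building is `docker run --rm --entrypoint sh <image> -c 'id -u && touch /opt/james/var/.w && echo writable'`, which should print `1000` followed by `writable`.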