GitHub user jbampton created a discussion: Do the Docker containers run as the
root user ? Implement a Non-Root User
A quick grep found some Docker container files which seem to run as the root
user.
I looked in the files and did not see the `USER` command
```
cloudstack$ find . -type f -name '*Dockerfile*' -exec grep -L "USER " {} +
./ui/Dockerfile
./tools/docker/Dockerfile.smokedev
./tools/docker/Dockerfile.marvin
```
"Using grep -L (which lists filenames that do not contain a match), you are
likely using it to find files missing a license header or a specific string."
---
>From Google:
Implementing a non-root user in Docker containers is a fundamental security
best practice that significantly strengthens your application's defense. By
default, Docker containers run as the root user, which can grant them
unrestricted access to the underlying host system and its resources.
The primary reasons for using a non-root user include:
* Minimizing Attack Surface: Running as a non-root user limits what a container
can do if compromised. An attacker who exploits a vulnerability in your
application will only have the limited permissions of that non-privileged user,
rather than full control over the container.
* Preventing Container Breakout: If a container is compromised, a root user
inside the container can potentially "escape" to the host machine. Since
containers share the host's kernel, a root user in a container is often
equivalent to a root user on the host system, allowing an attacker to take
control of the entire server.
* Principle of Least Privilege (PoLP): This standard security practice dictates
that any process should only have the minimum permissions necessary to perform
its task. Applications, databases, and load balancers rarely need root access
to function.
* Restricting Access to Sensitive Resources: Non-root users cannot easily
access sensitive host directories if they are inadvertently mounted into the
container, nor can they interact directly with the [Docker
socket](https://www.docker.com/blog/understanding-the-docker-user-instruction/)
(/var/run/docker.sock) to control other Docker resources.
* Compliance and Platform Requirements: Many regulatory standards (like GDPR
and HIPAA) and Kubernetes distributions (like
[OpenShift](https://techdocs.broadcom.com/us/en/vmware-tanzu/bitnami-secure-images/bitnami-secure-images/services/bsi-doc/apps-tutorials-why-non-root-containers-are-important-for-security-index.html)
require or enforce the use of non-root users to ensure a secure and compliant
environment.
* Protection Against Malicious code: Using a non-root user prevents malicious
code from easily installing new system packages, modifying critical system
files, or replacing existing Docker images during runtime.
GitHub link: https://github.com/apache/cloudstack/discussions/12832
----
This is an automatically sent email for [email protected].
To unsubscribe, please send an email to: [email protected]
