[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Security implications of "runAsUser: type: RunAsAny"




On Tue, Nov 17, 2015 at 3:35 AM, Charles Sabourdin <kanedafromparis gmail com> wrote:

I wonder, since the docker will be map using a dedicated route, don't you think it's wiser (more secure) to let run ngnix on another port with less privileges let's say 9090 then map your openshift route to it ?

(It might not be that simple, but worth asking ;-)


I would love to be able to that :)
Anyway, using the official nginx image (https://hub.docker.com/_/nginx), or many other images is just impossible.
Even if nginx will fork with an unprivileged user (nginx or www-data), the main process must start with the user "root".
In your pod, the user will have an id like 1000030000 (or 1000040000...), instead of 0. nginx will fail to create its temp directory. Using a wrapper to create a virtualhost file is also impossible, because the /etc/nginx will be readonly. Even if you create a new image:

FROM nginx
RUN chmod 777 -R /var/cache/nginx /etc/nginx

the container cannot start, because /var/cache/nginx is a volume, and chmod will have no effect on its permissions.
We end up with chmod 777 everywhere, which seems worth in terms of security for me, not to mention openshift users simply can't use docker official images :(

That's a serious issue for us.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]