Re: Security implications of "runAsUser: type: RunAsAny"



As of Origin 1.1 you can allow users to run as any fairly easily by
granting users access to the "anyuid" SCC.

oadm policy reconcile-sccs # review carefully
oadm policy add-scc-to-user anyuid -z default # in the current project

This allows images to run as root for just that default.  We changed
it so that if you have access to "anyuid", we don't force you into the
high uid range.  This should allow you to run as anything.


On Tue, Nov 17, 2015 at 7:49 AM, Philippe Lafoucrière
<philippe lafoucriere tech-angels com> wrote:
>
> On Tue, Nov 17, 2015 at 3:35 AM, Charles Sabourdin
> <kanedafromparis gmail com> wrote:
>>
>> I wonder, since the docker container will be mapped using a dedicated route, don't you
>> think it's wiser (more secure) to run nginx on another port with fewer
>> privileges, let's say 9090, and then map your openshift route to it?
>>
>> (It might not be that simple, but worth asking ;-)
>
>
> I would love to be able to do that :)
> Anyway, using the official nginx image (https://hub.docker.com/_/nginx), or
> many other images, is just impossible.
> Even if nginx forks its workers as an unprivileged user (nginx or www-data), the
> main process must start as the user "root".
> In your pod, the user will have an id like 1000030000 (or 1000040000...),
> instead of 0. nginx will fail to create its temp directory. Using a wrapper
> to create a virtualhost file is also impossible, because /etc/nginx will
> be read-only. Even if you create a new image:
>
> FROM nginx
> RUN chmod 777 -R /var/cache/nginx /etc/nginx
>
> the container cannot start, because /var/cache/nginx is a volume, and chmod
> will have no effect on its permissions.
> We end up with chmod 777 everywhere, which seems worse in terms of security
> to me, not to mention openshift users simply can't use docker official
> images :(
>
> That's a serious issue for us.
