Docker - is it safe to switch to non-root user in ENTRYPOINT?


Question



Is it considered a secure practice to run root privileged ENTRYPOINT ["/bin/sh", "entrypoint.sh"], that later switches to non-root user before running the application?


More context:

There are a number of articles (1, 2, 3) suggesting that running the container as non-root user is a best practice in terms of security. This can be achieved using the USER appuser command, however there are cases (4, 5) when running the container as root and only switching to non-root in an entrypoint.sh script is the only way to go around, eg:

#!/bin/sh

# Runs as root: fix ownership of the mounted volume so appuser can use it
chown -R appuser:appgroup /path/to/volume
# Drop to appuser and run the CMD; "--" stops runuser from parsing the
# command's own arguments as its options
exec runuser -u appuser -- "$@"

and in Dockerfile:

COPY entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/bin/sh", "entrypoint.sh"]
CMD ["/usr/bin/myapp"]


When calling docker top container I can see two processes, one root and one non-root

PID                 USER                TIME                COMMAND
5004                root                0:00                runuser -u appuser /usr/bin/myapp
5043                1000                0:02                /usr/bin/myapp

Does it mean my container is running with a vulnerability given that root process, or is it considered secure?

I found little discussion on the subject (6, 7) and none seem definitive. I've looked for similar questions on StackOverflow but couldn't find anything related (8, 9, 10) that would address the security.

Solution

I just looked through what relevant literature (Adrian Mouat's Docker, Liz Rice's Container Security) has to say on the topic and added my own thoughts to it:

The main intention behind the much cited best practice to run containers as non-root is to avoid container breakouts via vulnerabilities in the application code. Naturally, if your application runs as root and then your container has access to the host, e.g. via a bind mount volume, a container breakout is possible. Likewise, if your application has rights to execute system libraries with vulnerabilities on your container file system, a denial of service attack looms.

Against these risks you are protected with your approach of using runuser, since your application would not have rights on the host's root file system. Similarly, your application could not be abused to call system libraries on the container file system or even execute system calls on the host kernel.

However, if somebody attaches to your container with exec, he would be root, since the container main process belongs to root. This might become an issue on systems with elaborate access right concepts like Kubernetes. Here, certain user groups might be granted a read-only view of the cluster including the right to exec into containers. Then, as root, they will have more rights than necessary, including possible rights on the host.

In conclusion, I don't have strong security concerns regarding your approach, since it mitigates the risk of attacks via application vulnerabilities by running the application as non-root. The fact that you run the container main process as root, I see as a minor disadvantage that only creates problems in niche access control setups, where not fully trusted subjects get read-only access to your system.
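The docker top listing in the question and the answer's point about the main process both come down to one check: which processes in the container still run as root, and what user the lowest-PID process has. The script below is an added example, not code from the question or the answer. It parses the table that `docker top <container>` prints (the two tables it contains are constructed samples; the first mirrors the question's output) and reports root processes and the user of the main process. The column names PID, USER/UID and COMMAND/CMD are assumed to be the ones the header carries; everything else is read from the input.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: audit the process
# table printed by `docker top <container>` and report the processes that still
# run as root. The two tables below are constructed samples; the first mirrors
# the output shown in the question. With a real container, pipe the live output
# in instead:   docker top mycontainer | flag_root_processes

# Constructed sample: entrypoint that switches via runuser (as in the question).
# The runuser parent stays alive as root; only its child runs as uid 1000.
SAMPLE_TOP='PID                 USER                TIME                COMMAND
5004                root                0:00                runuser -u appuser /usr/bin/myapp
5043                1000                0:02                /usr/bin/myapp'

# Constructed sample: a container whose main process itself runs as uid 1000.
SAMPLE_TOP_NONROOT='PID                 USER                TIME                COMMAND
1                   1000                0:02                /usr/bin/myapp'

# Read docker-top output on stdin. Locate the PID, USER/UID and COMMAND/CMD
# columns from the header (the column set differs between ps variants), then
# print "PID COMMAND" for each row whose user is root or uid 0.
# Exit status: 1 if any root process was found, 0 if none, 2 if the header
# lacks one of the expected columns.
flag_root_processes() {
    awk '
        NR == 1 {
            for (i = 1; i <= NF; i++) {
                if ($i == "PID") pcol = i
                if ($i == "USER" || $i == "UID") ucol = i
                if ($i == "COMMAND" || $i == "CMD") ccol = i
            }
            if (!ucol || !pcol || !ccol) {
                print "unrecognised docker top header" > "/dev/stderr"
                bad = 1
                exit
            }
            next
        }
        $ucol == "root" || $ucol == "0" {
            cmd = $ccol
            for (i = ccol + 1; i <= NF; i++) cmd = cmd " " $i
            print $pcol, cmd
            found = 1
        }
        END { if (bad) exit 2; exit found ? 1 : 0 }'
}

# Print the user of the container main process, taken as the row with the
# lowest PID. With the runuser entrypoint this is still root, which is the
# situation the answer discusses.
main_process_user() {
    awk '
        NR == 1 {
            for (i = 1; i <= NF; i++) {
                if ($i == "PID") pcol = i
                if ($i == "USER" || $i == "UID") ucol = i
            }
            next
        }
        min == "" || $pcol + 0 < min + 0 { min = $pcol; user = $ucol }
        END { print user }'
}

# Usage: run the audit against the constructed sample from the question.
if printf '%s\n' "$SAMPLE_TOP" | flag_root_processes; then
    echo "no root processes"
else
    echo "root processes present; main process runs as $(printf '%s\n' "$SAMPLE_TOP" | main_process_user)"
fi
```

Against the question's table the audit lists PID 5004 (the runuser parent) and reports the main process as root; against the second sample it lists nothing and reports uid 1000. The exit status makes the check usable as a gate in a CI job or a periodic audit, and reading the column positions from the header keeps it working when `docker top` is given different ps arguments.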
