-
Notifications
You must be signed in to change notification settings - Fork 78
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for arbitrary user #369
base: master
Are you sure you want to change the base?
Support for arbitrary user #369
Conversation
hi, are there any issue that block this pr? |
TL;DR:
Queries:
Does OpenShift not have the equivalent of rootless that both Podman and Docker offer? That leverages user namespaces with the host Can you reference other popular official images that have adopted this practice you're proposing here? It seems the bulk of the $ podman run --rm -it caddy ash
$ apk add eza
# This is just a fancier `ls -l` command:
$ eza -lanhog --tree --no-time --no-filesize \
/config /data /etc/caddy /usr/share/caddy /usr/bin/caddy
Octal Permissions User Group Name
0755 drwxr-xr-x@ 0 0 /etc/caddy
0644 .rw-r--r--@ 0 0 └── Caddyfile
0755 drwxr-xr-x@ 0 0 /usr/share/caddy
0644 .rw-r--r--@ 0 0 └── index.html
0755 .rwxr-xr-x@ 1001 127 /usr/bin/caddy
0755 drwxr-xr-x@ 0 0 /config
0755 drwxr-xr-x@ 0 0 └── caddy
0755 drwxr-xr-x@ 0 0 /data
0755 drwxr-xr-x@ 0 0 └── caddy Colour screenshot if it is easier to read: So only Line 35 in eb4bf9a
With either of these approaches: # Extracts to stdout and writes output to /usr/bin/caddy, with default ownership and permissions:
# NOTE: Must restore executable bit with chmod
tar -xzO -f /tmp/caddy.tar.gz caddy > /usr/bin/caddy && chmod +x /usr/bin/caddy; \
# Alternatively, adjust ownership directly after (retains other file metadata from archive):
tar -xz -f /tmp/caddy.tar.gz -C /usr/bin caddy && chown 0:0 /usr/bin/caddy; \ That leaves your change to copy the user permissions into group permissions which can be done with a single line: chmod -R g=u /config /data /etc/caddy /usr/share/caddy /usr/bin/caddy Any bind mount volumes to these locations would need to ensure they have the equivalent root group ownership with write permissions. Assigning SGID ( Although depending on what you're doing I don't think all these locations need write permission granted? Why would
Are you referring to capabilities? You could drop those with Typically to exploit a vulnerability for the container root user to wreck havoc on the host as root it requires actively reducing security on the container (granting more capabilities/privilege, access to the docker socket or equivalent, etc). This doesn't necessarily require the container user to be root to gain access to root on the host either. |
By default, OpenShift Container Platform runs containers using an arbitrarily assigned user ID. This provides additional security against processes escaping the container due to a container engine vulnerability and thereby achieving escalated permissions on the host node.
For an image to support running as an arbitrary user, directories and files that may be written to by processes in the image should be owned by the root group and be read/writable by that group. Files to be executed should also have group execute permissions.
Because the container user is always a member of the root group, the container user can read and write these files. The root group does not have any special permissions (unlike the root user) so there are no security concerns with this arrangement.
(https://docs.redhat.com/en/documentation/openshift_container_platform/3.10/html/creating_images/creating-images-guidelines#openshift-specific-guidelines)
This pull request adds support for running Caddy as an arbitrary user: