Security issue: node is run as root

Question

Security issue: node is run as root

mtparet opened this issue 10 years ago · 19 comments

In case of security flaw in the application run and in docker.
cf:
http://blog.zeltser.com/post/104976675349/security-risks-and-benefits-of-docker-application
http://thenewstack.io/docker-addresses-more-security-issues-and-outlines-plugin-approach/
http://www.slideshare.net/jpetazzo/docker-linux-containers-lxc-and-security
https://blog.xenproject.org/2014/06/23/the-docker-exploit-and-the-security-of-containers/

Answer 1 · 2015-01-28T18:35:06.000Z

Thanks, we'll look at ways to address this in a future release.

Answer 2 · 2015-01-28T18:37:35.000Z

If you come up with a good way to actually solve this nicely at the language stack level, please share so we can make sure all the stacks get updated. We've been trying to think through this problem for a while, and there's not really an easy "works for everyone" way to do this without knowing the specifics of the application being Dockerized (in our experience).

TL;DR this might be more of a docs problem (ie, update the documentation to show best practices for running your application as non-root)

Answer 3 · 2015-01-28T19:02:32.000Z

Sure :)

For now though, you are right, it really is a docs problem

Answer 4 · 2015-01-28T21:05:22.000Z

Thanks for answers.

Answer 5 · 2015-01-29T17:13:04.000Z

Closing this out, since it's more of a Docs/best practice issue at this point.

Answer 6 · 2015-02-07T23:45:42.000Z

since it's more of a Docs/best practice
I disagree it should be a default behavior.
It's a bad practice of running software as root although they do not need root rights.

Answer 7 · 2015-02-09T14:45:05.000Z

What about needing to bind to port 80 or other similar scenarios?

Answer 8 · 2015-02-09T15:40:26.000Z

As Docker can handle binding container port to host port, it should not be an issue ? (We should be able to bind the 8080 port on the container to the 80 port on the host)

Answer 9 · 2015-02-09T16:28:15.000Z

True, but I guess that means possibly breaking things for anyone using the current image, right?

Answer 10 · 2015-02-09T16:37:07.000Z

Yes this will be a breaking change...

Answer 11 · 2015-02-10T17:27:56.000Z

Isn't the port to bind on specified in the application itself?

Answer 12 · 2015-02-10T18:48:10.000Z

"Isn't the port to bind on specified in the application itself?"
What do you mean ?
Yes the application itself inside the container will specified its port but we should be able to bind it to any port on the host when running the container (with the option -p), no ?

Answer 13 · 2015-02-10T19:52:46.000Z

Right, but what I mean is that the application source code itself specifies the port that it wants to bind to by default (be it 8080, 9000, 80, etc). This is why our original "onbuild" variant didn't include an "EXPOSE" instruction -- we can't really know which port the image user's application is going to be listening on ahead of time in a simple, generic way.

Answer 14 · 2015-02-10T23:32:10.000Z

Yes of course. It's fine to let the application binding the port it wants to.
But this does not imply giving root right to this one by default as it should not be needed for a web server. (If they need to bind the port 80, they should change this or if not possible use possible workaground http://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privileged-ports-1024-on-l#414258)

Answer 15 · 2015-02-15T23:53:34.000Z

Docker's official stance on this seems clear to me:

If a service can run without privileges, use USER to change to a non-root user.

We're not in compliance. If someone wants to run the Node process as root (e.g., to bind to port 80), then the burden should be on them to write a custom Dockerfile.

Answer 16 · 2015-02-16T03:50:28.000Z

This isn't the Dockerfile for a "service", but a base Dockerfile for services, some of which may be able to run as root and some of which won't.

I personally the consider the part after what @NodeGuy quoted just as important in determining whether a Docker image should use USER:

Note: Users and groups in an image get a non-deterministic UID/GID in that the “next” UID/GID gets assigned regardless of image rebuilds. So, if it’s critical, you should assign an explicit UID/GID.

For a base image like node where you have no idea what people will or will not want to mount into their container as volumes, you're going to frequently run into user support issues where your "node" user (or whatever the in-container user would be called) either doesn't have access to files that someone has bind-mounted into the container at all or doesn't have the appropriate UID for being able to write files to the mount. Debugging this in the presence of things like boot2docker mounts using VirtualBox shared folders gets even harder to explain.

Just my two cents on why changing to USER node isn't necessarily cut and dry.

Answer 17 · 2015-02-16T08:51:59.000Z

I agree with your point @md5 but currently most of the application using the base image as run as root although there are no need. https://github.com/search?utf8=%E2%9C%93&q=FROM+node%3A0.10-onbuild&type=Code&ref=searchresults
So if we can't make it a default it should be very clear in the documentation...

Answer 18 · 2015-05-21T21:32:03.000Z

Agree that doing the right thing by default would be really nice.

Answer 19 · 2016-03-16T21:30:30.000Z

Documentation landed in #122