gosu carries many CVE and appears unused
jrwren opened this issue · 5 comments
Would you be open to a patch which removes the unused gosu?
- gosu is not actually vulnerable to any of those CVEs: https://github.com/tianon/gosu/blob/a1f38cab3a132e996dc4972605ec91e8650d4859/SECURITY.md
- No, it cannot be removed since it is used in the entrypoint to step down from root when running Redis: https://github.com/docker-library/redis/blob/7487c7847c77730da6eea7cd5cfbd235eb2b6628/docker-entrypoint.sh#L11-L14
I realize it isn't a real vulnerability, but it shows as a HIGH-score CVE in scan tools. Millions of man hours at workplaces all around the world have been wasted trying to document around these false-positive vulnerability scans. The gosu author refuses to make a release. An alternative is to remove gosu. Is there a reason su from util-linux or busybox can't be used instead?
Can we use su-exec to achieve a similar result? https://gist.github.com/StevenACoffman/41fee08e8782b411a4a26b9700ad7af5
There's an outstanding parser bug in su-exec that means it falls back to silently running as root if you typo the username. It has been fixed for five years, but there hasn't been a new release in all that time. I sure wouldn't recommend it (and certainly wouldn't approve any new PRs adding it).
Can runuser (as suggested in the su man page) work? Aren't these equivalent?

`exec gosu redis "$0" "$@"`

and

`exec runuser -u redis -- "$0" "$@"`

edit: ugh, never mind. Now I see runuser is from util-linux, but alpine/busybox do not have an equivalent.

edit2: maybe `apk add runuser`? Even with all of the deps it is still smaller (1416kb) than gosu (2250kb).

update: never mind. The semantics of runuser are not the same as gosu, and rather than exec it does fork and exec.
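As an added example (not code from this thread, from gosu, or from the redis image), this is the shape of the step-down-and-exec helper that the `exec gosu redis "$0" "$@"` entrypoint line relies on, written so that an unknown user is a hard error rather than the silent fallback to root described for su-exec, and so that the server is exec'd in place rather than forked. `FAKE_USERS` and `FAKE_GROUPS` are constructed sample tables, and `drop_and_exec` assumes it is started as root.

```python
import grp
import os
import pwd

# Constructed sample tables (not a real system): user name -> (uid, primary
# gid) and group name -> gid. They stand in for /etc/passwd and /etc/group.
FAKE_USERS = {"root": (0, 0), "redis": (999, 999)}
FAKE_GROUPS = {"root": 0, "redis": 999, "nogroup": 65534}


def resolve_spec(spec, users, groups):
    """Resolve a gosu-style 'user' or 'user:group' spec to (uid, gid).

    Any unknown name raises. That is the property the su-exec bug discussed
    above lacks: a typo must be a hard failure, never a silent fallback to
    the caller's (root) identity.
    """
    user, _, group = spec.partition(":")
    if not user:
        raise ValueError("empty user in spec %r" % spec)
    if user not in users:
        raise ValueError("unknown user %r" % user)
    uid, gid = users[user]
    if group:
        if group not in groups:
            raise ValueError("unknown group %r" % group)
        gid = groups[group]
    return uid, gid


def system_tables():
    """Build the same tables from the real passwd/group databases."""
    users = {e.pw_name: (e.pw_uid, e.pw_gid) for e in pwd.getpwall()}
    groups = {e.gr_name: e.gr_gid for e in grp.getgrall()}
    return users, groups


def drop_and_exec(spec, argv):
    """Step down to `spec` and exec `argv` in place, as an entrypoint would."""
    uid, gid = resolve_spec(spec, *system_tables())
    # Order matters: supplementary groups and gid before uid, because once
    # the process is no longer root the group changes would be refused.
    os.setgroups([gid])
    os.setgid(gid)
    os.setuid(uid)
    # Never exec while still root if any step silently failed.
    if os.geteuid() != uid or os.getegid() != gid:
        raise SystemExit("privilege drop failed; refusing to exec as root")
    # execvp() replaces this process (same PID) rather than forking a child,
    # so a container's PID 1 becomes the server itself and signals reach it.
    os.execvp(argv[0], argv)
```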