redis/docker-library-redis

gosu carries many CVE and appears unused

jrwren opened this issue · 5 comments

Would you be open to a patch which removes the unused gosu?

  1. gosu is not actually vulnerable to any of those CVEs: https://github.com/tianon/gosu/blob/a1f38cab3a132e996dc4972605ec91e8650d4859/SECURITY.md
  2. No, it cannot be removed since it is used in the entrypoint to step down from root when running Redis
    https://github.com/docker-library/redis/blob/7487c7847c77730da6eea7cd5cfbd235eb2b6628/docker-entrypoint.sh#L11-L14

I realize it isn't a real vulnerability, but it shows as a HIGH score CVE in scan tools. Millions of man hours at workplaces all around the world have been wasted at trying to document around these false positive vulnerability scans. The gosu author refuses to make a release. An alternative is to remove gosu. Is there a reason su from util-linux or busybox can't be used instead?

There's an outstanding parser bug in su-exec that means it falls back to silently running as root if you typo the username; it's been fixed for five years, but there hasn't been a new release in all that time. I sure wouldn't recommend it (and certainly wouldn't approve any new PRs adding it).

Can runuser (as suggested in the su man page) work?

Aren't these equivalent?

exec gosu redis "$0" "$@"

and

exec runuser -u redis -- "$0" "$@"

edit: ugh, never mind. Now I see runuser is from util-linux, but alpine/busybox do not have an equivalent.

edit2: maybe apk add runuser?

Even with all of the deps it is still smaller (1416kb) than gosu (2250kb).

update: never mind. The semantics of runuser are not the same as gosu: rather than exec, it does fork and exec.
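The fork-and-exec versus exec distinction in the last comment is the one that matters for a container entrypoint, because whatever runs at PID 1 is what receives the SIGTERM from `docker stop` and what the runtime tracks. The script below is an added illustration, not code from this thread or from the redis image; it uses only plain `sh` (gosu and runuser are never invoked) and models the two hand-over styles with nested shells to show which one leaves the payload holding the wrapper's PID.

```shell
#!/bin/sh
# Constructed example (not the redis image's entrypoint): why the entrypoint
# uses `exec gosu ...` rather than a wrapper that forks. Only plain `sh` is
# used here; gosu and runuser are never invoked.
#
# A privilege-dropping wrapper can hand the command over in two ways:
#   exec style (gosu):    the wrapper process *becomes* the command, same PID
#   fork style (runuser): the wrapper stays alive and waits on a child
# In a container whose entrypoint is PID 1 this decides which process receives
# the SIGTERM that `docker stop` sends, and which one the runtime waits on.

# Wrapper that forks: the payload runs as a child; the wrapper keeps its PID.
# The trailing `true` stops shells that exec-optimise the last command of a
# -c string (dash, bash 5.1+) from hiding the fork.
run_fork() {
    sh -c 'WRAPPER=$$; export WRAPPER; sh -c "echo \$\$ \$WRAPPER"; true'
}

# Wrapper that execs: the payload replaces the wrapper, inheriting its PID.
run_exec() {
    sh -c 'WRAPPER=$$; export WRAPPER; exec sh -c "echo \$\$ \$WRAPPER"'
}

# Runs the named wrapper and prints "yes" when the payload ended up with the
# wrapper's PID (what an entrypoint at PID 1 needs), "no" otherwise.
pid_preserved() {
    set -- $("$1")          # $1 = payload PID, $2 = wrapper PID
    if [ "$1" = "$2" ]; then echo yes; else echo no; fi
}

# Stand-alone run:
echo "exec-style wrapper keeps PID: $(pid_preserved run_exec)"   # yes
echo "fork-style wrapper keeps PID: $(pid_preserved run_fork)"   # no
```

Swap the inner `sh -c` for the real step-down tool to check a candidate replacement: if the payload's PID differs from the wrapper's, the entrypoint must either keep `exec` in front of a tool that itself execs, or forward signals and reap children explicitly.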