nodejs-docker-best-practices
serving writable js files
Hello there! Thanks for the article, it's very useful, but there's one thing that bugs me: in the "Don't run containers as root" part you insist on serving files that are writable by the node user, the very same user that's used for serving JS scripts to the public.
> cat Dockerfile
FROM node:lts-alpine@sha256:b2da3316acdc2bec442190a1fe10dc094e7ba4121d029cb32075ff59bb27390a
RUN apk add dumb-init
ENV NODE_ENV production
WORKDIR /usr/src/app
COPY --chown=node:node . .
RUN whoami
RUN npm ci --only=production
USER node
CMD ["dumb-init", "node", "server.js"]
> docker run -ti $(basename $(pwd)):$(git rev-parse --short HEAD) ls -la
total 60
drwxr-xr-x 1 root root 4096 Dec 22 12:19 .
drwxr-xr-x 1 root root 4096 Dec 22 12:19 ..
-rw-r--r-- 1 node node 16 Dec 22 07:55 .npmrc
-rw-r--r-- 1 node node 11357 Dec 22 07:55 LICENSE
-rw-r--r-- 1 node node 462 Dec 22 07:55 README.md
drwxr-xr-x 49 root root 4096 Dec 22 12:19 node_modules
-rw-r--r-- 1 node node 14489 Dec 22 07:55 package-lock.json
-rw-r--r-- 1 node node 363 Dec 22 07:55 package.json
-rw-r--r-- 1 node node 1051 Dec 22 07:55 server.js
> docker exec -ti nodejs-docker-best-practices ps aux
PID USER TIME COMMAND
1 node 0:00 dumb-init node server.js
8 node 0:00 node server.js
15 node 0:00 ps aux
I see it like this:
If you've been hacked (because of the webserver or Node.js itself or whatever reason), the hacker, as user node, can write anything at all into server.js (or any other node_modules file for that matter, because further in the article you chown node_modules as well) and we get ourselves a site that mines crypto on our visitors' computers. See https://blog.sucuri.net/2017/09/hacked-websites-mine-crypocurrencies.html for example.
So could you please elaborate on the rationale behind
COPY --chown=node:node . .
If a hacker has gotten as far as being able to get into your network and run random docker exec commands, you've got larger security holes to worry about than Node.js applications.
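For reference, here is the shape of the Dockerfile the opening post is asking for: the application tree is left owned by root and merely readable by the unprivileged node user, so a compromised Node.js process cannot rewrite server.js or anything under node_modules. This is an added example, not code from the article or from either participant. It assumes the same base image and dumb-init as the Dockerfile quoted above, and that the application needs no writable path other than the /usr/src/app/tmp directory it creates; adjust that one line if your app writes elsewhere.

```dockerfile
# Added example, not the article's Dockerfile. Same base image and dumb-init
# as the one quoted in the issue; the only difference is file ownership.
FROM node:lts-alpine@sha256:b2da3316acdc2bec442190a1fe10dc094e7ba4121d029cb32075ff59bb27390a
RUN apk add --no-cache dumb-init
ENV NODE_ENV production
WORKDIR /usr/src/app

# No --chown: COPY runs as root, so every file lands as root:root.
# Installing as root too means node_modules is root-owned as well.
COPY package.json package-lock.json ./
RUN npm ci --only=production
COPY . .

# Normalize modes from the build context: strip write permission for group and
# others without touching read/exec bits, so node can still read sources and
# load modules but cannot modify them. Nothing in this tree is chowned to node.
RUN chmod -R go-w /usr/src/app

# Assumption: the app needs exactly one writable location. Create it explicitly
# and give only that directory to the runtime user.
RUN mkdir -p /usr/src/app/tmp && chown node:node /usr/src/app/tmp

# Drop privileges only after the filesystem layout is final.
USER node
CMD ["dumb-init", "node", "server.js"]
```

To check the result after building, run `docker run --rm <image> ls -la /usr/src/app` and confirm every entry except tmp is `root root`, then `docker run --rm <image> sh -c 'touch server.js'`, which should fail with "Permission denied". Two caveats: this only protects the shipped artifacts from being tampered with or used for persistence, it does not stop an attacker who already executes code inside the process from writing a payload to /tmp and running it, so it pairs well with `docker run --read-only --tmpfs /usr/src/app/tmp`; and if the root filesystem is made read-only that way, the explicit chown of tmp becomes unnecessary because the tmpfs mount is the only writable path.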