
non-root / unprivileged docker image

Open candrews opened this issue 3 years ago • 3 comments

Describe the bug

It's a nice practice for security reasons to have docker images use a non-root user.

For example, nginx publishes nginxinc/nginx-unprivileged (which uses the non-root user nginx) and nginx which uses root.

Ideally, the non-root / unprivileged Dockerfile may be as simple as:

FROM clamav/clamav:0.105.1
USER clamav

and those images would be published alongside the existing (root user using) images with a suffix, for example, there would be:

  • latest
  • latest-unprivileged
  • 0.105.1
  • 0.105.1-unprivileged, etc.

How to reproduce the problem

Run a docker image, for example, docker run -it --entrypoint /bin/sh clamav/clamav, and note that the user is root.

It would be nice if one could run docker run -it --entrypoint /bin/sh clamav/clamav:latest-unprivileged and see that a non-root user is used.

candrews avatar Aug 04 '22 19:08 candrews
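As an added illustration of the proposal above (this is not code from the ClamAV project or from the issue author), the script below renders the two-line Dockerfile from the issue for a given base tag, derives the matching "-unprivileged" tag, builds the image and then checks the effective uid inside the container instead of trusting the USER directive alone. It assumes the base image clamav/clamav:0.105.1 named in the issue exists and that a user called clamav is present in it; the helper names, the BASE_IMAGE and RUN_USER variables and the "build" argument are this example's own conventions.

```shell
#!/bin/sh
# Added example, not part of the ClamAV project: build a non-root variant of
# the official image and verify that processes in it do not run as uid 0.
# Assumed: the base tag from the issue and a "clamav" user inside that image.
set -eu

BASE_IMAGE="${BASE_IMAGE:-clamav/clamav:0.105.1}"
RUN_USER="${RUN_USER:-clamav}"

# Derive the "-unprivileged" tag following the suffix scheme proposed in the
# issue: clamav/clamav:0.105.1 -> clamav/clamav:0.105.1-unprivileged.
# A base without an explicit tag is treated as "latest" (assumption: the
# image reference carries no registry port, so any ':' marks the tag).
unprivileged_tag() {
    case "$1" in
        *:*) printf '%s-unprivileged\n' "$1" ;;
        *)   printf '%s:latest-unprivileged\n' "$1" ;;
    esac
}

# Emit the two-line Dockerfile from the issue for a base image and a user.
render_dockerfile() {
    printf 'FROM %s\nUSER %s\n' "$1" "$2"
}

# Given the output of `id -u` captured from inside a container, succeed only
# when it is a numeric uid other than 0. Kept free of Docker calls so the
# check itself can be exercised anywhere.
is_unprivileged_uid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: treat as a failure
    esac
    [ "$1" -ne 0 ]
}

# Build the unprivileged image and verify the effective uid at runtime.
main() {
    tag=$(unprivileged_tag "$BASE_IMAGE")
    if ! command -v docker >/dev/null 2>&1; then
        echo "docker not found; Dockerfile that would be built as $tag:" >&2
        render_dockerfile "$BASE_IMAGE" "$RUN_USER"
        return 0
    fi
    workdir=$(mktemp -d)
    render_dockerfile "$BASE_IMAGE" "$RUN_USER" > "$workdir/Dockerfile"
    docker build -t "$tag" "$workdir"
    # Override the entrypoint so the check sees the real uid of the process,
    # mirroring the `docker run -it --entrypoint /bin/sh` step in the issue.
    uid=$(docker run --rm --entrypoint id "$tag" -u)
    if is_unprivileged_uid "$uid"; then
        echo "$tag runs as uid $uid (non-root): OK"
    else
        echo "$tag still runs as uid ${uid:-unknown}: FAIL" >&2
        return 1
    fi
}

# The build only runs when invoked with the "build" argument, so the helper
# functions can be sourced and checked without touching Docker.
if [ "${1:-}" = "build" ]; then
    main
fi
```

Run it as `sh build_unprivileged.sh build` (with `BASE_IMAGE` overridden to try another tag); without the argument it only defines the helpers. The uid check is deliberately based on `id -u` output rather than on the presence of a USER line, since a later stage or an entrypoint script could still escalate back to root.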

https://github.com/Cisco-Talos/clamav/pull/666 would be required for this issue

candrews avatar Aug 04 '22 19:08 candrews

@candrews I believe this issue is a duplicate of https://github.com/Cisco-Talos/clamav/issues/478. Is that correct?

val-ms avatar Aug 04 '22 23:08 val-ms

@candrews I believe this issue is a duplicate of #478. Is that correct?

I wasn't aware of #478, thank you for pointing it out. I've added a comment: https://github.com/Cisco-Talos/clamav/issues/478#issuecomment-1210049327

I think it's very important for both root and non-root images to be published, which I've stated in this issue, whereas the current description of #478 seems to indicate that only non-root images would be published going forward (which would be a major problem for me and IMHO a major break in backwards compatibility).

candrews avatar Aug 10 '22 01:08 candrews

Closing this one to continue discussion in #478 and I will update the title and make a comment along those lines.

val-ms avatar Nov 15 '22 23:11 val-ms