
security in docker : use an applicative user instead of root to run vuls server

Open tramora opened this issue 5 years ago • 3 comments

Hi, currently (in version 0.12.3 at least) the process runs under root:

    1 root      0:00 vuls server -listen 0.0.0.0:5515 -format-json -debug -debug-sql -cvedb-type=http -cvedb-url=http://vuls-go-cve-dictionary:1323 -ovaldb-type=http -ovaldb-url=http://vuls-goval-dictionary:1324

It seems better to create and use an applicative user instead.

tramora, Nov 19 '20 11:11

Pull Request welcome 👍

kotakanbe, Nov 20 '20 08:11

Hi @tramora, I was able to make it run while using Docker in Rootless mode. I'll add the required documentation soon.

Jiab77, Dec 08 '20 17:12

Thanks for your comments @kotakanbe & @Jiab77. Indeed, users can use that kind of workaround even in Kubernetes.

    # in the deployment yaml
    # runAsNonRoot/runAsUser/runAsGroup are accepted in both the pod-level and the
    # container-level securityContext; allowPrivilegeEscalation is only valid in
    # the container-level one
    securityContext:
      runAsNonRoot: true
      runAsUser: 27740
      runAsGroup: 27740
      allowPrivilegeEscalation: true

That's why this "issue" seems very low priority, even if it should be simple to fix.

In the Dockerfile:

    # create the unprivileged user the server will run as
    RUN apk add --no-cache sudo && \
        adduser -D -s /sbin/nologin app_user

and in the entrypoint call:

    # drop from root to app_user before starting the server; apk installs sudo
    # as /usr/bin/sudo, so resolve it through PATH rather than /sbin/sudo
    sudo --user=app_user vuls "$@"

tramora, Dec 11 '20 10:12
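As an added example (not the vuls project's Dockerfile and not code from anyone in this thread), the same fix done with a `USER` directive instead of a root entrypoint plus sudo, so the container never starts as root and no sudo binary ships in the image; it assumes a base image that already provides the `vuls` binary on PATH and uses `/vuls` as its working directory (the image tag is a placeholder), and reuses the UID 27740 from the Kubernetes snippet above so `runAsUser` can match the image user exactly.

```dockerfile
# Added example, not the vuls project's own Dockerfile: run the server as a
# fixed-UID application user via USER instead of sudo in the entrypoint.
# Assumptions: the base image already provides the `vuls` binary on PATH and
# uses /vuls as its working directory; the image tag below is a placeholder.
FROM vuls/vuls:PLACEHOLDER_TAG

# Fixed UID/GID (27740, reused from the Kubernetes snippet in this thread) so
# runAsUser/runAsGroup in a pod spec can match the image user exactly.
# -S system account, -D no password, -H no home directory, no login shell.
RUN addgroup -g 27740 -S app_user && \
    adduser -u 27740 -G app_user -S -D -H -s /sbin/nologin app_user && \
    mkdir -p /vuls && chown -R app_user:app_user /vuls

WORKDIR /vuls

# Numeric UID rather than a name: with runAsNonRoot: true the kubelet refuses
# to start a container whose image USER is non-numeric, and a numeric UID is
# unambiguous in `ps` output inside the container.
USER 27740:27740

# Every later layer and the running container execute as UID 27740; port 5515
# is unprivileged, so no capability is needed to bind it.
ENTRYPOINT ["vuls"]
CMD ["server", "-listen", "0.0.0.0:5515", "-format-json", "-cvedb-type=http", "-cvedb-url=http://vuls-go-cve-dictionary:1323", "-ovaldb-type=http", "-ovaldb-url=http://vuls-goval-dictionary:1324"]
```

Any volume mounted at `/vuls` must be writable by UID 27740 on the host, and `docker exec <container> id -u` should print `27740` once the container is up.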