Dockerfile doesn't specify USER
Description
By not specifying a USER, a program in the container may run as root. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than root.
images/orderer/Dockerfile:73
CMD [ "orderer", "start" ]

images/peer/Dockerfile:77
VOLUME /etc/hyperledger/fabric
VOLUME /var/hyperledger
EXPOSE 7051
CMD [ "peer", "node", "start" ]
References
https://owasp.org/Top10/A04_2021-Insecure_Design
Steps to reproduce
No response
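The check the report describes (is the last USER instruction something other than root?) can be automated. The script below is an added example, not code from the Fabric repository or from the reporter: it parses a Dockerfile, takes the final USER instruction, and treats a missing USER, `root`, or UID `0` as running as root. The two Dockerfiles it writes are constructed samples (the base image `alpine:3.19` and the `fabric` account name are assumptions), one mirroring the reported pattern with no USER, the other adding an unprivileged account and switching to it before CMD.

```shell
#!/bin/sh
# Added example: report whether a Dockerfile's last USER instruction is non-root.
# Exit status 0 = final USER is non-root, 1 = no USER, or USER is root / UID 0.
last_user_is_nonroot() {
  dockerfile="$1"
  # Drop comments, keep USER instructions (Dockerfile keywords are case-insensitive),
  # take the last one and its argument. A multi-stage build is judged by its final USER.
  last_user=$(sed 's/#.*//' "$dockerfile" \
    | grep -i '^[[:space:]]*USER[[:space:]]' \
    | tail -n 1 \
    | awk '{print $2}')
  case "$last_user" in
    "") return 1 ;;                 # no USER at all: the image defaults to root
    root|root:*|0|0:*) return 1 ;;  # explicit root, by name or by UID, with or without a group
    *) return 0 ;;                  # a named user, a non-zero UID, or user:group
  esac
}

# Constructed sample in the reported shape: EXPOSE and CMD with no USER, so CMD runs as root.
write_root_sample() {
  cat > "$1" <<'EOF'
FROM alpine:3.19
EXPOSE 7051
CMD [ "peer", "node", "start" ]
EOF
}

# Constructed sample of the fix: create an unprivileged account and make it the last USER.
write_nonroot_sample() {
  cat > "$1" <<'EOF'
FROM alpine:3.19
RUN addgroup -S fabric && adduser -S -G fabric fabric
EXPOSE 7051
USER fabric
CMD [ "peer", "node", "start" ]
EOF
}

# Stand-alone demo: write both samples to a temp dir and print a verdict for each.
demo_dir=$(mktemp -d)
write_root_sample "$demo_dir/Dockerfile.root"
write_nonroot_sample "$demo_dir/Dockerfile.nonroot"
for f in "$demo_dir/Dockerfile.root" "$demo_dir/Dockerfile.nonroot"; do
  if last_user_is_nonroot "$f"; then
    echo "OK   $f: last USER is non-root"
  else
    echo "WARN $f: container will run as root"
  fi
done
rm -rf "$demo_dir"
```

The check is deliberately textual: a `USER ${APP_USER}` whose variable is only resolved at build time, or a `USER` keyword inside a RUN heredoc, is not interpreted, so a clean result from this script is a reason to inspect the file, not proof. For the built image, `docker inspect --format '{{.Config.User}}' IMAGE` shows the effective user the same way (an empty string means root).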
Thanks for the issue; you are correct, for production deployments a non-root USER is indeed recommended.
The Docker image built in this repository and the associated usage in fabric-samples repository are for education and test purposes only as mentioned at https://github.com/hyperledger/fabric/tree/main/images/peer. root is utilized for simplicity in the samples to interact with the Docker daemon when building and starting chaincodes.
Production deployments should specify a USER and are encouraged to use a chaincode build and run approach appropriate for the production environment (e.g. Kubernetes based), see https://hyperledger-fabric.readthedocs.io/en/latest/cc_launcher.html.
We can utilize this issue to make the recommendation more clear; I'll update the title and remove the bug label accordingly.
Hi @denyeart, has this issue been fixed? Do you mind if I take it up?