docker-openwisp icon indicating copy to clipboard operation
docker-openwisp copied to clipboard

Published 20 hours ago verified publisher icon openwisp

[security] Ensure `--user` option does not make us less secure

Open atb00ker opened this issue 2 years ago • 3 comments

Now that we are using --user, I wonder,

We will have to copy /home/openwisp/.local/ in the next step, would have increase the size of the final image OR would we be carrying any useless install dependency or system package like gcc's residue that we don't need or want in the final image?

P.S: We specifically don't want gcc in the final image because it can potentially allow a malicious person to try to compile things, potentially making us vulnerable to a host of unknown exploits. (Just for your info, @codesankalp)

Originally posted by @atb00ker in https://github.com/openwisp/docker-openwisp/pull/213#discussion_r872974150

atb00ker avatar May 16 '22 19:05 atb00ker

@atb00ker I don't understand if this is a question or you found a specific problem which needs to be solved.

Can you please explain:

  • what problem do you see and why it's a problem
  • what do you think should be done instead and why it's better?

Are you talking about multi-stage build steps? Was any step messed by https://github.com/openwisp/docker-openwisp/pull/200 and if yes can you point out the lines which messed it up?

nemesifier avatar May 16 '22 19:05 nemesifier

It is a request for investigation.

  • what problem do you see and why it's a problem

Potential Problem: Using --user instead of installing in /install. Reason it's a potential problem: copying all the files from user install directory might cause us to copy more than we need or know about, causing a potential security problem.

  • what do you think should be done instead and why it's better?

What should be done: We should investigate what all is copied from the previous stage and make sure we know everything and want everything in the final image. (and preferably, no cache is copied either)

If investigation yields something undesirable exists in the final image, we should take steps to remove it, otherwise we are good to close it.

  • How will we do it?

A couple of things in my mind:

  1. Check the final image's (openwisp-base) /home/openwisp/.local/ directory.
  2. Check the intermediate image's /home/openwisp/.local/ directory.

Check files in another and manually go through them to make sure we need everything here.

atb00ker avatar May 21 '22 12:05 atb00ker

P.S: This issue does need a prior knowledge about what all is actually required to run openwisp and what all is just installation residue or other unimportant binaries.

I'll plan to take this issue soon! 😄

atb00ker avatar May 21 '22 12:05 atb00ker