future-architect/vuls


security in docker : use an applicative user instead of root to run vuls server #1077

tramora posted on GitHub

Hi, currently (in version 0.12.3 at least) the process runs as root:

    1 root      0:00 vuls server -listen 0.0.0.0:5515 -format-json -debug -debug-sql -cvedb-type=http -cvedb-url=http://vuls-go-cve-dictionary:1323 -ovaldb-type=http -ovaldb-url=http://vuls-goval-dictionary:1324

It seems better to create and use an applicative user instead.


Pull Request welcome 👍

posted by kotakanbe over 4 years ago

Hi @tramora, I was able to make it run while using Docker in Rootless mode. I'll add the required documentation soon.

posted by Jiab77 over 4 years ago

Thanks for your comments @kotakanbe & @Jiab77. Indeed, users can use that kind of workaround even in Kubernetes.

```yaml
# in the deployment yaml (container-level securityContext;
# allowPrivilegeEscalation is only accepted there, not at pod level)
securityContext:
  runAsNonRoot: true
  runAsUser: 27740
  runAsGroup: 27740
  allowPrivilegeEscalation: true
```

That's why this "issue" seems very low priority, even if it should be simple to fix.

In the Dockerfile

```dockerfile
# create a password-less application user with no login shell
RUN apk add --no-cache sudo && \
    adduser -D -s /sbin/nologin app_user
```

and in the entrypoint call

```sh
# drop from root to the application user; the Alpine sudo package installs to /usr/bin
/usr/bin/sudo --user=app_user vuls
```

posted by tramora over 4 years ago
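As an added example (not the project's own Dockerfile), here is one way to bake the unprivileged user into the image itself instead of relying on sudo in the entrypoint or on a runtime securityContext override. The Alpine base, the `vuls` binary being copied in from the build context, the `/vuls` data directory and the fixed UID/GID 27740 are assumptions; the server flags are the ones from the process listing above.

```dockerfile
# Added example: run "vuls server" as an unprivileged user.
# Assumptions: Alpine base image, a prebuilt vuls binary in the build
# context, and /vuls as the directory the server reads and writes.
FROM alpine:3.18

COPY vuls /usr/local/bin/vuls

# Dedicated system user: no password, no home, no login shell.
# Pinning the UID/GID makes a Kubernetes runAsUser/runAsGroup of 27740
# match the file ownership inside the image.
RUN addgroup -g 27740 -S vuls && \
    adduser -u 27740 -G vuls -S -D -H -s /sbin/nologin vuls

# The application user owns only the directory it must write to.
RUN mkdir -p /vuls && chown -R vuls:vuls /vuls
WORKDIR /vuls

# Drop privileges at build time: every later instruction and the
# container process run as this user, so no sudo is needed.
USER vuls

# Exec form: PID 1 is the vuls process itself, owned by the unprivileged
# user. Port 5515 is above 1024, so no root capability is required to bind it.
ENTRYPOINT ["vuls", "server", "-listen", "0.0.0.0:5515", "-format-json", \
            "-cvedb-type=http", "-cvedb-url=http://vuls-go-cve-dictionary:1323", \
            "-ovaldb-type=http", "-ovaldb-url=http://vuls-goval-dictionary:1324"]
```

To confirm the result, `docker run --rm --entrypoint id <image>` should report uid 27740 rather than 0, and a Kubernetes deployment can then set `allowPrivilegeEscalation: false` since nothing in the container needs setuid.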
