Running our Docker Containers as ROOT could let a user gain root access on the host

[sameh-farouk]

Description

Running our Docker Container as ROOT could pose a security risk.

https://github.com/threefoldtech/js-sdk/blob/8d6b956acb528da0a28af10a772544bcdadb9718/jumpscale/install/Dockerfile

even with the container is isolated, it does not prevent the attacker from exploiting other services via the network.

Version information

• Project commit/version: js-sdk 8d6b956 11.0b4

Implementation

configuring our container to use unprivileged user is the best way to prevent privilege escalation attacks.
we can refer to this example for implementation:

Example:

FROM alpine
RUN groupadd -r myuser && useradd -r -g myuser myuser
"HERE DO WHAT YOU HAVE TO DO AS A ROOT USER LIKE INSTALLING PACKAGES ETC."
USER myuser
"THINGS DON'T REQUIRE ROOT"

Useful References

https://docs.docker.com/engine/reference/builder/#user
https://americanexpress.io/do-not-run-dockerized-applications-as-root/
https://engineering.bitnami.com/articles/why-non-root-containers-are-important-for-security.html
http://www.projectatomic.io/blog/2016/01/how-to-run-a-more-secure-non-root-user-container/