[FEAT] Allow running containers as non-root #373
Comments
Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.
Thanks for your comments, but we are not in agreement about good/bad security practices in this instance. We are not planning on dropping s6 or supporting rootless in the near future.
@aptalca I'm honestly curious as to why you don't consider this a security issue. I thought this was a common security practice for containers to reduce the surface attack area of a rogue service that could exploit vulnerabilities in the runtime to get full access to the host as root.
It does not outweigh the benefits.
@Roxedus In this case the benefit being S6? Why is a process supervisor necessary for a single process like Plex? Running services as root has always been a bad practice, even inside single app VMs. Why are we comfortable doing this on a shared kernel? Edit: just saw that S6 drops the process privileges. I thought the processes were running as root too. Thanks.
We've had this discussion plenty of times on various platforms. No desire to argue about vague blanket statements like "rootful container is a bad security practice", etc. Feel free to go through the source and if you find any actual vulnerabilities, you can let us know: https://github.com/linuxserver/.github/blob/main/SECURITY.md
The s6-overlay README says:
It does not. We aren't using 3.2 and likely won't look at it until at least the first point release. After that point we may look at non-root operation but it would require a number of changes to individual containers and not all are going to be viable even in a best-case scenario.
OK. If/when you need any testers for the plex container with version 3.2 of s6-overlay, I'm more than happy to volunteer.
Is this a new feature request?
Wanted change
Allow running docker images as non-root.
Reason for change
Security. This is a very important docker container security practice. Right now containers are running as root and capabilities can't be dropped. Is using S6 really a reason to go against basic security practices?
Proposed code change
Stop using dependencies that force bad security practices, specifically S6.