[FEAT] Allow running containers as non-root #373

Closed
1 task done
AndresPineros opened this issue Sep 1, 2023 · 9 comments

@AndresPineros

Is this a new feature request?

  • I have searched the existing issues

Wanted change

Allow running docker images as non-root.

Reason for change

Security. This is a very important docker container security practice. Right now containers are running as root and capabilities can't be dropped. Is using S6 really a reason to go against basic security practices?

Proposed code change

Stop using dependencies that force bad security practices, specifically S6.

@github-actions

github-actions bot commented Sep 1, 2023

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

@aptalca
Member

aptalca commented Sep 1, 2023

Thanks for your comments, but we are not in agreement about good/bad security practices in this instance.

We are not planning on dropping s6 or supporting rootless in the near future.

aptalca closed this as not planned Sep 1, 2023

@AndresPineros
Author

@aptalca I'm honestly curious as to why you don't consider this a security issue. I thought this was a common security practice for containers to reduce the surface attack area of a rogue service that could exploit vulnerabilities in the runtime to get full access to the host as root.

@Roxedus
Member

Roxedus commented Sep 1, 2023

It does not outweigh the benefits.

@AndresPineros
Author

AndresPineros commented Sep 1, 2023

@Roxedus In this case the benefit being S6? Why is a process supervisor necessary for a single process like Plex? Running services as root has always been a bad practice, even inside single app VMs. Why are we comfortable doing this on a shared kernel?

Edit: just saw that S6 drops the process privileges. I thought the processes were running as root too. Thanks.
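
The point raised in the edit above (the container starts as root, but the supervised service may run with dropped privileges) can be checked from inside a running container by reading `/proc/<pid>/status`. The following is an added example, not part of the thread or the project's code; the two sample status records and the process name `media-app` are constructed for illustration.

```python
"""List processes that still hold root or capabilities, from /proc/<pid>/status."""
import glob


def parse_status(text):
    """Extract name, effective UID and effective capability mask from one status file."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key] = value.split()
    return {
        "name": " ".join(fields.get("Name", ["?"])),
        "euid": int(fields["Uid"][1]),            # Uid: real, effective, saved, fs
        "cap_eff": int(fields["CapEff"][0], 16),  # bitmask, one bit per capability
    }


def cap_count(proc):
    """Number of capabilities in the effective set."""
    return bin(proc["cap_eff"]).count("1")


def privileged(procs):
    """Names of processes with euid 0 or a non-empty effective capability set."""
    return [p["name"] for p in procs if p["euid"] == 0 or p["cap_eff"] != 0]


def scan_live():
    """Parse every readable /proc/<pid>/status; run this inside the container."""
    found = []
    for path in glob.glob("/proc/[0-9]*/status"):
        try:
            with open(path) as fh:
                found.append(parse_status(fh.read()))
        except (OSError, KeyError, ValueError):  # process exited or odd record
            continue
    return found


# Constructed samples: a root supervisor and a service that dropped privileges.
SUPERVISOR = "Name:\ts6-svscan\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\n"
APP = "Name:\tmedia-app\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"

if __name__ == "__main__":
    procs = scan_live() or [parse_status(SUPERVISOR), parse_status(APP)]
    for p in procs:
        print(f'{p["name"]:<16} euid={p["euid"]:<6} caps={cap_count(p)}')
    print("still privileged:", privileged(procs))
```

A service listed with a non-zero euid and an empty capability set has dropped privileges; any process that remains in the `privileged` list is what `--user` or `--cap-drop` would affect.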

@aptalca
Member

aptalca commented Sep 2, 2023

We've had this discussion plenty of times on various platforms. No desire to argue about vague blanket statements like "rootful container is a bad security practice", etc.

Feel free to go through the source and if you find any actual vulnerabilities, you can let us know: https://github.com/linuxserver/.github/blob/main/SECURITY.md

@chetan-reddy

The s6-overlay README says:
"As of version 3.2.0.0, s6-overlay has limited support for running as a user other than root:"
It seems to imply that for single application containers like this plex container, s6-overlay should be able to do its job even with the USER directive (or docker run --user).
3.2.0.0 was tagged 3 months ago, well after this ticket was closed, so I thought I'd ask if this new information changes your stance on OP's request?

@thespad
Member

thespad commented Sep 5, 2024

It does not. We aren't using 3.2 and likely won't look at it until at least the first point release.

After that point we may look at non-root operation but it would require a number of changes to individual containers and not all are going to be viable even in a best-case scenario.

@chetan-reddy

OK. If/when you need any testers for the plex container with version 3.2 of s6-overlay, I'm more than happy to volunteer.
