As an Infra DevOps Lead, I'm often reviewing Dockerfiles that are unnecessarily complex because of the USER directive and the file-permission workarounds it drags in. They are a never-ending source of bugs and permission issues.
When I try to simplify them, the "security savvy" might claim that by not dropping privileges I am failing to follow the Principle of Least Privilege or Separation of Duties, and that I am introducing the security risk of a container breakout.
My thinking is that a Linux container should actually contain the process, the way a BSD jail does.
When I voiced my opinion on Reddit about USER best practice, I was downvoted, and now my post sits at 4 points.
On Twitter the conversation went in my favour:
I’m of the opinion that running root is fine. If you’re concerned about this type of escape then you should be running a microvm based approach, not assuming that non-root will help.— Darren Shepherd (@ibuildthecloud) March 22, 2023
The conversation raised these points:
- privileged != root; do not confuse the two
- if you are concerned about container breakout, a Linux microVM is what you should use
- if you are worried about root containers, do you operationally block them?
- if you are worried about root containers, do you operationally run them as a different UID?
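The last two points are about enforcing the policy at the platform layer instead of in every Dockerfile. As an added example (not from the original post or from anyone quoted in it), this is how a Kubernetes cluster can both block root containers and force a non-root UID at runtime, regardless of what the image's Dockerfile says. The namespace name, image reference and UID/GID values are constructed for illustration; the field names are standard Kubernetes Pod Security Admission and securityContext fields.

```yaml
# Constructed example: platform-level enforcement of the "no root containers" rule.
# Nothing here requires a USER line in the image's Dockerfile.

# 1. Namespace-level policy (Pod Security Admission, built into Kubernetes).
#    The "restricted" profile rejects pods that run as root, request privileged
#    mode, allow privilege escalation, or keep Linux capabilities.
apiVersion: v1
kind: Namespace
metadata:
  name: example-apps            # assumed namespace name
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
---
# 2. Workload-level override of the UID. runAsUser replaces whatever USER (or
#    lack of one) the image was built with; the kubelet starts the process as
#    this UID. runAsNonRoot makes the kubelet refuse to start a container whose
#    effective UID would be 0, so an image that still runs as root fails fast
#    instead of silently running as root.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app
  namespace: example-apps
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-app
  template:
    metadata:
      labels:
        app: example-app
    spec:
      securityContext:
        runAsNonRoot: true        # operationally block root containers
        runAsUser: 10001          # constructed UID; overrides the image USER
        runAsGroup: 10001         # constructed GID
        fsGroup: 10001            # makes mounted volumes writable by that GID
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: app
          image: registry.example.invalid/example-app:1.0.0   # assumed image
          securityContext:
            privileged: false               # "privileged != root": this is the
            allowPrivilegeEscalation: false # dangerous flag, not UID 0 itself
            capabilities:
              drop: ["ALL"]
```

With this in place, the UID decision lives in one place that the platform team controls, and a Dockerfile without a USER line still ends up running as 10001. The one caveat worth knowing: runAsNonRoot on its own cannot verify a non-numeric USER in the image (for example `USER app`), so pairing it with an explicit runAsUser, as above, avoids a confusing "container has runAsNonRoot and image has non-numeric user" start-up failure.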
To conclude, we shouldn't be pushing security theatre onto application developers. The underlying system should be secure, like BSD!
Adding USER to your Dockerfile is not worth the trade-off.