Feature request: Option for uid about dnscrypt-proxy-docker HOT 7 CLOSED

Seems to be standard in debian and alpine, which is probably enough for now.

$ docker run --rm alpine id nobody
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)

$ docker run --rm debian id nobody
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)

I like this plan. I'll make the change over the weekend and likely push it to my other images as well. Thanks for the ideas!

from dnscrypt-proxy-docker.

I'm with you on that request, and glad you're enjoying the container!

All images I've seen with that functionality run a custom bash script on startup to create the user, set the id and permissions, etc. I assume you need this for permission mapping from the host to the container volume?

However, this image was intentionally designed without a user shell or any busybox binaries that would allow running scripts. From a security perspective, this keeps the image small and reduces the attack surface significantly. In fact, you can't even exec into the container because /bin/sh doesn't exist.

What I CAN do, is add 2 build arguments (--build-arg PUID=1001 --build-arg PGID=1001) to the Dockerfile allow specifying a custom uid and gid when building the image locally. This way you can check out the source Dockerfile and build it with whichever id you need. Would that be of any interest to you?

from dnscrypt-proxy-docker.

My apologies, I incorrectly assumed setting the USER with an environment variable in docker-compose was possible. I have no opposition to build arguments but I probably won't use them.

I was looking into how linuxserver.io does it and, yeah, they really layer their images to get that functionality. Here's their alpine image. It might be possible to use this image and install go as a base image but I understand if that's not what you'd consider light weight.

Another option would to leave UID as root and expect users to configure option user_name in the dnscrypt-proxy.toml to drop permissions.

from dnscrypt-proxy-docker.

Another option is to use UID/GID 65534 (nobody/nogroup) instead of 1001.

from dnscrypt-proxy-docker.

Yeah, I looked at linuxserver.io for examples too. I use their images regularly for other projects, but I'm trying to build images from scratch as must as possible, especially where DNS is concerned. More of a personal goal as much as it is about security.

I could change the image to run as root, but that again reduces security.
Also I think the user has to exist in the /etc/passwd file before the daemon can switch to the user.

I do like the idea of using 65534 for the uid and gid. I think I tested that briefly and could switch to it in a future release. Do you know if that is standard for most distributions?

from dnscrypt-proxy-docker.

Agreed. Just throwing ideas out there. Leaving it as root and expecting the user to set user_name fallback isn't best practice.

65534 is commonly nobody but on Arch it appears to be 99. Here's some history on nobody. I think it would be preferred over 1001 or any UID that could conflict with a host user.

from dnscrypt-proxy-docker.

Can we close this issue?

from dnscrypt-proxy-docker.