Comments (7)
Seems to be standard in debian and alpine, which is probably enough for now.
$ docker run --rm alpine id nobody
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
$ docker run --rm debian id nobody
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
I like this plan. I'll make the change over the weekend and likely push it to my other images as well. Thanks for the ideas!
from dnscrypt-proxy-docker.
I'm with you on that request, and glad you're enjoying the container!
All images I've seen with that functionality run a custom bash script on startup to create the user, set the id and permissions, etc. I assume you need this for permission mapping from the host to the container volume?
However, this image was intentionally designed without a user shell or any busybox binaries that would allow running scripts. From a security perspective, this keeps the image small and reduces the attack surface significantly. In fact, you can't even exec into the container because /bin/sh doesn't exist.
What I CAN do is add 2 build arguments (--build-arg PUID=1001 --build-arg PGID=1001) to the Dockerfile to allow specifying a custom uid and gid when building the image locally. This way you can check out the source Dockerfile and build it with whichever id you need. Would that be of any interest to you?
from dnscrypt-proxy-docker.
My apologies, I incorrectly assumed setting the USER with an environment variable in docker-compose was possible. I have no opposition to build arguments but I probably won't use them.
I was looking into how linuxserver.io does it and, yeah, they really layer their images to get that functionality. Here's their alpine image. It might be possible to use this image and install go as a base image but I understand if that's not what you'd consider lightweight.
Another option would be to leave UID as root and expect users to configure option user_name in the dnscrypt-proxy.toml to drop permissions.
from dnscrypt-proxy-docker.
Another option is to use UID/GID 65534 (nobody/nogroup) instead of 1001.
from dnscrypt-proxy-docker.
Yeah, I looked at linuxserver.io for examples too. I use their images regularly for other projects, but I'm trying to build images from scratch as much as possible, especially where DNS is concerned. More of a personal goal as much as it is about security.
I could change the image to run as root, but that again reduces security.
Also I think the user has to exist in the /etc/passwd file before the daemon can switch to the user.
I do like the idea of using 65534 for the uid and gid. I think I tested that briefly and could switch to it in a future release. Do you know if that is standard for most distributions?
from dnscrypt-proxy-docker.
Agreed. Just throwing ideas out there. Leaving it as root and expecting the user to set user_name fallback isn't best practice.
65534 is commonly nobody but on Arch it appears to be 99. Here's some history on nobody. I think it would be preferred over 1001 or any UID that could conflict with a host user.
from dnscrypt-proxy-docker.
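The UID choice discussed in the comments above, worked through as an added example that is not part of the thread or the project's code: it writes the minimal /etc/passwd and /etc/group a shell-less image needs for a user name to resolve, and checks which host account a container UID lands on when a volume is bind-mounted without user-namespace remapping. The function names and both host passwd samples are constructed; the second sample places nobody at 99 only to mirror the case the comment mentions.

```shell
#!/bin/sh
# Added example, not from the thread; function names and sample data are constructed.

# uid_owner PASSWD_FILE UID: print the account that owns UID (empty if none).
uid_owner() {
    awk -F: -v uid="$2" '$3 == uid { print $1; exit }' "$1"
}

# classify_uid HOST_PASSWD UID: how files owned by UID appear on that host.
classify_uid() {
    owner=$(uid_owner "$1" "$2")
    case "$owner" in
        "")     echo "unmapped" ;;
        nobody) echo "nobody" ;;
        *)      echo "collision:$owner" ;;
    esac
}

# write_accounts ROOTFS NAME PUID PGID: create the minimal /etc/passwd and
# /etc/group under ROOTFS so NAME resolves inside a shell-less image.
# Rejects non-numeric ids and uid 0 (root).
write_accounts() {
    case "$3$4" in ""|*[!0-9]*) return 1 ;; esac
    [ -n "$3" ] && [ -n "$4" ] && [ "$3" -ne 0 ] || return 1
    mkdir -p "$1/etc" || return 1
    printf '%s:x:%s:%s:%s:/:/sbin/nologin\n' "$2" "$3" "$4" "$2" > "$1/etc/passwd"
    printf '%s:x:%s:\n' "$2" "$4" > "$1/etc/group"
}

# Constructed host passwd samples (not taken from real machines).
WORK=$(mktemp -d)
cat > "$WORK/host_a" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup-svc:x:1001:1001::/home/backup-svc:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
cat > "$WORK/host_b" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:nobody:/:/usr/bin/nologin
bob:x:1000:1000:Bob:/home/bob:/bin/bash
EOF

write_accounts "$WORK/rootfs" nobody 65534 65534
for host in host_a host_b; do
    for uid in 1001 65534; do
        printf '%s uid=%s -> %s\n' "$host" "$uid" "$(classify_uid "$WORK/$host" "$uid")"
    done
done
```

On a real host, pass /etc/passwd as the first argument to classify_uid; an "unmapped" result means files on the volume show up with a bare numeric owner rather than a named account.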
Can we close this issue?
from dnscrypt-proxy-docker.