-
-
Notifications
You must be signed in to change notification settings - Fork 767
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Run container as an unprivileged user #679
Comments
Hi, @damienfern I'm also interested in this question! For now I'm using the following edits to run FrankenPHP as the built-in user frankenphp/docker-entrypoint.sh@@ -53,8 +53,9 @@
fi
fi
- setfacl -R -m u:www-data:rwX -m u:"$(whoami)":rwX var
- setfacl -dR -m u:www-data:rwX -m u:"$(whoami)":rwX var
+ chgrp -R www-data var /data /config
+ setfacl -R -m u:www-data:rwX -m u:"$(whoami)":rwX var /data /config
+ setfacl -dR -m u:www-data:rwX -m u:"$(whoami)":rwX var /data /config
fi
-exec docker-php-entrypoint "$@"
+su -c "docker-php-entrypoint $*" -s '/bin/sh' 'www-data' With this edit the container still runs as I'm not sure if this is the correct way, but in my case it works so far. I would also be glad if this template contained information about a more correct way to run the container not as an privileged user. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
Thx for this template, very useful ! 🙏
Many resources suggest using an unprivileged user in container in order to prevent privilege escalation attacks(e.g. OWASP https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-2-set-a-user or Docker docs https://docs.docker.com/build/building/best-practices/#user).
It seems it's not the case on this template with FrankenPHP and based on its doc, FrankenPHP can be used with an unprivileged user. Is it on purpose, or is it a feature that can be added to this template ?
The text was updated successfully, but these errors were encountered: