However, I can't identify anything in my personal activity that consumed that space. Curiously, restarting the computer will enable me to recover gigabytes of space (this past time, it was able to recover about 2.2GB). If you want to be in line with security best practices, you would then have to go back and revoke the user's excess permissions, and that would just be awful and error prone.Every few days I get notices on my MacBook that it's running or run out of hard drive space. This means that you should avoid creating or copying in any files, or installing any packages as that user too, since they would have complete control over any resources they create by default. That way, if there is a malicious process in your container, its behavior will be as restricted as possible. The general idea is that the user that runs the container should have an absolute minimum of permissions (most of the time the user doesn't need read, write, and execute access to a file). This will ensure that your application runs as a non-root user, and that user will only have access to what you explicitly gave it access to in previous steps. Immediately before your ENTRYPOINT or CMD directive, you then add a USER directive to switch to the newly created user. This is done through the use of chmod and chown commands. Then, explicitly create a user and grant that user the minimum level of access that they need to run the application. What you want to do is run all your installation and file download/copy steps as root (a lot of things need to be installed as root, and in general it's just a better practice for the reasons I outline below). This also makes it easier for a process to break out of the container and gain privileges on the host since there are no safeguards within the container itself. The general point is that if there is a malicious process in your container, it can do whatever it wants in the container, from installing packages, uploading data, hijacking resources, you name it, it can do it. Here is a really good article that goes in depth on the difference between the two, and this issue in general: While it's true that there is a difference between having root access to a container and root access on the host, root access on a container is still very powerful. While other people have pointed out that you shouldn't run images as root, there isn't much information here, or in the docs about why that is. Now we have a lot smaller attack surface. The user also becomes owner of /var/log/$SERVICE_NAME, assuming it will write to some files there. RUN addgroup -gid 1001 -S $SERVICE_NAME
0 Comments
Leave a Reply. |