You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This repository recommends making /etc/passwd group writable so that the uid_entrypoint script can add a user. At the very least, the uid_entrypoint script should end by removing the group write bit on the file, otherwise it could be written again to allow privilege escalation with su.
However, creating an image with a writeable /etc/passwd and relying on the entrypoint script to secure it means that any user who overrides the entrypoint in a container would lose that protection. Users do not generally expect that overriding an entrypoint will leave their container less secure. Therefore, while I believe this would be an improvement over the status quo, it is still flawed.
In general I am concerned that running as GID 0 may create similar unexpected vulnerabilities in cases where authors of other files on the system may have left them group-writable under GID 0 while not expecting a non-root user to be running with GID 0.
The text was updated successfully, but these errors were encountered:
This repository recommends making /etc/passwd group writable so that the uid_entrypoint script can add a user. At the very least, the uid_entrypoint script should end by removing the group write bit on the file, otherwise it could be written again to allow privilege escalation with su.
However, creating an image with a writeable /etc/passwd and relying on the entrypoint script to secure it means that any user who overrides the entrypoint in a container would lose that protection. Users do not generally expect that overriding an entrypoint will leave their container less secure. Therefore, while I believe this would be an improvement over the status quo, it is still flawed.
In general I am concerned that running as GID 0 may create similar unexpected vulnerabilities in cases where authors of other files on the system may have left them group-writable under GID 0 while not expecting a non-root user to be running with GID 0.
The text was updated successfully, but these errors were encountered: