this post was submitted on 10 Nov 2023

25 points (96.3% liked)

Selfhosted

39484 readers

429 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago

MODERATORS

[email protected]

Does running applications inside a container as an unprivileged user have any security benefits? (feddit.de)

submitted 11 months ago by [email protected] to c/[email protected]

9 comments fedilink hide all child comments

I'm new to the container world. Does it have any security benefits when I run my applications as a non-root user in a docker container? And how about Podman? There I'll run the container as an unprivileged user anyway. Would changing the user in the container achieve anything?

all 12 comments

sorted by: hot top controversial new old

[–] [email protected] 22 points 11 months ago

tl;dr, yes, it does.

Containers are nothing like VMs, and containers in Linux are basically a combination of a feature called Cgroups, which allows to restrict the resources (like memory, etc.) available to a process or group of processes, and namespaces. Namespaces are a construct in which certain namespaced resources are separated from each other, and processes can only see those belonging to their namespace. A simple example is a mount namespace. When you launch a container, you see a / directory which is not the root directory of your system.

Now, the problem is, that not all the resources are namespaced, so there is still quite a lot that processes within containers can do interacting with the main system resources, especially if they are root.

A root process within a container generally can do lots of things that the actual root process can do outside of it. For example, mounting parts of the filesystem (if you run with --privileged), loading kernel modules, etc. Podman can run rootless, in the sense that it uses also User namespaces, meaning a user 0 (root) inside a container is actually mapped to something else outside, but also docker nowadays can do the same.

So yeah, in general, running the applications with the less amount of privileges is a good idea and you should do it whenever you can. Even if you do need some privileges, you should add only the Capabilities needed, not just go straight to root.

[–] [email protected] 4 points 11 months ago* (last edited 11 months ago) (1 children)

It means that if someone breaks out of your container, they can only do things that user can do.

Can that user access your private documents (are these documents in a container that also runs under that user)?

Can that user sudo?

Can that user access SSH keys and jump to other computers?

Generally speaking, the answer to all of these should be "no", meaning that each group of containers (or risk levels etc) get their own account.

[–] [email protected] 2 points 10 months ago

Process UIDs do the exact same thing.

[–] [email protected] 2 points 11 months ago (1 children)

Imagine your containers as very lightweight mini-VMs. Would you run everything as root in your virtual machines? Containers aren't really that different to classical VMs from an operations point of view. You have a different attack surface, but it is still there, and running as a non-root user inside the container reduces this attack surface, and should IMHO be the default. Privileged containers and users may be required for specific purposes, but should not be the norm, if possible.

[–] [email protected] 2 points 10 months ago

I have seen this post and decided to respond via a separate blog post. https://loudwhisper.me/blog/containers-isolation/

The short answer is that yes, they do. And yes lowering the privileges of the user helps in avoiding container escapes, which basically makes the other advantages for containers valid. You can, however, achieve the same using (relatively obscure, imho) systemd settings, running with flatpak etc. Namespaces + Cgroups + Seccomp + Capabilities = better security. Containers make it easy to use all of the above.

[+] [email protected] 1 points 11 months ago* (last edited 8 months ago) (1 children)

[deleted]

[–] [email protected] 10 points 11 months ago (1 children)

Not really true, containers are based on namespaces which have always been also a security feature. Chroot has been a common "system" technique, afterall.

Containers help security if built properly, and it's easier to build a container securely (and run them), compared to proper SystemD unit security.

[+] [email protected] -7 points 10 months ago* (last edited 8 months ago) (2 children)

[deleted]

[–] [email protected] 4 points 10 months ago* (last edited 10 months ago)

OK :)

So chroot has not been used to isolate processes for decades to a confined view of the filesystem (especially in combo with a restricted shell), and for example the networking namespace is not used to limit the impact on a compromise on the firewall, the user namespace is not used to allow privileged processes to run de-facto unprivileged.

Whatever you say

EDIT: Actually, if you are really convinced of what you are saying we can do the following experiment:

We spin up a VPS and run a web application with a RCE with a Systemd unit and run the same web app in a scratch container running under an unprivileged user

Then we can compare the kind of impact that using containers to wrap applications has on the security of the system. My guess, even with a full RCE you will not be able to escape the container.

Half-jokes aside, my stance is that isolation (namespacing and cgroups) allows to greatly reduce the attack surface and contain the blast radius of a compromise, which are security benefits. You can easily have a container with no shell, no binaries at all, no writable paths, read-only filesystem etc. You can do at least some of those things even in a regular Linux box of course, but it is much more uncommon, much harder, much less convenient (for example, no writeable /tmp is going to break a lot of stuff), much more error prone, etc.

Your stance i.e.:

running things inside of a container does not provide any security benefits as opposed to outside of the container

is way too absolute, imo.

[–] [email protected] 1 points 10 months ago

[citation needed]