container-rhel-examples's Issues
update ose 3.5 repo references to 3.6
write code to simplify starter-arbitrary-uid?
starter-arbitrary-uid build/run
reference putpwent function from uid hook work?
https://github.com/tchughesiv/oci-uid-hook/blob/master/src/uidhook.c#L319
error for OpenShift deployments
container_linux.go:247: starting container process caused "exec: \"uid_entrypoint\": executable file not found in $PATH"
should $HOME equal $APP_ROOT
test w/ arb-uid template... maybe replace APP_ROOT w/ HOME?
remove help file references... no longer necessary for certification
add CentOS registry links to image readmes
https://github.com/CentOS/container-index/blob/master/index.d/container-examples.yml
e.g.
$ docker pull registry.centos.org/container-examples/starter-arbitrary-uid
Making /etc/passwd group writable allows privilege escalation
This repository recommends making /etc/passwd group writable so that the uid_entrypoint script can add a user. At the very least, the uid_entrypoint script should end by removing the group write bit on the file, otherwise it could be written again to allow privilege escalation with su.
However, creating an image with a writeable /etc/passwd and relying on the entrypoint script to secure it means that any user who overrides the entrypoint in a container would lose that protection. Users do not generally expect that overriding an entrypoint will leave their container less secure. Therefore, while I believe this would be an improvement over the status quo, it is still flawed.
In general I am concerned that running as GID 0 may create similar unexpected vulnerabilities in cases where authors of other files on the system may have left them group-writable under GID 0 while not expecting a non-root user to be running with GID 0.
Using nsswrapper is no longer the recommended method.
Using nsswrapper is no longer the recommended method. The preferred suggestion now is to make /etc/passwd and /etc/group writable and add entries from the ENTRYPOINT script.
See section 'Support Arbitrary User IDs' in:
For an actual example, which also includes updating /etc/group, which sometimes is also necessary but docs don't mention, see:
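The entrypoint pattern from the two issues above (append the passwd and group entries for the arbitrary UID, then revoke the group-write bit so a later shell or an overridden entrypoint cannot rewrite the files), as an added example that is not the repository's own uid_entrypoint script. The function names, the file-path parameters (so it can be run against temporary copies) and the GID 0 audit helper are assumptions made here.

```shell
#!/bin/sh
# Added example, not the repository's uid_entrypoint. Function names, the
# file-path parameters and the audit helper are assumptions made here so the
# logic can be exercised against temporary copies instead of /etc/passwd.

# add_uid_entry PASSWD_FILE GROUP_FILE UID GID NAME HOME
# Appends a passwd (and, if missing, group) entry for an arbitrary UID, then
# revokes the group-write bit so nothing later in the container's life can
# rewrite the account database (the su path raised in the issue above).
add_uid_entry() {
  passwd_file=$1 group_file=$2 uid=$3 gid=$4 name=$5 home=$6
  [ -w "$passwd_file" ] && [ -w "$group_file" ] || return 1
  # Skip if the UID is already known; a second line would only confuse audits.
  if ! grep -q "^[^:]*:[^:]*:$uid:" "$passwd_file"; then
    echo "$name:x:$uid:$gid:$name user:$home:/sbin/nologin" >> "$passwd_file"
  fi
  # /etc/group is often forgotten, but some tools resolve the GID as well.
  if ! grep -q "^[^:]*:[^:]*:$gid:" "$group_file"; then
    echo "$name:x:$gid:" >> "$group_file"
  fi
  chmod g-w "$passwd_file" "$group_file"
}

# is_group_writable FILE: succeeds when the group-write bit is set.
is_group_writable() {
  [ "$(ls -ld "$1" | cut -c6)" = "w" ]
}

# audit_gid0_writable ROOT: list regular files with group 0 that are
# group-writable. Each one is writable by any process running with GID 0,
# which is the wider concern raised in the issue above.
audit_gid0_writable() {
  find "$1" -xdev -type f -group 0 -perm -g+w 2>/dev/null
}

# uid_entrypoint CMD...: what an image's ENTRYPOINT would call. Only acts when
# the current UID has no passwd entry (whoami fails), then execs CMD.
uid_entrypoint() {
  if ! whoami >/dev/null 2>&1; then
    add_uid_entry /etc/passwd /etc/group "$(id -u)" 0 \
      "${USER_NAME:-default}" "${HOME:-/}" ||
      echo "warning: could not add passwd entry for uid $(id -u)" >&2
  fi
  exec "$@"
}
# In an image, end the script with:  uid_entrypoint "$@"
```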
starter-apb stale
@jcpowermac do we update it? or remove and point folks at apb-examples if Q's arise? idk, might be nice to have a starter image that's more of a template... but it's just changing so rapidly.