
container user 10001 is group root.  #662

Closed
@0x6f677548

Description

(originally reported at open-telemetry/opentelemetry-collector-contrib#35179)

All distributions are running the container as user 10001, but no group was assigned, meaning that this user will be assigned the root group.

Actual config:

```dockerfile
ARG USER_UID=10001
USER ${USER_UID}:${USER_GID}
```

My suggestion of fix:

```dockerfile
ARG USER_UID=10001
ARG USER_GID=10001
USER ${USER_UID}:${USER_GID}
```

As pointed out by @rogercoll, based on the Dockerfile documentation:

> When the user doesn't have a primary group then the image (or the next instructions) will be run with the root group.

Security best practices:

> Consider an explicit UID/GID.
> Users and groups in an image are assigned a non-deterministic UID/GID in that the "next" UID/GID is assigned regardless of image rebuilds. So, if it's critical, you should assign an explicit UID/GID.

This can be reproduced by running `id` in a modified image:

```text
~ $ id
uid=10001 gid=0 groups=0
```

Modified Docker image to include a shell and `id`:

```dockerfile
FROM alpine:latest AS builder

# Install a statically linked shell and the coreutils "id" binary
RUN apk add --no-cache busybox-static
RUN apk add --no-cache coreutils acl attr

FROM otel/opentelemetry-collector-contrib:latest AS prep

FROM scratch

# Copy the shell executable from the builder stage
COPY --from=builder /bin/busybox.static /bin/sh
# Copy id binary from the builder stage
COPY --from=builder /usr/bin/id /bin/id

# Copy the shared libraries the dynamically linked id binary needs
COPY --from=builder /lib/ld-musl-x86_64.so.1 /lib/ld-musl-x86_64.so.1
COPY --from=builder /lib/libc.musl-x86_64.so.1 /lib/libc.musl-x86_64.so.1
COPY --from=builder /lib/libcrypto.so.3 /lib/
COPY --from=builder /lib/libacl.so.1 /lib/
COPY --from=builder /lib/libattr.so.1 /lib/
COPY --from=builder /lib/libutmps.so.0.1 /lib/
COPY --from=builder /lib/libskarnet.so.2.14 /lib/

# Take the CA bundle and the collector binary from the upstream image
COPY --from=prep /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=prep otelcol-contrib /otelcol-contrib

# UID only, no group: this is what produces the "gid=0" shown above
ARG USER_UID=10001
USER ${USER_UID}

# copy the config file to the /etc folder
COPY otel_collector.config.yaml /etc/otel_collector.config.yaml

EXPOSE 4317 55680 55679
ENTRYPOINT ["/otelcol-contrib"]
CMD ["--config", "/etc/otel_collector.config.yaml"]
```

Let me know if I can help somehow.
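A small lint check for the problem described in this issue, added here as an example and not part of the report or of the collector project. It scans a Dockerfile for `USER` instructions, resolves `${VAR}` references against the `ARG`/`ENV` defaults seen so far, and flags a `USER` that either references an undefined variable (the "actual config" case, where `${USER_GID}` expands to nothing) or names no group at all (the modified image above). The three embedded Dockerfile snippets are the ones from this issue; the function names and the simplified variable resolution are this example's own assumptions, not Docker's parser.

```python
import re

# Dockerfile instruction patterns (instruction names are case-insensitive).
USER_RE = re.compile(r'^USER\s+(\S+)', re.IGNORECASE)
DECL_RE = re.compile(
    r'^(?:ARG|ENV)\s+([A-Za-z_][A-Za-z0-9_]*)(?:=(\S*)|\s+(\S+))?', re.IGNORECASE)
VAR_RE = re.compile(r'\$\{([A-Za-z_][A-Za-z0-9_]*)\}|\$([A-Za-z_][A-Za-z0-9_]*)')


def expand(value, variables):
    """Substitute $VAR / ${VAR} using the collected ARG/ENV defaults.

    Returns (expanded_string, names_without_a_value). A variable that was
    never declared, or declared without a default, expands to '' just as
    `docker build` does when no --build-arg supplies it.
    """
    missing = []

    def repl(match):
        name = match.group(1) or match.group(2)
        val = variables.get(name)
        if val is None:
            missing.append(name)
            return ''
        return val

    return VAR_RE.sub(repl, value), missing


def check_user_directive(dockerfile_text):
    """Return [(line_number, message)] for USER instructions that end up with gid 0.

    Deliberate simplifications (a lint heuristic, not a full Dockerfile parser):
    - line continuations and ${VAR:-default} forms are not handled;
    - ARG/ENV scoping across FROM stages is ignored (last declaration wins);
    - values passed with --build-arg at build time are unknown here.
    """
    variables = {}
    findings = []
    for lineno, raw in enumerate(dockerfile_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        decl = DECL_RE.match(line)
        if decl:
            name, eq_value, sp_value = decl.groups()
            # "ARG NAME" with no default stays None (unset) until --build-arg provides it.
            variables[name] = eq_value if eq_value is not None else sp_value
            continue
        user = USER_RE.match(line)
        if not user:
            continue
        spec, missing = expand(user.group(1), variables)
        uid, sep, gid = spec.partition(':')
        if missing:
            findings.append((lineno, 'USER references undefined variable(s): '
                             + ', '.join(missing)))
        if not sep or not gid:
            findings.append((lineno, f'USER {uid!r} sets no group; with no /etc/passwd '
                             'entry for that user (e.g. FROM scratch) the process runs '
                             'with gid 0, the root group'))
    return findings


# Constructed inputs: the three USER configurations quoted in this issue.
ACTUAL_DOCKERFILE = "ARG USER_UID=10001\nUSER ${USER_UID}:${USER_GID}\n"
FIXED_DOCKERFILE = "ARG USER_UID=10001\nARG USER_GID=10001\nUSER ${USER_UID}:${USER_GID}\n"
MODIFIED_DOCKERFILE = "ARG USER_UID=10001\nUSER ${USER_UID}\n"

if __name__ == '__main__':
    for label, text in [('actual', ACTUAL_DOCKERFILE),
                        ('fixed', FIXED_DOCKERFILE),
                        ('modified', MODIFIED_DOCKERFILE)]:
        print(label, check_user_directive(text) or 'OK')
```

Running the script reports two findings for the "actual" snippet (undefined `USER_GID`, and therefore an empty group), one for the modified image (no group given), and none for the suggested fix. A static check like this catches the mistake before the image is built; the `id` trick shown in the issue remains the way to confirm what a built image actually runs as.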
