Comments (6)
fwiw here's a snippet from a hardening script i use for $dayjob
containers:
sysdirs="
/bin
/etc
/lib
/sbin
/usr
"
# Remove world-writable permissions.
# This breaks apps that need to write to /tmp,
# such as ssh-agent.
find / -xdev -type d -perm +0002 -exec chmod o-w {} +
find / -xdev -type f -perm +0002 -exec chmod o-w {} +
# Ensure system dirs are owned by root and not writable by anybody else.
find $sysdirs -xdev -type d \
    -exec chown root:root {} \; \
    -exec chmod 0755 {} \;
from docker-alpine.
That's perfect, I'll throw that into our base image scripts, thanks!
from docker-alpine.
Those files are all symlinks to /bin/busybox, which is only writable by root. The permissions on symlinks are always set to 0777 and ignored according to the symlink man page:
On Linux, the permissions of a symbolic link are not used in any
operations; the permissions are always 0777 (read, write, and execute
for all user categories), and can't be changed.
I don't see any non-symlink files in those directories that are world-writable, so it should all be secure without needing to change any permissions.
from docker-alpine.
Those files are all symlinks to /bin/busybox, which is only writable by root. The permissions on symlinks are always set to 0777 and ignored
correct.
I'll throw that into our base image scripts, thanks!
let me post a more-complete script in case it helps anybody.
critique is welcome.
it shows that we...
- install packages
- harden
sample dockerfile:
FROM alpine:3.2
RUN echo "http://dl-4.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories
RUN apk add --update \
        exim \
    && \
    rm -f /var/cache/apk/*
VOLUME ["/var/log/exim"]
COPY . /
RUN /usr/sbin/harden.sh
USER mail
# http://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_exim_command_line.html
ENTRYPOINT ["exim"]
CMD ["-bd", "-v", "-oP", "/dev/null", "-C", "/etc/mail/local.conf"]
harden.sh
#!/bin/sh
set -x
set -e
#
# Docker build calls this script to harden the image during build.
#
# NOTE: To build on CircleCI, you must take care to keep the `find`
# command out of the /proc filesystem to avoid errors like:
#
# find: /proc/tty/driver: Permission denied
# lxc-start: The container failed to start.
# lxc-start: Additional information can be obtained by \
# setting the --logfile and --logpriority options.
# Remove existing crontabs, if any.
rm -fr /var/spool/cron
rm -fr /etc/crontabs
rm -fr /etc/periodic
# Remove all but a handful of admin commands.
find /sbin /usr/sbin ! -type d \
    -a ! -name exim \
    -a ! -name nologin \
    -delete
# Remove world-writable permissions.
# This breaks apps that need to write to /tmp,
# such as ssh-agent.
find / -xdev -type d -perm +0002 -exec chmod o-w {} +
find / -xdev -type f -perm +0002 -exec chmod o-w {} +
# Remove unnecessary user accounts, including root.
sed -i -r '/^(mail)/!d' /etc/group
sed -i -r '/^(mail)/!d' /etc/passwd
# Remove interactive login shell for everybody but user.
sed -i -r 's#^(.*):[^:]*$#\1:/sbin/nologin#' /etc/passwd
sysdirs="
/bin
/etc
/lib
/sbin
/usr
"
# Remove apk configs.
find $sysdirs -xdev -regex '.*apk.*' -exec rm -fr {} +
# Remove crufty...
# /etc/shadow-
# /etc/passwd-
# /etc/group-
find $sysdirs -xdev -type f -regex '.*-$' -exec rm -f {} +
# Ensure system dirs are owned by root and not writable by anybody else.
find $sysdirs -xdev -type d \
    -exec chown root:root {} \; \
    -exec chmod 0755 {} \;
# Remove suid bit from exim.
chmod u-s /usr/sbin/exim
# Remove all suid files.
find $sysdirs -xdev -type f -a -perm +4000 -delete
# Remove other programs that could be dangerous.
find $sysdirs -xdev \( \
    -name hexdump -o \
    -name chgrp -o \
    -name chmod -o \
    -name chown -o \
    -name ln -o \
    -name od -o \
    -name strings -o \
    -name su \
    \) -delete
# Remove init scripts since we do not use them.
rm -fr /etc/init.d
rm -fr /lib/rc
rm -fr /etc/conf.d
rm -fr /etc/inittab
rm -fr /etc/runlevels
rm -fr /etc/rc.conf
# Remove kernel tunables since we do not need them.
rm -fr /etc/sysctl*
rm -fr /etc/modprobe.d
rm -fr /etc/modules
rm -fr /etc/mdev.conf
rm -fr /etc/acpi
# Remove root homedir since we do not need it.
rm -fr /root
# Remove fstab since we do not need it.
rm -f /etc/fstab
# Remove broken symlinks (because we removed the targets above).
find $sysdirs -xdev -type l -exec test ! -e {} \; -delete
from docker-alpine.
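A post-hardening audit that checks the properties harden.sh above is meant to establish (no world-writable files or directories, no suid/sgid binaries, no dangling busybox applet links, nologin shells, only the expected accounts), and which skips symlinks for the reason given in the earlier comment about their 0777 mode. This is an added example, not code from docker-alpine or from the posted script; the sample tree it audits is constructed inline and its layout and user list are assumptions.

```shell
#!/bin/sh
# Post-hardening audit (added example, not part of docker-alpine or harden.sh).
# Each check prints its number of findings for the image root in $1, so a build
# can run `audit_root / mail` after harden.sh and fail when anything is found.
# World-writable regular files and directories. Symlinks are deliberately
# excluded: their mode is always 0777 and ignored by the kernel.
count_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 -print | awk 'END { print NR }'
}
# setuid/setgid files left behind (harden.sh strips 4000 only, so sgid is checked too).
count_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | awk 'END { print NR }'
}
# Dangling symlinks, e.g. busybox applet links whose target was deleted.
count_broken_symlinks() {
    find "$1" -xdev -type l -exec test ! -e {} \; -print | awk 'END { print NR }'
}
# passwd entries whose login shell is still interactive.
count_login_shells() {
    awk -F: '$7 !~ /(nologin|false)$/ { n++ } END { print n + 0 }' "$1/etc/passwd"
}
# passwd entries other than the space-separated allow-list in $2 (e.g. "mail").
count_unexpected_users() {
    awk -F: -v allowed="$2" 'BEGIN { k = split(allowed, a, " "); for (i = 1; i <= k; i++) ok[a[i]] = 1 }
        !($1 in ok) { n++ } END { print n + 0 }' "$1/etc/passwd"
}
# Run all checks on root $1 with allowed users $2; exit status 1 if anything was found.
audit_root() {
    total=0
    for check in count_world_writable count_suid_sgid count_broken_symlinks count_login_shells; do
        n=$($check "$1"); echo "$check: $n"; total=$((total + n))
    done
    n=$(count_unexpected_users "$1" "$2"); echo "count_unexpected_users: $n"; total=$((total + n))
    [ "$total" -eq 0 ]
}
# Constructed sample tree with one finding per check (assumed layout, not a real image).
make_sample_root() {
    umask 022; r=$(mktemp -d)
    mkdir -p "$r/etc" "$r/usr/sbin" "$r/tmp"
    printf 'root:x:0:0:root:/root:/bin/ash\nmail:x:8:12:mail:/var/mail:/sbin/nologin\n' > "$r/etc/passwd"
    touch "$r/usr/sbin/exim" && chmod 4755 "$r/usr/sbin/exim"  # suid bit still set
    chmod 1777 "$r/tmp"                                         # world-writable directory
    ln -s "$r/bin/busybox" "$r/usr/sbin/od"                     # applet link with deleted target
    echo "$r"
}
sample=$(make_sample_root)
audit_root "$sample" mail || echo "hardening gaps found under $sample"
rm -rf "$sample"
```

To audit a real build, run it as the last RUN step with `audit_root / mail` (or whatever account the image runs as) so the build fails instead of shipping a partially hardened image.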
The script you posted is actually kind of close to what we already do, but we don't do it out of hardening, we do it out of cleanliness, because sometimes we do debug our apps in the containers, so having a clean etc to ll to find stuff that matters means a lot to us.
from docker-alpine.
...to find stuff that matters means a lot to us.
/me nods
from docker-alpine.