Running containers as root is a bad idea for security. Attackers keep finding new ways of escaping out of the container, and an escape from a root container grants unfettered access to the host or Kubernetes node. The latest such bug is CVE-2022-0492 (see Palo Alto Networks' writeup), but we also had CVE-2022-0185 (see Aqua Security's writeup) earlier this year. It's a security nightmare, and you can read why in the next section. In the remainder of this article we show how to stop running containers as root, and what to do if you have specialized software that for some reason still needs some root-like capabilities. Very little software actually needs all of them.

What is the problem with running containers as root?

Containers are a way to package and run software. A running piece of software is called a process. Running a container as root means that the software packaged in the container is set to start as the root, or system administrator, user. This user is special on Linux systems because it has all the permissions needed to administer the system: the root user can read all files, install new software, open any network connection it wants… you name it. Software started by a user has the same permissions as the user that started it. So if a normal ("non-privileged") user starts a piece of software, that software is limited in what it can do; if it tries to read a file it does not explicitly have permission for, it fails. But if the root user starts the same software, the software has the root user's super powers, and inside a container that means a single bug in the kernel or runtime is all that stands between the process and the host.
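The rule the article argues for (never start a container as root, and give software that really needs root-like power individual capabilities rather than the whole root set) can be checked mechanically on Kubernetes Pod manifests. The following is an added example, not code from the original post or from any project it mentions. It audits a Pod spec given as a plain dict (what json.load of a manifest yields), applying the pod-level/container-level precedence Kubernetes uses for runAsUser and runAsNonRoot, and flags capabilities such as SYS_ADMIN that are root-equivalent for the purpose of container escape. The three sample specs, the container names and the user ID 10001 are constructed for this example.

```python
"""Audit Kubernetes Pod specs for containers that would run with root power.

Added example, not part of the original article. Input is a Pod manifest
(or a bare PodSpec) as a dict; the sample specs at the bottom are constructed.
"""
from __future__ import annotations

from typing import Any

# Capabilities that amount to root by another name: a process holding any of
# them can usually reach the host even with a non-zero UID. ALL is listed
# because `add: [ALL]` hands over the entire set.
DANGEROUS_CAPS = {
    "ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO",
    "DAC_READ_SEARCH", "DAC_OVERRIDE", "NET_ADMIN", "BPF",
}


def _norm_cap(cap: str) -> str:
    """Accept both 'SYS_ADMIN' (Kubernetes spelling) and 'CAP_SYS_ADMIN'."""
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(pod_spec: dict[str, Any], container: dict[str, Any]) -> list[str]:
    """Return one finding per way this container could end up with root power."""
    name = container.get("name", "<unnamed>")
    pod_sc = pod_spec.get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    # runAsUser / runAsNonRoot may be set at pod level; the container level wins.
    run_as_user = ctr_sc.get("runAsUser", pod_sc.get("runAsUser"))
    run_as_non_root = ctr_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
    findings: list[str] = []

    if ctr_sc.get("privileged"):
        findings.append(f"{name}: privileged=true, the process is host root in all but name")
    if run_as_user == 0:
        findings.append(f"{name}: runAsUser=0 starts the process as root")
    elif run_as_user is None and not run_as_non_root:
        findings.append(f"{name}: neither runAsUser nor runAsNonRoot set, so the image's "
                        "default user applies (root unless the Dockerfile says otherwise)")
    # Without allowPrivilegeEscalation=false a setuid binary (su, sudo, ...) in the
    # image can still hand the process root after it started as a normal user.
    if ctr_sc.get("allowPrivilegeEscalation", True):
        findings.append(f"{name}: allowPrivilegeEscalation not set to false")

    caps = ctr_sc.get("capabilities") or {}
    dropped = {_norm_cap(c) for c in caps.get("drop") or []}
    added = {_norm_cap(c) for c in caps.get("add") or []}
    if "ALL" not in dropped:
        findings.append(f"{name}: capabilities not dropped; the runtime default set still "
                        "applies (drop ALL and add back only what the software needs)")
    for cap in sorted(added & DANGEROUS_CAPS):
        findings.append(f"{name}: adds {cap}, which is root-equivalent for container escape")
    return findings


def audit_pod(manifest: dict[str, Any]) -> dict[str, list[str]]:
    """Map container name -> findings for a Pod manifest or a bare PodSpec."""
    spec = manifest.get("spec", manifest)
    return {c.get("name", "<unnamed>"): audit_container(spec, c)
            for c in spec.get("containers", [])}


# Constructed sample specs (hypothetical image names and UID).
ROOT_POD = {  # an unhardened manifest: everything left at its defaults
    "containers": [{"name": "web", "image": "example/web:1.0"}],
}
HARDENED_POD = {  # the shape the article recommends
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
    "containers": [{
        "name": "web", "image": "example/web:1.0",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
        },
    }],
}
SPECIALIZED_POD = {  # non-root, but adds back the capability escapes lean on
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
    "containers": [{
        "name": "agent", "image": "example/agent:1.0",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"], "add": ["CAP_SYS_ADMIN"]},
        },
    }],
}

if __name__ == "__main__":
    for label, pod in ("root", ROOT_POD), ("hardened", HARDENED_POD), ("specialized", SPECIALIZED_POD):
        for ctr, found in audit_pod(pod).items():
            print(f"[{label}] {ctr}: {'OK' if not found else ''}")
            for f in found:
                print("   -", f)
```

The hardened spec produces no findings; the unhardened one is flagged three times (default user, privilege escalation allowed, default capability set), and the "specialized" spec shows the point of the article's last paragraph: running as a normal user is not enough if the manifest then hands back SYS_ADMIN, so even a non-root container should get only the narrow capability its software actually needs.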