diff --git a/Dockerfile b/Dockerfile
index d583ebc..fe17563 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,7 +14,7 @@ RUN chmod +x /tmp/dependencies.sh && \
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
-COPY lua/ /opt/lua
+COPY lua/ /usr/local/lib/lua
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && \
diff --git a/Dockerfile-amd64 b/Dockerfile-amd64
index 55ab5c5..4f3eb3d 100644
--- a/Dockerfile-amd64
+++ b/Dockerfile-amd64
@@ -14,7 +14,7 @@ RUN chmod +x /tmp/dependencies.sh && \
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
-COPY lua/ /opt/lua
+COPY lua/ /usr/local/lib/lua
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && \
diff --git a/Dockerfile-arm32v7 b/Dockerfile-arm32v7
index 0e14f2e..8cc9c3b 100644
--- a/Dockerfile-arm32v7
+++ b/Dockerfile-arm32v7
@@ -21,7 +21,7 @@ RUN chmod +x /tmp/dependencies.sh && \
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
-COPY lua/ /opt/lua
+COPY lua/ /usr/local/lib/lua
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && \
diff --git a/Dockerfile-arm64v8 b/Dockerfile-arm64v8
index d85ea17..7f62f5a 100644
--- a/Dockerfile-arm64v8
+++ b/Dockerfile-arm64v8
@@ -21,7 +21,7 @@ RUN chmod +x /tmp/dependencies.sh && \
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
-COPY lua/ /opt/lua
+COPY lua/ /usr/local/lib/lua
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && \
diff --git a/Dockerfile-i386 b/Dockerfile-i386
index 74d2055..28d5542 100644
--- a/Dockerfile-i386
+++ b/Dockerfile-i386
@@ -14,7 +14,7 @@ RUN chmod +x /tmp/dependencies.sh && \
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
-COPY lua/ /opt/lua
+COPY lua/ /usr/local/lib/lua
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && \
diff --git a/docs/security_tuning.md b/docs/security_tuning.md
index 90b640e..46cc237 100644
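Review bot: The new destination in `+COPY lua/ /usr/local/lib/lua` places the project's Lua modules under the tree that prepare.sh (copied to `/tmp/prepare.sh` and presumably executed by the RUN line that continues past the hunk) later sets to `chown -R root:nginx` with `chmod 0760` on every `*.lua` and `0770` on directories, so the request-handling code becomes group-writable for nginx; if the runtime user is in that group, as the chown and the docs' UID/GID 101 suggest, it could modify the code nginx executes. Because the hardened compose example in this same commit also stops mounting the root filesystem read-only, that write access would be effective at runtime rather than masked. Consider `find /usr/local/lib/lua -type f -name "*.lua" -exec chmod 0640 {} \;` and `0750` for the directories so nginx can read but not write them, or keep the COPY under a path that is not group-writable. Note that /usr/local/lib/lua was already being prepared by prepare.sh before this change, so COPY now merges into whatever is installed there and would silently overwrite same-named modules. The same line changes identically in Dockerfile-amd64, Dockerfile-arm32v7, Dockerfile-arm64v8 and Dockerfile-i386.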
--- a/docs/security_tuning.md
+++ b/docs/security_tuning.md
@@ -220,6 +220,13 @@ By default, *bunkerized-nginx* runs as non-root user inside the container and sh
 docker run ... --drop-cap=all ... bunkerity/bunkerized-nginx
 ```
+### No new privileges
+Bunkerized-nginx should never tries to gain additional privileges through setuid/setgid executables. You can safely add the **no-new-privileges** [security configuration](https://docs.docker.com/engine/reference/run/#security-configuration) when creating the container :
+
+```shell
+docker run ... --security-opt no-new-privileges ... bunkerity/bunkerized-nginx
+```
+
 ### User namespace remap
 Another hardening trick is [user namespace remapping](https://docs.docker.com/engine/security/userns-remap/) : it allows you to map the UID/GID of users inside a container to another UID/GID on the host. For example, you can map the user nginx with UID/GID 101 inside the container to a non-existent user with UID/GID 100101 on the host.
@@ -235,3 +242,4 @@ $ chown root:100101 /path/to/letsencrypt
 $ chmod 770 /path/to/letsencrypt
 $ docker run ... -v /path/to/letsencrypt:/etc/letsencrypt ... bunkerity/bunkerized-nginx
 ```
+
diff --git a/examples/hardened/docker-compose.yml b/examples/hardened/docker-compose.yml
index fea338f..1daeaf2 100644
--- a/examples/hardened/docker-compose.yml
+++ b/examples/hardened/docker-compose.yml
@@ -7,11 +7,9 @@ services:
 # dropping all capabilities
 cap_drop:
 - ALL
- # root fs as RO
- read_only: true
- # mandatory directories as RW
- tmpfs:
- - /tmp:mode=770,uid=0,gid=101
+ # disable setuid/setgid
+ security_opt:
+ - no-new-privileges
 restart: always
 ports:
 - 80:8080
diff --git a/prepare.sh b/prepare.sh
index d2ed7d7..f3e960c 100644
--- a/prepare.sh
+++ b/prepare.sh
@@ -1,8 +1,5 @@
 #!/bin/sh
-# custom entrypoint
-mkdir /opt/entrypoint.d
-
 # prepare /www
 mkdir /www
 chown -R root:nginx /www
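Review bot: The hardened compose example loses its read-only root filesystem in this hunk: `read_only: true` and the `/tmp` tmpfs are removed instead of being kept alongside the new `security_opt`, and the two settings address different things (no-new-privileges stops setuid/setgid binaries from granting extra privileges, read-only stops writes to the image's files), so they are normally combined rather than swapped. If read-only mode was dropped because something in the container now needs to write at runtime, the fix is an additional tmpfs entry for that path, not removing the setting. The new comment `# disable setuid/setgid` also overstates what the option does; `# no_new_privs: setuid/setgid binaries cannot grant extra privileges` describes it more precisely. The enclosing service definition starts before the hunk.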
@@ -55,7 +52,6 @@ chmod 770 /var/lib/letsencrypt
 # prepare /usr/local/lib/lua
 chown -R root:nginx /usr/local/lib/lua
 chmod 770 /usr/local/lib/lua
-find /usr/local/lib/lua -type f -name "*.conf" -exec chmod 0760 {} \;
 find /usr/local/lib/lua -type f -name "*.lua" -exec chmod 0760 {} \;
 find /usr/local/lib/lua -type d -exec chmod 0770 {} \;