hardening - add no-new-privileges

This commit is contained in:
florian 2021-05-18 21:35:58 +02:00
parent d9bb97be50
commit 73543f4b0e
No known key found for this signature in database
GPG Key ID: 3D80806F12602A7C
8 changed files with 16 additions and 14 deletions

View File

@ -14,7 +14,7 @@ RUN chmod +x /tmp/dependencies.sh && \
COPY entrypoint/ /opt/entrypoint
COPY confs/ /opt/confs
COPY scripts/ /opt/scripts
COPY lua/ /opt/lua
COPY lua/ /usr/local/lib/lua
COPY prepare.sh /tmp/prepare.sh
RUN chmod +x /tmp/prepare.sh && \
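Review bot: the `COPY lua/` destination moves from /opt/lua to /usr/local/lib/lua here and in the other four Dockerfiles in this commit, but the commit message ("add no-new-privileges") does not mention the relocation and none of the eight changed files updates a config reference to the old /opt/lua path. Confirm that nothing under confs/ or the nginx Lua search path still points at /opt/lua (the entrypoint hunk in this commit already chowns /usr/local/lib/lua, so the runtime clearly expects the new location), and either note the move in the commit message or split it out so the hardening change stays reviewable on its own.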

View File

@ -14,7 +14,7 @@ RUN chmod +x /tmp/dependencies.sh && \
COPY entrypoint/ /opt/entrypoint
COPY confs/ /opt/confs
COPY scripts/ /opt/scripts
COPY lua/ /opt/lua
COPY lua/ /usr/local/lib/lua
COPY prepare.sh /tmp/prepare.sh
RUN chmod +x /tmp/prepare.sh && \

View File

@ -21,7 +21,7 @@ RUN chmod +x /tmp/dependencies.sh && \
COPY entrypoint/ /opt/entrypoint
COPY confs/ /opt/confs
COPY scripts/ /opt/scripts
COPY lua/ /opt/lua
COPY lua/ /usr/local/lib/lua
COPY prepare.sh /tmp/prepare.sh
RUN chmod +x /tmp/prepare.sh && \

View File

@ -21,7 +21,7 @@ RUN chmod +x /tmp/dependencies.sh && \
COPY entrypoint/ /opt/entrypoint
COPY confs/ /opt/confs
COPY scripts/ /opt/scripts
COPY lua/ /opt/lua
COPY lua/ /usr/local/lib/lua
COPY prepare.sh /tmp/prepare.sh
RUN chmod +x /tmp/prepare.sh && \

View File

@ -14,7 +14,7 @@ RUN chmod +x /tmp/dependencies.sh && \
COPY entrypoint/ /opt/entrypoint
COPY confs/ /opt/confs
COPY scripts/ /opt/scripts
COPY lua/ /opt/lua
COPY lua/ /usr/local/lib/lua
COPY prepare.sh /tmp/prepare.sh
RUN chmod +x /tmp/prepare.sh && \

View File

@ -220,6 +220,13 @@ By default, *bunkerized-nginx* runs as non-root user inside the container and sh
docker run ... --drop-cap=all ... bunkerity/bunkerized-nginx
```
### No new privileges
Bunkerized-nginx should never tries to gain additional privileges through setuid/setgid executables. You can safely add the **no-new-privileges** [security configuration](https://docs.docker.com/engine/reference/run/#security-configuration) when creating the container :
```shell
docker run ... --security-opt no-new-privileges ... bunkerity/bunkerized-nginx
```
### User namespace remap
Another hardening trick is [user namespace remapping](https://docs.docker.com/engine/security/userns-remap/) : it allows you to map the UID/GID of users inside a container to another UID/GID on the host. For example, you can map the user nginx with UID/GID 101 inside the container to a non-existent user with UID/GID 100101 on the host.
@ -235,3 +242,4 @@ $ chown root:100101 /path/to/letsencrypt
$ chmod 770 /path/to/letsencrypt
$ docker run ... -v /path/to/letsencrypt:/etc/letsencrypt ... bunkerity/bunkerized-nginx
```
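Review bot: the added sentence under "### No new privileges" reads "should never tries to gain additional privileges"; make it "should never try to gain additional privileges". Two further points in the same hunk: the context line just above the new section shows `--drop-cap=all`, which is not a Docker flag (the option is `--cap-drop=all`), so the command a reader copies will fail; and since readers will combine both options, one sentence on what `no-new-privileges` actually does would help, i.e. it sets the `no_new_privs` bit so that exec of a setuid/setgid binary or a file with capabilities cannot raise privileges, rather than implying such executables are removed from the image.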

View File

@ -7,11 +7,9 @@ services:
# dropping all capabilities
cap_drop:
- ALL
# root fs as RO
read_only: true
# mandatory directories as RW
tmpfs:
- /tmp:mode=770,uid=0,gid=101
# disable setuid/setgid
security_opt:
- no-new-privileges
restart: always
ports:
- 80:8080
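Review bot: the hunk header `-7,11 +7,9` accounts for three added and five removed lines; the three added are the `security_opt` block, which leaves `# root fs as RO`, `read_only: true`, `# mandatory directories as RW`, `tmpfs:` and `- /tmp:mode=770,uid=0,gid=101` as the removed lines. Dropping the read-only root filesystem and the /tmp tmpfs is a hardening regression that a commit titled "add no-new-privileges" does not announce; keep them next to the new `security_opt` entry or state in the message why they had to go. The new comment `# disable setuid/setgid` also overstates the effect: `no-new-privileges` does not disable setuid binaries, it prevents them (and file capabilities) from granting extra privileges on exec, so `# no privilege gain via setuid/setgid/file capabilities` would be accurate.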

View File

@ -1,8 +1,5 @@
#!/bin/sh
# custom entrypoint
mkdir /opt/entrypoint.d
# prepare /www
mkdir /www
chown -R root:nginx /www
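Review bot: this hunk shrinks the file from 8 lines to 5 with no added line visible, so `# custom entrypoint` and `mkdir /opt/entrypoint.d` appear to be what was removed. If the /opt/entrypoint.d hook directory is gone, anything in the entrypoint or the docs that still sources scripts from it has to follow, and the removal belongs in the commit message alongside the no-new-privileges change.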
@ -55,7 +52,6 @@ chmod 770 /var/lib/letsencrypt
# prepare /usr/local/lib/lua
chown -R root:nginx /usr/local/lib/lua
chmod 770 /usr/local/lib/lua
find /usr/local/lib/lua -type f -name "*.conf" -exec chmod 0760 {} \;
find /usr/local/lib/lua -type f -name "*.lua" -exec chmod 0760 {} \;
find /usr/local/lib/lua -type d -exec chmod 0770 {} \;
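Review bot: the `find ... -name "*.lua" -exec chmod 0760` line (and the `*.conf` line above it) gives group nginx write access to every Lua module under /usr/local/lib/lua, since 0760 is rwx for root and rw- for the group. The files are chowned root:nginx and the README line in this commit says the container runs as a non-root user, so a compromised worker could rewrite the Lua code nginx loads, which undoes part of what `cap_drop: ALL` and `no-new-privileges` buy. Unless nginx genuinely writes these files at runtime, use 0640 for files and 0750 for directories so only root can modify them. The header also goes from 7 lines to 6 with no addition visible, so one line is removed here that the rendered view does not show; say which in the message.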