Please redesign the docker container #663

Closed
psych0d0g opened this issue Sep 18, 2024 · 4 comments

Comments
@psych0d0g

psych0d0g commented Sep 18, 2024

Description

I would like to run librespeed in a more secure environment, namely without the container requiring root permissions, and with a read-only rootfs where, optimally, only a tmp directory is mounted as a writable volume for the upload test files and similar temporarily needed files.

Why it should be implemented

Security-wise it is really bad to run this container as root, and the main Apache process inside of it as well, then let Apache drop privileges and run the main app inside of it as a user (this is not a VM).
Please consider running it rootless and don't try to chmod stuff in this case.

Security-wise it is also best practice not to have the whole rootfs writable.

Both in combination are just bad altogether, especially when data from the client is used for the upload tests; one security vulnerability related to the upload speed test will open all the gates to remote shells and other bad actors.

@sstidl
Collaborator

sstidl commented Sep 20, 2024

Hello, you seem to know what to do. Please submit a pull request for your changes. You know this is open source; any help is appreciated and welcome.

@sstidl
Collaborator

sstidl commented Oct 26, 2024

While testing the Docker images for the project today, I explored the idea of dropping privileges within these images. During this review, I found that both the Alpine- and Debian-based images are already configured to use an unprivileged user by default. Given this configuration, no further adjustments are needed to meet our security goals.

I’ll go ahead and close this issue accordingly. However, please feel free to reopen it if you see things differently or have additional concerns.

sstidl closed this as completed Oct 26, 2024
@davralin

davralin commented Nov 15, 2024

@sstidl I tried running the image in Kubernetes, with a very strict admission policy, which drops all capabilities, enforces a given UID, and wants a completely readonlyRootFS.

What I found was that readonlyRootFS is not possible, because it creates a file in /var/www/html:

    # cp: cannot create regular file '/var/www/html/speedtest.js': Read-only file system

What actually breaks the restricted policy, however, is chown:

    + chown -R www-data /var/www/html/backend /var/www/html/favicon.ico /var/www/html/index.php /var/www/html/speedtest.js /var/www/html/speedtest_worker.js
    chown: changing ownership of '/var/www/html/backend/country_asn.mmdb': Operation not permitted
    chown: changing ownership of '/var/www/html/backend/empty.php': Operation not permitted
    chown: changing ownership of '/var/www/html/backend/garbage.php': Operation not permitted
    chown: changing ownership of '/var/www/html/backend/geoip2.phar': Operation not permitted
    chown: changing ownership of '/var/www/html/backend/getIP.php': Operation not permitted
    chown: changing ownership of '/var/www/html/backend/getIP_ipInfo_apikey.php': Operation not permitted
    chown: changing ownership of '/var/www/html/backend/getIP_util.php': Operation not permitted
    chown: changing ownership of '/var/www/html/backend': Operation not permitted
    chown: changing ownership of '/var/www/html/favicon.ico': Operation not permitted
    chown: changing ownership of '/var/www/html/index.php': Operation not permitted
    chown: changing ownership of '/var/www/html/speedtest.js': Operation not permitted
    chown: changing ownership of '/var/www/html/speedtest_worker.js': Operation not permitted

Also, it does require running as root, at least if you change the listen-port - but that's something you have to do if you don't want to run as root anyway.

    + sed -i 's/^Listen 80$/Listen 8080/g' /etc/apache2/ports.conf

Not sure how this fits into the review you did, or what you think about this? :-)
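The restricted admission policy described in the comment above (all capabilities dropped, a fixed UID, a read-only root filesystem), together with the single writable tmp volume the opening post asks for, written out as a Kubernetes Pod manifest. This is an added example for readers of the thread, not a manifest from the librespeed project or from either commenter; the image reference, the UID 33, the port 8080 and the mount paths are assumptions. As the thread shows, the image's entrypoint writes outside these mounts (the cp into /var/www/html, the chown -R, the sed on ports.conf), so under this manifest it fails exactly as reported; the manifest states the target the image would need to meet, not a workaround.

```yaml
# Added example (not from the librespeed project): a Pod that applies the
# restricted settings discussed in this issue. Image reference, UID, port and
# mount paths are assumptions for illustration.
apiVersion: v1
kind: Pod
metadata:
  name: librespeed-restricted
spec:
  securityContext:
    runAsNonRoot: true        # kubelet refuses to start the container if it would run as UID 0
    runAsUser: 33             # assumed: www-data on Debian-based images
    runAsGroup: 33
    fsGroup: 33
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: librespeed
      image: example.invalid/librespeed:placeholder   # placeholder, not a real image tag
      ports:
        - containerPort: 8080   # assumed: binding 80 normally needs CAP_NET_BIND_SERVICE, dropped below
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true   # rootfs is immutable; only the mounts below are writable
        capabilities:
          drop: ["ALL"]                # removes CAP_CHOWN too, so an entrypoint chown -R cannot succeed
      volumeMounts:
        - name: tmp
          mountPath: /tmp              # scratch space for upload-test files and similar temporary data
  volumes:
    - name: tmp
      emptyDir:
        medium: Memory
        sizeLimit: 256Mi               # bounds what a client-driven upload test can fill
```

The same constraints for a plain Docker run are `--user 33:33 --read-only --cap-drop ALL --tmpfs /tmp`; with either, anything the entrypoint needs to write (copied assets, a rewritten ports.conf, Apache's runtime directories) has to live on an explicitly mounted writable path rather than on the image's root filesystem.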

@davralin

I started with a fork to implement this, but I need some clarification before I want to proceed - I opened #682
