You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I would like to run librespeed in a more secure environment, namely without the container requiring root permissions, and with a read-only rootfs where optimally only a tmp directory is mounted as a writeable volume for the upload test files and similar temporarily needed files
Why it should be implemented
Securitywise it is really bad to run this container as root, and the main apache process inside of it aswell, then let apache drop privileges and run the main app inside of it as a user (this is not a VM)
Please conside running it rootless and dont try to chmod stuff in this case.
Securitywise it also is best practice to not have the whole rootfs writeable
both in combination is just bad alltogether, especially when data from the client is used for the upload tests, one security vulnerability related to the upload speed test will open all the gates to remote shells and other bad actors.
The text was updated successfully, but these errors were encountered:
Description
I would like to run librespeed in a more secure environment, namely without the container requiring root permissions, and with a read-only rootfs where optimally only a tmp directory is mounted as a writeable volume for the upload test files and similar temporarily needed files
Why it should be implemented
Securitywise it is really bad to run this container as root, and the main apache process inside of it aswell, then let apache drop privileges and run the main app inside of it as a user (this is not a VM)
Please conside running it rootless and dont try to chmod stuff in this case.
Securitywise it also is best practice to not have the whole rootfs writeable
both in combination is just bad alltogether, especially when data from the client is used for the upload tests, one security vulnerability related to the upload speed test will open all the gates to remote shells and other bad actors.
The text was updated successfully, but these errors were encountered: