Please redesign the docker container #663
Comments
|
Hello, you seem to know what to do. Please submit a pull request for your changes. You know this is open source, any help is appreciated and welcome. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
I would like to run librespeed in a more secure environment, namely without the container requiring root permissions, and with a read-only rootfs where optimally only a tmp directory is mounted as a writeable volume for the upload test files and similar temporarily needed files
Why it should be implemented
Securitywise it is really bad to run this container as root, and the main apache process inside of it aswell, then let apache drop privileges and run the main app inside of it as a user (this is not a VM)
Please conside running it rootless and dont try to chmod stuff in this case.
Securitywise it also is best practice to not have the whole rootfs writeable
both in combination is just bad alltogether, especially when data from the client is used for the upload tests, one security vulnerability related to the upload speed test will open all the gates to remote shells and other bad actors.
The text was updated successfully, but these errors were encountered: