Mailcow containers running as root

jman

The documentation recommends installing Mailcow as root (https://docs.mailcow.email/getstarted/install/#install-mailcow). Has anyone attempted to install and run Mailcow Docker containers as non-root user?

As pointed in this thread https://community.mailcow.email/d/4267-unable-to-update-mailcow-due-to-docker-pull-limit/ the Docker registry now has restricted the number of image pulls. This means that one needs to be logged in to avoid this restrictions.

The Docker login credentials (a token) are saved in ~/root/.docker/config.json and I am thinking if that’s a good thing or it would be better “security hygiene” logging into Docker as a non-root user.

Happy to receive feedback.

Thanks

esackbauer

If someone managed to get root access they can read the docker token. But they can also read all your mails.
So in my point of view nothing to be concerned about, because in that case the problems are bigger than a docker token.

Chances are that mailcow team moves the container images away from hub.docker.com to e.g. gitlab or whatever, which has not a restriction.

invaliduser

yes you can install mailcow as a not root user but then you need to think about permissions, installing it as root is just easier and if someone manages to get root from one of your mailcow containers there will be bigger problems than your docker hub token.

jman

Thanks for the replies!

I should probably amend my concern that a higher risk factor is running Docker containers as root. My understanding is that it is preferable to run them as a non priviledged user with GID docker to prevent that a possible vuln in the docker service could allow having root privileges. Is that perhaps better formulated?

Is there anything technically blocking the update.sh script being used as non-root user? It’s a +1000 lines of code script so I can’t quite tell at a glance.

Thanks

esackbauer

jman a non priviledged user with GID docker to prevent that a possible vuln in the docker service could allow having root privileges. Is that perhaps better formulated?

From the installation guide:

We drop permissions for every exposed application and will not run an exposed service as root! Controlling the Docker daemon as non-root user does not give you additional security. The unprivileged user will spawn the containers as root likewise. The behaviour of the stack is identical.

jman

@esackbauer ah! thank you for pointing me to the docs, I had just missed that sentence from the link I have posted :-)