mailcow containers running as root

D4niel

Hi there,

I’m not a docker expert (mainly user but not developer or the like), so I hope this isn’t a stupid question: Various hardening guides recommend that you shouldn’t run docker containers as root, so potential flaws don’t cause so much damage (I think this was also one of the reasons Play-with-Docker was hacked some time ago(?)).

So I ran the docker-bench-security script on my server and it warned me that all containers are running as root. Is this dangerous, is this something that I can fix as a user or should I just ignore it?

It gave some more warnings but that’s something you can test for yourself if you are interested :-) Not trying to be the party pooper.

diekuh

Check the Dockerfiles and scripts, we drop rights everywhere. No exposed service is ever run as root. No container with exposed services has acess to the Docker API socket.

Assuming your are running Dovecot on your servers without Docker and Dovecot was exploited, hackers will probably be dovenull, dovecot or vmail on your system. If there is also a privileg escalation, they become root. Imagine having another layer: They are now locked inside the container as root. There needs to be another exploit to break out of the isolation. So you need to exploit Dovecot, escalate to 0 and break out of the container.

D4niel

I see, I’m just wondering why a container is ran as root if the privileges are dropped anyway.

Just to be clear: This isn’t specifically a mailcow-only phenomenon. This seems to be standard practice for the majority of containers. I was just wondering why 🙂. But maybe I’m not enough of a developer to fully understand.