  • mailcow containers running as root

Hi there,

I’m not a docker expert (mainly user but not developer or the like), so I hope this isn’t a stupid question: Various hardening guides recommend that you shouldn’t run docker containers as root, so potential flaws don’t cause so much damage (I think this was also one of the reasons Play-with-Docker was hacked some time ago(?)).

So I ran the docker-bench-security script on my server and it warned me that all containers are running as root. Is this dangerous, is this something that I can fix as a user or should I just ignore it?

It gave some more warnings but that’s something you can test for yourself if you are interested :-) Not trying to be the party pooper.

  • diekuh


Check the Dockerfiles and scripts, we drop rights everywhere. No exposed service is ever run as root. No container with exposed services has access to the Docker API socket.

Assuming you are running Dovecot on your servers without Docker and Dovecot was exploited, hackers will probably be dovenull, dovecot or vmail on your system. If there is also a privilege escalation, they become root. Imagine having another layer: They are now locked inside the container as root. There needs to be another exploit to break out of the isolation. So you need to exploit Dovecot, escalate to 0 and break out of the container.
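
The shell functions below are an added example, not part of the original post and not mailcow code. They check the two claims above on your own host: which UIDs a container's processes actually run as, and whether the Docker API socket is mounted. The function names and the `sample_ps` data are constructed for illustration; `docker top` reports host-side UIDs, so with user-namespace remapping container root shows up as a non-zero UID.

```shell
#!/bin/sh
# Added example. Function names and the sample data are hypothetical.

# Constructed `docker top <c> -eo uid,pid,comm` output for a Dovecot-style container.
sample_ps() {
  cat <<'EOF'
UID PID COMMAND
0 2101 dovecot
401 2130 anvil
402 2144 imap-login
5000 2159 imap
EOF
}

# Count processes by effective UID: root (0) versus everything else.
summarize_uids() {
  awk 'NR > 1 { if ($1 == 0) r++; else n++ }
       END { printf "root=%d nonroot=%d\n", r, n }'
}

# Comma-separated names of the processes that still run as UID 0.
root_commands() {
  awk 'NR > 1 && $1 == 0 { print $3 }' | sort -u | paste -sd, -
}

# Succeeds if a mount source (one per line on stdin) is the Docker API socket.
has_docker_socket() {
  grep -qxE '(/var)?/run/docker\.sock'
}

# Live check of one running container; needs the docker CLI.
audit_container() {
  ac_user=$(docker inspect --format '{{.Config.User}}' "$1") || return 1
  ac_top=$(docker top "$1" -eo uid,pid,comm) || return 1
  printf '%s: starts as %s; %s; still root: %s\n' "$1" \
    "${ac_user:-root (no user configured)}" \
    "$(printf '%s\n' "$ac_top" | summarize_uids)" \
    "$(printf '%s\n' "$ac_top" | root_commands)"
  if docker inspect --format '{{range .Mounts}}{{println .Source}}{{end}}' "$1" |
      has_docker_socket; then
    printf '%s: Docker API socket is mounted\n' "$1"
  fi
}

# Run with --live to audit every running container on this host.
if [ "${1:-}" = "--live" ]; then
  for c in $(docker ps --format '{{.Names}}'); do audit_container "$c"; done
fi
```

A container with no configured user whose network-facing processes show non-zero UIDs matches what the reply describes: started as root, with privileges dropped afterwards.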


5 days later

I see, I’m just wondering why a container is run as root if the privileges are dropped anyway.

Just to be clear: This isn’t specifically a mailcow-only phenomenon. This seems to be standard practice for the majority of containers. I was just wondering why 🙂. But maybe I’m not enough of a developer to fully understand.
