4

I'm deploying a web app that consists of 5 containers:

  1. MariaDB
  2. PHP-FPM
  3. nginx
  4. Data Only Container
  5. WP CLI

When I try to run a WP CLI command, I get the following warning:

Error: YIKES! It looks like you're running this as root. You probably meant to run this as the user that your WordPress install exists under.

If you REALLY mean to run this as root, we won't stop you, but just bear in mind that any code on this site will then have full control of your server, making it quite DANGEROUS.

If you'd like to continue as root, please run this again, adding this flag: --allow-root

I know that in a normal WP installation I'll have several problems. However, as containers are isolated, will I have some security problems with my use case?

techraf
  • 9,159
  • 11
  • 45
  • 63
IAmJulianAcosta
  • 2,475
  • 3
  • 16
  • 18

2 Answers2

6

Whilst it isn't generally a good idea to run as root, doing so in a container is generally less dangerous than on the host and if you're using Docker => 1.10 with user namespaces enabled, the concern doesn't really apply as root in the container is not root on the host.

Without user namespaces there are risks in running a container as root as if an attacker is able to break out of the container isolation they will be root on the host. That's not to say that it's necessarily trivial to break out of the container. Docker uses linux features like namespacing and capabilities to reduce the rights of the running process.

With User Namespaces, the root user in the container is mapped to a non-root user outside the container, so in the event that the container is breached the user would just be an ordinary low-privileged user. Software which isn't container-aware will likely still complain as it doesn't realise that it's not using the "real" root user.

Rory McCune
  • 62,266
  • 14
  • 146
  • 222
4

Yes, you'll have problems if you do things that the authors of the software describe as dangerous.

Generally, running code as root means that you remove a boundary that the attacker would otherwise need to cross, decreasing the effort for them, and make recovery more challenging.

(If there are docker problems, they are more likely exposed to root than a random user id)

Adam Shostack
  • 2,669
  • 1
  • 11
  • 12