security(sandbox): add non-root user to Docker sandbox
Problem: The sandbox container runs as root by default. If untrusted code runs in the sandbox and a container escape vulnerability exists, the attacker gains root access to the host. Solution: Add a non-privileged user following principle of least privilege: ```dockerfile RUN useradd -m -s /bin/bash -u 1000 sandbox USER sandbox WORKDIR /home/sandbox ``` Fixes #3277 (partial) [AI-assisted: lightly tested, code understood]
This commit is contained in:
parent
9688454a30
commit
b613a42393
@ -13,4 +13,8 @@ RUN apt-get update \
|
||||
ripgrep \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
RUN useradd -m -s /bin/bash -u 1000 sandbox
|
||||
USER sandbox
|
||||
WORKDIR /home/sandbox
|
||||
|
||||
CMD ["sleep", "infinity"]
|
||||
|
||||
Loading…
Reference in New Issue
Block a user