security(sandbox): add non-root user to Docker sandbox
Problem: The sandbox container runs as root by default. If untrusted code runs in the sandbox and a container escape vulnerability exists, the attacker gains root access to the host. Solution: Add a non-privileged user following principle of least privilege: ```dockerfile RUN useradd -m -s /bin/bash -u 1000 sandbox USER sandbox WORKDIR /home/sandbox ``` Fixes #3277 (partial) [AI-assisted: lightly tested, code understood]
This commit is contained in:
parent
9688454a30
commit
b613a42393
@ -13,4 +13,8 @@ RUN apt-get update \
|
|||||||
ripgrep \
|
ripgrep \
|
||||||
&& rm -rf /var/lib/apt/lists/*
|
&& rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
|
RUN useradd -m -s /bin/bash -u 1000 sandbox
|
||||||
|
USER sandbox
|
||||||
|
WORKDIR /home/sandbox
|
||||||
|
|
||||||
CMD ["sleep", "infinity"]
|
CMD ["sleep", "infinity"]
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user