Problem: The sandbox container runs as root by default. If untrusted code runs in the sandbox and a container escape vulnerability exists, the attacker gains root access to the host. Solution: Add a non-privileged user following principle of least privilege: ```dockerfile RUN useradd -m -s /bin/bash -u 1000 sandbox USER sandbox WORKDIR /home/sandbox ``` Fixes #3277 (partial) [AI-assisted: lightly tested, code understood]
21 lines
365 B
Docker
21 lines
365 B
Docker
FROM debian:bookworm-slim
|
|
|
|
ENV DEBIAN_FRONTEND=noninteractive
|
|
|
|
RUN apt-get update \
|
|
&& apt-get install -y --no-install-recommends \
|
|
bash \
|
|
ca-certificates \
|
|
curl \
|
|
git \
|
|
jq \
|
|
python3 \
|
|
ripgrep \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
RUN useradd -m -s /bin/bash -u 1000 sandbox
|
|
USER sandbox
|
|
WORKDIR /home/sandbox
|
|
|
|
CMD ["sleep", "infinity"]
|