I'm using `ortussolutions/commandbox:lucee5-3.7.12...
# docker-commandbox
t
I'm using `ortussolutions/commandbox:lucee5-3.7.12` for my server but when I run @foundeo's scan I get the following security issues. Are these issues addressed in newer images or are there any plans to fix them? Thanks!
b
That tag is from 8 months ago
We don't go back and "fix" docker images -- that sort of defeats how docker works
An image is set in stone and you just make a new one
I assume the latest images have whatever the latest JVM is.
t
Yeah, that's what I was wondering. Would the latest image solve this?
b
Regarding the user, that's debatable. Personally, I don't have an issue with using root in docker because docker is already a complete and total sandbox. It has access to only what you give it and the entire running container is literally just your single process.
This isn't 1978 in the days of a mainframe with 1000 users, lol
That said, if you want to run the process as a non-root user, we do support that. Check the readme.
In reality though, there should be nothing in the container that the running process doesn't or shouldn't have access to, so what exactly are you trying to protect?
t
Yeah, agreed on the user role, I'd probably be inviting more problems fighting against how most Docker containers work.
b
The only reasonable purpose I've ever heard was IF your app had a vuln and IF that vuln allowed an attacker to obtain a remote shell and IF that remote shell allowed them to run any commands, they could run apt-get. 🤷