P0: su-exec in Docker entrypoint may fail silently — container runs as root #4

Closed
opened 2026-05-13 20:39:36 -05:00 by null · 2 comments
Owner

Fixed in 7d476f3. Replaced su-exec with USER nodejs directive in Dockerfile. Container now runs as nodejs user by default with no su-exec fallback to root.

null added the P0 Critical, bug, infra labels 2026-05-17 14:25:54 -05:00
null closed this issue 2026-05-17 14:44:39 -05:00
Author
Owner

Hudson security review (post-fix):

  • Dockerfile correctly uses USER nodejs — no su-exec needed
  • Entry point cleaned up: removed chmod 777 (→ chown), removed hardcoded su-exec, added root-detection logic
  • Entry point is currently unused (Dockerfile uses CMD directly) but now safe if re-enabled
  • Remediation committed in 7162a26

Issues #6 and #10 passed review — no further action needed.

Author
Owner

Final remediation (7c145bc):

  • Removed chmod 777 on /app/db and /app/logs → now uses chown -R nodejs:nodejs
  • Removed hardcoded su-exec call → entrypoint now detects root vs non-root
  • Entry point is currently unused (Dockerfile uses USER nodejs + CMD) but is safe if re-enabled
  • Hudson review: PASS with remediation applied

All audit fixes for this issue are complete and verified.

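The entrypoint pattern the remediation comments describe (root detection, `chown` instead of `chmod 777`, no fallback to running as root), written out as an added example; this is not the project's own script, and `APP_USER`, `APP_DIRS` and the `plan_launch` / `fix_ownership` helper names are assumptions.

```shell
#!/bin/sh
# Added example, not the project's own entrypoint. It follows the remediation
# described in the thread: detect root vs non-root, fix ownership with chown
# rather than chmod 777, and never fall back to running the app as root when
# a privilege-drop helper is missing. APP_USER and APP_DIRS are assumptions.
set -eu

APP_USER="${APP_USER:-nodejs}"
APP_DIRS="${APP_DIRS:-/app/db /app/logs}"

# plan_launch UID HAVE_SU_EXEC HAVE_GOSU
#   -> exec-direct | drop-su-exec | drop-gosu | abort
# Pure decision function so the policy can be tested without root.
plan_launch() {
  if [ "$1" != "0" ]; then
    echo exec-direct        # already non-root (e.g. Dockerfile USER nodejs)
  elif [ "$2" = "yes" ]; then
    echo drop-su-exec
  elif [ "$3" = "yes" ]; then
    echo drop-gosu
  else
    echo abort              # fail closed: no silent fallback to root
  fi
}

# Ownership fix-up for writable dirs: only the app user can write, unlike 777.
fix_ownership() {
  for d in "$@"; do
    mkdir -p "$d"
    chown -R "$APP_USER:$APP_USER" "$d"
  done
}

main() {
  hs=no; hg=no
  command -v su-exec >/dev/null 2>&1 && hs=yes
  command -v gosu    >/dev/null 2>&1 && hg=yes
  # $APP_DIRS is deliberately unquoted so it splits into one dir per word.
  case "$(plan_launch "$(id -u)" "$hs" "$hg")" in
    exec-direct)  exec "$@" ;;
    drop-su-exec) fix_ownership $APP_DIRS; exec su-exec "$APP_USER" "$@" ;;
    drop-gosu)    fix_ownership $APP_DIRS; exec gosu "$APP_USER" "$@" ;;
    abort) echo "refusing to start as root: no su-exec or gosu found" >&2; exit 1 ;;
  esac
}

# Run only when a command was supplied (Docker passes CMD as the arguments).
if [ "$#" -gt 0 ]; then main "$@"; fi
```

With `USER nodejs` in the Dockerfile the script takes the `exec-direct` branch, so the helper is only exercised if the image is ever started as root again.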
Reference: null/Queue-North-Website#4
No description provided.