Single (kiosk-style) GUI app using X11: how to use non-root user in container?

x11

#1

Hello,

I’m packaging a GUI (X11) app to be used like a kiosk system (only a single app is running on X). I used the resin-electronjs as a base, but noticed that it seems to run the app as root. Security-wise it would be better to use a non-root user when running apps in a container. How should I proceed? Use systemd to bring up an X server or … ?

br,
Timo


#3

Hi, resin-electronjs is running as root within the container itself, and shouldn’t have any more exposure than if you were running as a normal user within the container, as the application runs with the same privileges both ways.

For context, what sort of issues are you trying to protect against? It might help us give you more specific advice.

In general in the Docker environment, root has a somewhat different meaning, and is much less dangerous. If you are running a resinOS 2.x version, the host OS is read-only as well, so any “escape” from the container - should it happen (not sure how that would happen) - has minimal chance to do anything.


#4

Hello imrehg,

Just following general Docker guidelines for security ( https://docs.docker.com/engine/security/security/ ) and thinking of the impact on the system if a malicious attacker somehow gains access through the running application. It is true that root in a container is somewhat safer than “on bare metal”, but exploits that enable container escaping have been available/have been demonstrated, so containerization is not waterproof in this sense. As you said, the read-only fs somewhat prevents any usability of this kind of attack, so this might be more of an academic type of question.