Skip to content

Use setpriv instead of gosu for dropping privileges in the entrypoint #435

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Mar 21, 2025
Merged

Use setpriv instead of gosu for dropping privileges in the entrypoint #435

merged 4 commits into from
Mar 21, 2025

Conversation

Peter-Sh
Copy link
Contributor

@Peter-Sh Peter-Sh commented Mar 17, 2025
edited by adamiBs
Loading

This kinda closes
#390
#401
#424
for Redis 8 CE.

Changes:

setpriv is used instead of gosu with the following flags:

  • Set reuid and regid to redis user and group
  • Clear all supplementary groups
  • Set bounding capabilities to an empty list
  • Enable no-new-privs bit

Other changes:

  • redis-sentinel is now also run with dropped privileges (previously, it wasn't)
  • Both redis-sentinel and redis-server will start with dropped privileges, regardless of how they were started (whether using absolute paths or just file names)

@Peter-Sh Peter-Sh force-pushed the RED-131427_setpriv_insteadof_gosu branch 3 times, most recently from f4f7bdf to 9d21650 Compare March 21, 2025 12:06
Peter-Sh added 4 commits March 21, 2025 14:21
@Peter-Sh
Use setpriv instead of gosu to drop privileges
b8d37ef 
Changes:

setpriv is used instead of gosu with the following flags:

* Set reuid and regid to redis user and group
* Clear all supplementary groups
* Set bouding capabilities to an empty list
* Enable no-new-privs bit
* Set securebit to exclude regaining capabilities

redis-sentinel is now also run with dropped privileges (previously, it wasn't)

Both redis-sentinel and redis-server will start with dropped privileges, regardless of how they were started (whether using absolute paths or just file names)
@Peter-Sh
Fixed typo in comment
dd1d8ce
@Peter-Sh
Removed securebits as it may make more trouble than security
52f8631
@Peter-Sh
Keep sys_resource cap if we have it, check for setuid and setgid
f7606b5 
redis-server may use sys_resource to increase open files limit if
maxclients option has been requested
@Peter-Sh Peter-Sh force-pushed the RED-131427_setpriv_insteadof_gosu branch from 9d21650 to f7606b5 Compare March 21, 2025 12:23
@adobrzhansky adobrzhansky merged commit 3b9471e into redis:release/8.0 Mar 21, 2025
16 checks passed
@adamiBs adamiBs mentioned this pull request Mar 26, 2025
Closed
Peter-Sh added a commit to Peter-Sh/docker-library-redis that referenced this pull request May 23, 2025
@Peter-Sh
Use setpriv instead of gosu for dropping privileges in the entrypoint (
0087d66 
…redis#435)

* Use setpriv instead of gosu to drop privileges

Changes:

setpriv is used instead of gosu with the following flags:

* Set reuid and regid to redis user and group
* Clear all supplementary groups
* Set bouding capabilities to an empty list
* Enable no-new-privs bit
* Set securebit to exclude regaining capabilities
@trashhalo trashhalo mentioned this pull request Jun 16, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adobrzhansky adobrzhansky adobrzhansky approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Peter-Sh @adobrzhansky