Posted to notifications@ofbiz.apache.org by "Daniel Watford (Jira)" <ji...@apache.org> on 2023/04/11 10:05:00 UTC

[jira] [Commented] (OFBIZ-12795) Trunk demo site: Ensure OFBiz runs as the ofbizDemo user

    [ https://issues.apache.org/jira/browse/OFBIZ-12795?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17710862#comment-17710862 ] 

Daniel Watford commented on OFBIZ-12795:
----------------------------------------

INFRA have provided some advice that relates to this ticket in INFRA-24446.

> Trunk demo site: Ensure OFBiz runs as the ofbizDemo user
> --------------------------------------------------------
>
>                 Key: OFBIZ-12795
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12795
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: Demo
>            Reporter: Daniel Watford
>            Assignee: Daniel Watford
>            Priority: Major
>
> OFBiz container instances running on the ofbiz-vm1 VM are launched by the ofbizDocker user. 
> Within an OFBiz container a new lower-privileged user is used to run the OFBiz process. This user has UID 1000.
> A user with UID 1000 is used within the container to ensure that, should the OFBiz process be compromised and an attacker 'break out' of the container, the attacker's effective UID is still 1000 and they will be restricted to the privileges of that user.
> An area of risk is that we have not ensured UID 1000 really is a low privilege user on host ofbiz-vm1. This ticket is to ensure that the internal container UID of 1000 really does map to a low-privilege user.
> Investigate and apply user mapping for OFBiz container instances running on ofbiz-vm1 to ensure processes internal to OFBiz containers effectively run as the ofbizDocker user.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
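Added example, not code from the ticket, from OFBiz or from ASF INFRA: a small POSIX sh check for the question the description raises, namely which host UID a container UID actually lands on. Linux exposes a container's user-namespace mapping as /proc/<pid>/uid_map (lines of inside_start, outside_start, count), and Docker's userns-remap takes its host ranges from /etc/subuid (lines of user:start:count). The 100000:65536 range, the ofbizDocker subuid line and the two uid_map samples below are constructed assumptions for the demo, not values read from ofbiz-vm1.

```shell
#!/bin/sh
# Added example, not OFBiz or ASF INFRA code.
# Work out which HOST uid a container uid maps to, and whether that host uid
# lies inside the subordinate uid range of the account the daemon remaps to.
#
# Real inputs on a Docker host (assumption: one container, its init pid):
#   pid=$(docker inspect --format '{{.State.Pid}}' <container>)
#   map=$(cat /proc/$pid/uid_map)      # lines: <inside_start> <outside_start> <count>
#   subuid=$(cat /etc/subuid)          # lines: <user>:<start>:<count>

# host_uid_for MAP CONTAINER_UID
# Prints the host uid CONTAINER_UID maps to, or "unmapped" (exit 1) when no
# range in MAP covers it. Reads MAP via a here-document so "return" works.
host_uid_for() {
    map=$1; want=$2
    while read -r inside outside count; do
        [ -z "$inside" ] && continue
        if [ "$want" -ge "$inside" ] && [ "$want" -lt $((inside + count)) ]; then
            echo $((outside + want - inside))
            return 0
        fi
    done <<EOF
$map
EOF
    echo unmapped
    return 1
}

# in_subuid_range SUBUID USER HOST_UID
# Exit 0 when HOST_UID lies in USER's subordinate range (/etc/subuid format).
in_subuid_range() {
    subuid=$1; user=$2; uid=$3
    while IFS=: read -r name start count; do
        [ "$name" = "$user" ] || continue
        if [ "$uid" -ge "$start" ] && [ "$uid" -lt $((start + count)) ]; then
            return 0
        fi
    done <<EOF
$subuid
EOF
    return 1
}

# assess MAP SUBUID USER CONTAINER_UID
# Prints "ok: ..." (exit 0) or "risk: ..." (exit 1) for the breakout scenario
# in the ticket: a process escaping the container keeps CONTAINER_UID's host identity.
assess() {
    map=$1; subuid=$2; user=$3; cuid=$4
    huid=$(host_uid_for "$map" "$cuid") || {
        echo "risk: container uid $cuid has no host mapping"
        return 1
    }
    if [ "$huid" -eq 0 ]; then
        echo "risk: container uid $cuid is host root"
        return 1
    fi
    if in_subuid_range "$subuid" "$user" "$huid"; then
        echo "ok: container uid $cuid -> host uid $huid, inside $user's subordinate uid range"
        return 0
    fi
    echo "risk: container uid $cuid -> host uid $huid, outside $user's subordinate uid range"
    return 1
}

# Constructed sample inputs (not captured from ofbiz-vm1):
NO_REMAP='0 0 4294967295'           # Docker default: container uids equal host uids
REMAP='0 100000 65536'              # userns-remap: container 0..65535 -> host 100000..165535
SUBUID='ofbizDocker:100000:65536'   # /etc/subuid line granting ofbizDocker that range

# Container root (0) and the OFBiz user (1000), with and without remapping.
for cuid in 0 1000; do
    assess "$NO_REMAP" "$SUBUID" ofbizDocker "$cuid" || :
    assess "$REMAP"    "$SUBUID" ofbizDocker "$cuid" || :
done
```

On a real host, feed it the contents of /proc/<pid>/uid_map for the container's init process and of /etc/subuid. A map of `0 0 4294967295` means no user namespace is in use, so container uid 1000 is host uid 1000 and container root is host root, which is exactly the gap the ticket describes. Once dockerd runs with `"userns-remap"` pointing at a host account that has a subuid/subgid range, the same file reads like the REMAP sample and container uid 1000 lands on a subordinate id that owns nothing on the host outside that range.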