Missing security aspects in Docker image

[agido-malter]

Using geoippupdate via docker

docker run --user 4711:4711 --name geoipupdate --rm --env-file $HOME/geo/geoip.env -v $HOME/geo/temp:/usr/share/GeoIP maxmindinc/geoipupdate

results in error:

STATE: Creating configuration file at /etc/GeoIP.conf
/usr/bin/entry.sh: line 45: can't create /etc/GeoIP.conf: Permission denied

If i don't use --user xxxx:xxxxx the result file is owned by root. Company policy denies root for any other than admins

Also tried with -e "GEOIPUPDATE_CONF_FILE=/tmp/GeoIP.conf" but next issue is:

error retrieving updates: error acquiring file lock: error acquiring file lock at /usr/share/GeoIP/.geoipupdate.lock: open /usr/share/GeoIP/.geoipupdate.lock: permission denied

That means, the whole image is designed to run under root only, whitch misses every aspect of security

[oschwald]

You may also set GEOIPUPDATE_DB_DIR.

[oschwald]

5.1.0 now drops the root privileges.

[oschwald]

5.1.1 switches back to using root privileges within the container. Please see #233.

Could you expand a bit more on your particular use case? That might impact how we go forward.

[rakeshv1]

Hi it looks like since 5.1 the entry.sh script writes to a log file by first creating a log_dir folder at "/var/lib/geoipupdate" this means that if we run the docker image under a different non-root user we will get permission denied
can't create /var/lib/geoipupdate/.healthcheck: Permission denied There is no way to override this directory similar to the options like GEOIPUPDATE_CONF_FILE etc

Do you have any plans to add an option to override the log directory path ? I can find some time to PR that in if you are happy with this approach?

[oschwald]

@rakeshv1 as of 6.0.0, this should no longer be an issue. You should be able to run the image with an arbitrary user.