mxisd process is running as root within the container it should run as user

[zem]

When firing up the docker container for mxisd and doing a first inspection I realized that it is running as root:

bash-4.4# ps -eaf
PID   USER     TIME  COMMAND
    1 root      0:01 java -jar /app/mxisd.jar -c /etc/mxisd/mxisd.yaml
   24 root      0:00 bash
   27 root      0:00 ps -eaf

the problem here is that if you encounter a bug in the code the OS process allows it to replace itself along with the rest of the container. The security level of root also allows for additional device files and network configuration that are normally not possible.

I would advice go for the following strategy:

1. the entrypoint initializes the container and ensures that all the necessary permissions are set
2. sudo hands over the process to a lesser privileged user

from the permissions point of view this would mean

• adding a mxisd user
• chown -R mxisd. /var/mxisd
• apk add sudo
• change start sh to exec sudo -u mxisd java -jar /app/mxisd.jar -c /etc/mxisd/mxisd.yaml

[maxidorius]

Thanks @zem, mxisd is currently being merged into The Gridify server project, acting as the spiritual v2. I'll be sure to include your feedback in it!