Audit finding from #300 (commit 679f9fe)
Severity: medium
Category: dependencies / container hardening
File: docker/relay.Dockerfile ; replay.Dockerfile ; storage.Dockerfile ; web.Dockerfile
Obvious fix: yes
Description
None of the Dockerfiles drop privileges via USER. The relay binary listens on 9090/9091 (non-privileged), so there is no need for root.
Impact / Threat
A container escape or RCE in willow-relay yields uid 0 inside the container and increases lateral-movement potential.
Suggested fix
Add RUN useradd -r -u 10001 willow and USER willow in the runtime stage of each Dockerfile.
Verify
grep -L '^USER ' docker/*.Dockerfile
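A stricter form of the Verify step, as an added example that is not part of the original finding or the project's code: `grep -L '^USER '` also passes a file whose only USER line is in a build stage, or one that sets `USER root`, so this checks the last USER of the final stage instead. The function names, sample file names and base images are constructed, and it assumes the base image sets no USER of its own.

```shell
#!/bin/sh
# Added example (not project code). Assumption: a base image that sets no
# USER of its own, so a stage without a USER line runs as root.

# Print the last USER value of the final build stage, or "root" if none.
final_stage_user() {
    awk '
        toupper($1) == "FROM" { user = "" }   # each stage starts over
        toupper($1) == "USER" { user = $2 }   # last USER in a stage wins
        END { print (user == "" ? "root" : user) }
    ' "$1"
}

# Succeed (0) when the runtime stage of Dockerfile $1 still runs as uid 0.
runs_as_root() {
    u=$(final_stage_user "$1")
    u=${u%%:*}                                # drop an optional :group
    case "$u" in
        root|0) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print every offending file; return non-zero if any was found.
audit_dockerfiles() {
    rc=0
    for f in "$@"; do
        if runs_as_root "$f"; then
            echo "runs as root: $f"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples: USER only in the build stage, and the suggested fix.
make_samples() {
    printf 'FROM rust AS build\nUSER builder\nFROM debian\nCMD ["willow-relay"]\n' \
        > "$1/builder-only.Dockerfile"
    printf 'FROM rust AS build\nFROM debian\nRUN useradd -r -u 10001 willow\nUSER willow\n' \
        > "$1/fixed.Dockerfile"
}
```

Run as `audit_dockerfiles docker/*.Dockerfile`; a non-zero exit status can gate CI.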