Running with root directly instead of sudo (!20) · Merge requests · Iron Bank Containers / Valley Tech Systems / Boringtun

John Moon requested to merge run-with-root into development Oct 26, 2021

This relates to issue #3 (closed).

Before this, the main program was being executed with sudo, which effectively negated the usefulness of the unprivileged user. The sudo package also added some vulnerabilities because it was installing without running the hardening scripts present in the normal UBI image image build (since this image can use ubi8-minimal).

Running directly as root produces an image with the fewest CVEs detected. The only failing quality gate is that the effective user is root.

Since this app requires access to the network stack, it seems the best, justifiable option is to run directly as root.

Edited Oct 27, 2021 by John Moon

Running with root directly instead of sudo

Merge request reports