Apps that run as root - how to change it?

I discovered that some Apps run as root. Examples are paperless, ollama, open-webui, etc… This has a few security implications and I would really like to avoid the practice, is there anything I can do to fix it? Or do I have to e.g. file an issue with the ix-app or with the projects themselves? Thank you

Take a look at the App Catalog and see what permissions they require or use. It may be unavoidable

Sometimes the creators of the app image hardcode the user. If that’s the case there’s nothing you, we or the apps maintainer from truenas can do about it.

Ok, thank you. Is it possible there is a bug also? Because for example radicale or paperless have sections for the user and group but they still run as root.

Anyone running these two apps, can you check it’s the same for you please?

Paperless-ngx is showing multiple containers in the App Catalog. You can also expand the Security Capabilities section to get an idea of what it requires.

I see there it is clearly shown that the main container [paperless] runs as root… hmmm…
And the capabilities section isn’t that more like security risks?
Thanks

I am a home user, but a little paranoid.

I use a separate mini PC to run services and apps on Proxmox. I use TrueNAS on bare metal as a NAS only. In case I will migrate any apps on TrueNAS I will use a VM.

The reason I use TrueNAS is because I want the best I can have regarding my data integrity and safety and also being a noob I don’t want to cut corners on it.

Yeah, I am a bit paranoid as well, or maybe I would call it cautious. I already have two servers though - one is TrueNAS, it’s powerful and runs storage and services; it would be a waste just for storage. And the second is Proxmox but its main purpose is being a router (OpenWRT in a VM). I definitely don’t want to run most apps on the router (there are exceptions like tailscale, adguard etc - keeping the networking together). Also if I wanted to separate apps from TrueNAS I would have to get another server and given the RAM prices, generally hardware prices, as well as electricity costs increase that is not something I want to do. And I don’t want to have another computer here, it’s too much already.
So hardening is the name of the game for me. Or would you even call it hardening when it’s basics like not running containers as root? Dunno…

You can always set the user that runs in the container, even if the image was set up to run as root. However, many apps presume upon root privileges to do things. Sometimes the app runs fine but with warnings, while other times you have to tweak things to make it work correctly. Example: to run the stock NGINX image as a non-root user (something I have to do sometimes on a hardened Kubernetes cluster), I have to add an ephemeral mount at both /run and /var/cache/nginx so the non-root user has privileges to create files in those folders - something they expect the root user to do before NGINX runs as the container’s built-in non-root user.
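The NGINX case described above, written out as a Compose service (an added example, not code from the post, from TrueNAS or from the nginx project). It assumes uid/gid 101 is the built-in `nginx` user of the official image and that host port 8080 is free.

```yaml
# Added example: stock nginx image forced to run as a non-root user.
# Assumptions: uid/gid 101 is the official image's "nginx" user; host
# port 8080 is unused. Adjust both for your environment.
services:
  web:
    image: nginx:stable
    # Override the image's default (root) user. Any unprivileged id works
    # as long as the writable mounts below are usable by it.
    user: "101:101"
    # Root filesystem is immutable; only the tmpfs paths may be written.
    read_only: true
    # nginx writes its pid file under /var/run (a symlink to /run) and its
    # proxy/fastcgi buffers under /var/cache/nginx. Root would create these
    # at start-up; a non-root user needs ephemeral, writable mounts instead.
    tmpfs:
      - /run
      - /var/cache/nginx
    # Drop every capability. The stock config listens on port 80; an
    # unprivileged process can bind it only thanks to the sysctl below
    # (recent Docker releases set it by default, listing it keeps the
    # requirement explicit). The alternative is to keep the sysctl out
    # and grant the single capability: cap_add: [NET_BIND_SERVICE].
    cap_drop:
      - ALL
    sysctls:
      net.ipv4.ip_unprivileged_port_start: 0
    # Block setuid binaries from regaining privileges inside the container.
    security_opt:
      - no-new-privileges:true
    ports:
      - "8080:80"
    # Expected at start-up: the image's entrypoint warns that it cannot
    # modify /etc/nginx/conf.d/default.conf on the read-only filesystem.
    # That is the "runs fine but with warnings" case; nginx still serves.
```

After `docker compose up -d`, `docker compose exec web id -u` should print `101`, and `curl -sI http://localhost:8080/` should return the default page headers.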

Hardening for you means no to some containers to be honest. A good many need / are hardcoded to run as root in order to execute certain things. Some apps (in the catalog) need extra privileges even if they don’t run as root so it’s not as simple as it seems (for example Zigbee2mqtt adds NET_BIND_SERVICE but I think Plex and Nextcloud do also). The apps catalog is safer than most docker-compose setups since the maintainer does only what’s necessary to run. However if you want to harden completely I’d suggest avoiding containers you don’t control yourself, running docker-compose files, and getting busy.


…plus running your own (rootless?) Docker or Podman in an Instance or VM for more isolation.

Exactly, at that point, run Podman in a VM, complete isolation

You can always set the user that runs in the container, even if the image was set up to run as root.

I have done it with most of the custom apps (I don’t have many) but I don’t want to convert the other apps to custom with the risk it won’t work anyway and take it on myself to have to maintain that config. I have also removed a few apps I was not using much and were running as root. I plan on putting ollama and openwebui to a VM so I will be left with 2 that run as root I think…

However if you want to harden completely I’d suggest avoiding containers you don’t control yourself, running docker-compose files, and getting busy

I know, I just need to find balance between running what I need and not spending too much time maintaining it. Homelab is kind of a hobby to me, but I still have to go to work, I want to spend time with my family and friends and so I don’t have that much time left. It’s not a problem setting up things, the problem is when something goes wrong and you need to troubleshoot for 5 hours unexpectedly. You know what I mean right?

I have only recently discovered Podman, because it is already present on Fedora and I am liking it so far. I mean it’s not that different, but seems to have better defaults than docker.

Podman has a lot of security advantages but the downfall is some containers are tougher to run or require breaking that security to run, which defeats the point. Some tools are more dangerous than others, as in life as in IT.

As for less maintenance, you’ll have to pick what’s more valuable to you, since locking things down initially might mean things break easier in the future, versus using the apps catalog and trusting the maintainers of the catalog to implement normal/safe defaults as best they can. Basically you “can’t have your cake and eat it too” so you’ll have to decide what’s most important to you, as will others; there’s no default that will satisfy everyone’s needs.
