
Use setpriv instead of gosu for dropping privileges in the entrypoint #435

Merged

Conversation

Peter-Sh

@Peter-Sh Peter-Sh commented Mar 17, 2025

This kinda closes
#390
#401
#424
for Redis 8 CE.

Changes:

setpriv is used instead of gosu with the following flags:

  • Set reuid and regid to redis user and group
  • Clear all supplementary groups
  • Set bounding capabilities to an empty list
  • Enable no-new-privs bit

Other changes:

  • redis-sentinel is now also run with dropped privileges (previously, it wasn't)
  • Both redis-sentinel and redis-server will start with dropped privileges, regardless of how they were started (whether using absolute paths or just file names)

@Peter-Sh Peter-Sh force-pushed the RED-131427_setpriv_insteadof_gosu branch 3 times, most recently from f4f7bdf to 9d21650 Compare March 21, 2025 12:06
Changes:

setpriv is used instead of gosu with the following flags:

* Set reuid and regid to redis user and group
* Clear all supplementary groups
* Set bounding capabilities to an empty list
* Enable no-new-privs bit
* Set securebit to exclude regaining capabilities

redis-sentinel is now also run with dropped privileges (previously, it wasn't)

Both redis-sentinel and redis-server will start with dropped privileges, regardless of how they were started (whether using absolute paths or just file names)
redis-server may use sys_resource to increase open files limit if maxclients option has been requested
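The state that the flag set in the PR description and the commit message should leave behind (uid/gid switched to the redis user, supplementary groups cleared, empty bounding set, no-new-privs on, with the cap_sys_resource exception for maxclients) can be verified from inside a running container. The following is an added example, not code from the PR or the redis image: a hypothetical POSIX sh checker that parses the text of a process's /proc/<pid>/status; uid/gid 999 for the redis user and the sample status contents are assumptions.

```shell
#!/bin/sh
# Added example, not part of the PR: check that a process shows the state the
# entrypoint's setpriv flags are meant to produce, by parsing the text of its
# /proc/<pid>/status. Checked fields:
#   Uid:/Gid:    real and effective ids equal the target user/group
#   Groups:      empty, i.e. supplementary groups were cleared
#   CapBnd:      equals the expected bounding set (all zero by default; pass
#                0000000001000000 when cap_sys_resource is kept for maxclients)
#   NoNewPrivs:  1
# Prints each mismatch; returns 0 only if every field matches.
check_dropped_privs() {
  status="$1"; want_uid="$2"; want_gid="$3"
  want_capbnd="${4:-0000000000000000}"; rc=0
  # field KEY N: print column N of the "KEY:" line (whitespace-separated)
  field() { printf '%s\n' "$status" | awk -v k="$1:" -v n="$2" '$1 == k { print $n }'; }
  for pair in "Uid $want_uid" "Gid $want_gid"; do
    set -- $pair
    real=$(field "$1" 2); eff=$(field "$1" 3)
    [ "$real" = "$2" ] && [ "$eff" = "$2" ] ||
      { echo "$1: want $2, got real=$real effective=$eff"; rc=1; }
  done
  groups=$(printf '%s\n' "$status" | awk '$1 == "Groups:" { $1 = ""; print }')
  case "$groups" in
    *[0-9]*) echo "Groups: supplementary groups still present:$groups"; rc=1 ;;
  esac
  capbnd=$(field CapBnd 2)
  [ "$capbnd" = "$want_capbnd" ] ||
    { echo "CapBnd: want $want_capbnd, got $capbnd"; rc=1; }
  nnp=$(field NoNewPrivs 2)
  [ "$nnp" = "1" ] || { echo "NoNewPrivs: want 1, got ${nnp:-missing}"; rc=1; }
  return $rc
}
# Constructed samples (uid/gid 999 for the redis user is an assumption).
STATUS_DROPPED='Name:	redis-server
Uid:	999	999	999	999
Gid:	999	999	999	999
Groups:	
CapBnd:	0000000000000000
NoNewPrivs:	1'
# What the same process looks like if launched without the privilege drop.
STATUS_ROOT='Name:	redis-server
Uid:	0	0	0	0
Gid:	0	0	0	0
Groups:	0 1 2 
CapBnd:	00000000a80425fb
NoNewPrivs:	0'
if check_dropped_privs "$STATUS_DROPPED" 999 999; then echo "dropped: OK"; fi
check_dropped_privs "$STATUS_ROOT" 999 999 || echo "root: privileges NOT dropped"
```

Against a live container, pass the contents of the redis-server process's /proc/<pid>/status as the first argument; securebits are not among the fields of that file, so that flag is not covered by this check.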
@Peter-Sh Peter-Sh force-pushed the RED-131427_setpriv_insteadof_gosu branch from 9d21650 to f7606b5 Compare March 21, 2025 12:23
@adobrzhansky adobrzhansky merged commit 3b9471e into redis:release/8.0 Mar 21, 2025
16 checks passed