alternative to gosu to ensure even naïve vulnerability scanners show no false-positives

[jesperronn]

Happy new year 🥂, sorry to rip up in the discussions provided here and in the gosu repository:

#1292
#1282
#1297

While I completely respect and understand the stance of gosu author that vulnerability scanners are naïve and show false positive, I think that much time is wasted by postgres consumers understanding all the details and even move time is spent explaining that the critical issues in postgresql images are false positives.

Therefore this (another thread) on the subject. However the question I would like to ask here is

• Do you know of a replacement for gosu which can be used and give postresql project the same functionality?

the alternative MUST be actively maintained, in the way that all security issues are actively addressed in a way that even naïve vulnerabiltity scanners understand (at least docker scout and trivy)

Please let's focus this discussion on alternatives to gosu in this image.For comments that mention to fix gosu itself, make those comments in the gosu project.

[nicolas-albert]

Same issue with convertigo official image: convertigo/convertigo#876

gosu is used from our first docker version and I don't know what to use instead, without side effects.

[jesperronn]

gosu is used from our first docker version and I don't know what to use instead, without side effects.

this is really a fair opinion, and I fully understand your view.

I will recommend reading gosu source code. The two files main.go and setup-user.go contain all relevant code.

As I see it, basically it is a wrapper around shell methods via a standard go library. (disclaimer: first time I look into Go source code).

main.go: https://github.com/tianon/gosu/blob/ccc5c46e5fc49132e0515885cbe8e4ffe79b0fb6/main.go#L72-L77

setup-user.go: https://github.com/tianon/gosu/blob/ccc5c46e5fc49132e0515885cbe8e4ffe79b0fb6/setup-user.go

looking at it it's mostly just setup-user.go that has functionality.

Setup-user contains calls to the two standard go libraries:

"github.com/moby/sys/user"
"golang.org/x/sys/unix"

and the commands that are done in the file could be converted to a basic shell script fairly easily I think.

I will happily assist, but given that gosu is used and has to be replaced, I suggest a thorough testing of the images that are being built right now.

If somebody wants to give a try replacing gosu in a PR, feel free (my skills slightly limited in that area)

[nicolas-albert]

I've switched with sudo -n -E -u <user> and no more vulnerabilities in scans. I don't know if their is a side effect but the application starts well.

[jesperronn]

@nicolas-albert could you provide a minimal reproducible example based on the code here in this repository?

[nicolas-albert]

postgres/docker-entrypoint.sh

Line 313 in 32b6fcd

exec gosu postgres "$BASH_SOURCE" "$@"

exec gosu postgres "$BASH_SOURCE" "$@"
to
exec sudo -n -E -u postgres "$BASH_SOURCE" "$@"

I don't know if you have sudo in your debian or alpine dependencies and you have to remove the gosu setup (that comes with securities alerts).

[tianon]

You probably want to use setpriv (from util-linux) instead.

See also tianon/gosu#143

[nathan-git123]

Cofounder and CEO of VulnFree here. Our images should solve that problem for you for a reasonable cost:

• https://vulnfree.com/

[jcpunk]

Alas, setpriv provided by alpine comes from busybox and doesn't appear to support --ruid or --rgid.

[tianon]

apk add --no-cache setpriv gets you the full version from util-linux 👀