Dockerfile doesn't specify USER

[SbruiceS]

Description

By not specifying a USER, a program in the container may run as root. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than root.

images/orderer/Dockerfile:73
{CMD [ "orderer", "start" ]}

images/peer/Dockerfile:77

{VOLUME /etc/hyperledger/fabric
VOLUME /var/hyperledger

EXPOSE 7051

CMD [ "peer", "node", "start" ]}

References

https://owasp.org/Top10/A04_2021-Insecure_Design

Steps to reproduce

No response

[denyeart]

Thanks for the issue, you are correct, for production deployments a non-root USER is indeed recommended.

The Docker image built in this repository and the associated usage in fabric-samples repository are for education and test purposes only as mentioned at https://github.com/hyperledger/fabric/tree/main/images/peer. root is utilized for simplicity in the samples to interact with the Docker daemon when building and starting chaincodes.

Production deployments should specify a USER and are encouraged to use a chaincode build and run approach appropriate for the production environment (e.g. Kubernetes based), see https://hyperledger-fabric.readthedocs.io/en/latest/cc_launcher.html.

We can utilize this issue to make the recommendation more clear, I'll update the title and remove the bug label accordingly.