Blubber currently outputs a buildable Dockerfile in five distinct phases: PhasePrivileged, PhasePrivilegeDropped, PhasePreInstall, PhaseInstall, and PhasePostInstall. Instructions that could possibly allow arbitrary code to be executed are only output after the PhasePrivilegeDropped phase is reached and the runtime user is set to whatever is configured for runs.as. This serves as a very basic security model that prevents users of Blubber from controlling what will eventually be run as root at container runtime. However, the COPY instructions as they're currently output result in files owned by root, not the runs.as user, so the current implementation is borked.
In addition, if the current implementation were fixed, the runtime user would then have read/write access to the application's files and installed dependencies. This is also not desirable.
After discussing it, this is the basic model we want using distinct levels of privilege (not just root and the runs.as user):
- (as root) Only APT package installation and other operations that can't lead to arbitrary execution are done.
- (as somebody) Install dependencies and copy over application files.
- (as somebody) Allow configuration for some application files/dirs to be chown'd as the runs.as user (temp build directories, etc.).
- (as [runs.as]) Execute entrypoint.
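
An added example, not Blubber's own code: a small Go check that walks a generated Dockerfile and flags instructions that break the model above. The Audit function, the user names somebody and runuser, and both sample Dockerfiles are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Audit flags instructions that break the privilege model; runsAs is the runtime user.
// Simplified: one instruction per line, and only a leading apt-get is allowed as root.
func Audit(dockerfile, runsAs string) (issues []string) {
	user := "root" // a build runs as root until a USER instruction
	for i, line := range strings.Split(dockerfile, "\n") {
		f := append(strings.Fields(line), "", "") // pad so f[0] and f[1] always exist
		switch op := strings.ToUpper(f[0]); {
		case op == "USER":
			user = f[1]
		case op == "RUN" && user == "root" && f[1] != "apt-get":
			issues = append(issues, fmt.Sprintf("line %d: RUN %s executes as root", i+1, f[1]))
		case op == "RUN" && user == runsAs:
			issues = append(issues, fmt.Sprintf("line %d: build step runs as runtime user", i+1))
		case op == "COPY" && !strings.HasPrefix(f[1], "--chown="):
			// Without --chown, COPY creates files owned by UID 0 whatever USER is set.
			issues = append(issues, fmt.Sprintf("line %d: COPY leaves files owned by root", i+1))
		case op == "ENTRYPOINT" && user != runsAs:
			issues = append(issues, fmt.Sprintf("line %d: ENTRYPOINT runs as %s", i+1, user))
		}
	}
	return issues
}

// Constructed sample of the current output: root-owned COPY, install as the runtime user.
const current = `FROM debian:stable
RUN apt-get install -y nodejs
USER runuser
COPY . /srv/app
RUN npm install
ENTRYPOINT ["node", "server.js"]`

// Constructed sample of the target model (user creation omitted; names are hypothetical).
const target = `FROM debian:stable
RUN apt-get install -y nodejs
USER somebody
COPY --chown=somebody . /srv/app
RUN npm install
COPY --chown=runuser tmp /srv/app/tmp
USER runuser
ENTRYPOINT ["node", "server.js"]`

func main() { fmt.Println(Audit(current, "runuser"), Audit(target, "runuser")) }
```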