You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
At the moment when cloning grocy application code (PHP assets, web assets) into grocy-docker containers, extraction runs under the www-data and nginx user accounts respectively.
This means that the files are owned by the same user account that the web server (php-fpm, nginx, respectively) process runs as.
Although the root filesystems are read-only already, we could apply another layer of security by ensuring that the files are owned by a separate user account.
That could place a further roadblock against any potential application-level exploits from modifying and/or persisting in the containers.
The text was updated successfully, but these errors were encountered:
At the moment when cloning grocy application code (PHP assets, web assets) into
grocy-dockercontainers, extraction runs under thewww-dataandnginxuser accounts respectively.This means that the files are owned by the same user account that the web server (
php-fpm,nginx, respectively) process runs as.Although the root filesystems are read-only already, we could apply another layer of security by ensuring that the files are owned by a separate user account.
That could place a further roadblock against any potential application-level exploits from modifying and/or persisting in the containers.
The text was updated successfully, but these errors were encountered: