Upload SECURITY.md with huggingface_hub
SECURITY.md +110 -0
SECURITY.md
ADDED
|
@@ -0,0 +1,110 @@
| 1 |
+
# Security Configuration
|
| 2 |
+
|
| 3 |
+
## Non-Root User Support
|
| 4 |
+
|
| 5 |
+
BentoPDF now uses nginx-unprivileged for enhanced security. This follows the Principle of Least Privilege and is essential for production environments.
|
| 6 |
+
|
| 7 |
+
### Security Benefits
|
| 8 |
+
|
| 9 |
+
- **Reduced Attack Surface**: If compromised, attackers won't have root privileges
|
| 10 |
+
- **Compliance**: Meets security standards like SOC 2, PCI DSS
|
| 11 |
+
- **Kubernetes/OpenShift Compatibility**: Works with security policies that require non-root execution
|
| 12 |
+
- **System Protection**: Prevents system-wide damage if the application is compromised
|
| 13 |
+
|
| 14 |
+
### Usage
|
| 15 |
+
|
| 16 |
+
#### Default Configuration (nginx-unprivileged)
|
| 17 |
+
|
| 18 |
+
```bash
|
| 19 |
+
docker build -t bentopdf .
|
| 20 |
+
docker run -p 8080:8080 bentopdf
|
| 21 |
+
```
|
| 22 |
+
|
| 23 |
+
#### Simple Mode
|
| 24 |
+
|
| 25 |
+
```bash
|
| 26 |
+
# Build with simple mode enabled
|
| 27 |
+
docker build --build-arg SIMPLE_MODE=true -t bentopdf-simple .
|
| 28 |
+
|
| 29 |
+
# Run the container
|
| 30 |
+
docker run -p 8080:8080 bentopdf-simple
|
| 31 |
+
```
|
| 32 |
+
|
| 33 |
+
#### Kubernetes Example
|
| 34 |
+
|
| 35 |
+
```yaml
|
| 36 |
+
apiVersion: apps/v1
|
| 37 |
+
kind: Deployment
|
| 38 |
+
metadata:
|
| 39 |
+
name: bentopdf
|
| 40 |
+
spec:
|
| 41 |
+
template:
|
| 42 |
+
spec:
|
| 43 |
+
securityContext:
|
| 44 |
+
runAsNonRoot: true
|
| 45 |
+
runAsUser: 2000
|
| 46 |
+
runAsGroup: 2000
|
| 47 |
+
containers:
|
| 48 |
+
- name: bentopdf
|
| 49 |
+
image: bentopdf:latest
|
| 50 |
+
ports:
|
| 51 |
+
- containerPort: 8080
|
| 52 |
+
```
|
| 53 |
+
|
| 54 |
+
#### Docker Compose Example
|
| 55 |
+
|
| 56 |
+
```yaml
|
| 57 |
+
version: '3.8'
|
| 58 |
+
services:
|
| 59 |
+
bentopdf:
|
| 60 |
+
build:
|
| 61 |
+
context: .
|
| 62 |
+
dockerfile: Dockerfile
|
| 63 |
+
args:
|
| 64 |
+
SIMPLE_MODE: false
|
| 65 |
+
ports:
|
| 66 |
+
- '8080:8080'
|
| 67 |
+
security_opt:
|
| 68 |
+
- no-new-privileges:true
|
| 69 |
+
```
|
| 70 |
+
|
| 71 |
+
### Verification
|
| 72 |
+
|
| 73 |
+
To verify the container is running as non-root:
|
| 74 |
+
|
| 75 |
+
```bash
|
| 76 |
+
# Check the user inside the container
|
| 77 |
+
docker exec <container_id> whoami
|
| 78 |
+
# Should output: nginx
|
| 79 |
+
|
| 80 |
+
# Check the user ID
|
| 81 |
+
docker exec <container_id> id
|
| 82 |
+
# Should show UID/GID for nginx user (typically 101)
|
| 83 |
+
```
|
| 84 |
+
|
| 85 |
+
### Security Best Practices
|
| 86 |
+
|
| 87 |
+
1. **Use nginx-unprivileged**: Built-in non-root user with minimal privileges
|
| 88 |
+
2. **Regular Updates**: Keep the base image updated (currently using 1.29-alpine)
|
| 89 |
+
3. **Port 8080**: Use high port numbers to avoid requiring root privileges
|
| 90 |
+
4. **Security Scanning**: Regularly scan images for vulnerabilities
|
| 91 |
+
5. **Network Policies**: Implement network segmentation
|
| 92 |
+
|
| 93 |
+
### Troubleshooting
|
| 94 |
+
|
| 95 |
+
If you encounter permission issues:
|
| 96 |
+
|
| 97 |
+
1. **Check file ownership**: Ensure all application files are owned by the nginx user
|
| 98 |
+
2. **Verify PID directory**: Ensure `/etc/nginx/tmp/` directory exists and is writable
|
| 99 |
+
3. **Port binding**: Ensure port 8080 is available and not blocked by firewall
|
| 100 |
+
|
| 101 |
+
### Migration from Root
|
| 102 |
+
|
| 103 |
+
If migrating from a root-based setup:
|
| 104 |
+
|
| 105 |
+
1. Update your Dockerfile to use nginx-unprivileged base image
|
| 106 |
+
2. Change port mappings from 80 to 8080 in all configurations
|
| 107 |
+
3. Update nginx.conf to use `/etc/nginx/tmp/nginx.pid` for PID file
|
| 108 |
+
4. Rebuild your images with the new security settings
|
| 109 |
+
5. Update your deployment configurations (Kubernetes, Docker Compose, etc.)
|
| 110 |
+
6. Test thoroughly in a staging environment
|
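Review bot: the Kubernetes example (lines 43-46 of the file) sets `runAsUser: 2000` / `runAsGroup: 2000`, which contradicts the Verification section (lines 77-82), which expects `whoami` to print `nginx` and `id` to show UID 101, and the Troubleshooting advice to make files owned by the nginx user. With the process running as an arbitrary UID 2000 that has no passwd entry, `whoami` will not resolve to `nginx`, and any directory owned only by the nginx user (the `/etc/nginx/tmp/` PID directory mentioned on line 98) is writable only if it is also group- or world-writable. Either align the manifest with the image's user (`runAsUser: 101` / `runAsGroup: 101`) or document that an arbitrary UID is intended and add an `fsGroup` so writable paths are group-accessible. The same Deployment is also missing `spec.selector.matchLabels` and `spec.template.metadata.labels`, both required for `apps/v1` Deployments, so the manifest will be rejected by the API server as written. Finally, the Docker Compose example sets `no-new-privileges:true` but the Kubernetes example has no equivalent; adding a container-level `securityContext` with `allowPrivilegeEscalation: false` would keep the two examples consistent with the non-root posture the document describes.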