Clarify wording

pull/229/head
thespad 2024-07-08 17:21:06 +01:00
parent ff28543d6f
commit 019934e58c
No known key found for this signature in database
GPG Key ID: 08F06191F4587860
1 changed file with 1 addition and 1 deletion

@ -13,7 +13,7 @@ Docker provides the capability to run containers with a read-only internal files
## Why?
From a security perspective, preventing any changes to the container filesystem is a good idea. It means if someone somehow compromises the container they can't install new packages, change permissions, create new user accounts, copy executables, or do anything else persistent outside of your host-mounted paths. Now in the case of the vast majority of our images, if a malicious actor were to compromise the running application they wouldn't have root access anyway, which already limits their ability to act, but if chained with a Local Privilege Escalation (LPE) vulnerability for example, they could acquire it. Running read-only isn't a security silver bullet (they don't exist) but it is an additional mitigation step you can take.
From a security perspective, preventing any changes to the container filesystem is a good idea. It means if someone somehow compromises the container they can't install new packages, change permissions, create new user accounts, inject executables, or do anything else persistent outside of your host-mounted paths. Now in the case of the vast majority of our images, if a malicious actor were to compromise the running application they wouldn't have root access anyway, which already limits their ability to act, but if chained with a Local Privilege Escalation (LPE) vulnerability for example, they could acquire it. Running read-only isn't a security silver bullet (they don't exist) but it is an additional mitigation step you can take.
## How?
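
Review bot: On the changed sentence under "## Why?", "inject executables" is less precise than the "copy executables" it replaces. A read-only filesystem stops new files being written to the container's filesystem, but "inject" can be read as injecting code into a running process, which this setting does not prevent. Consider wording such as "write new executables to disk" so the claim matches what the mitigation covers; the existing "outside of your host-mounted paths" qualifier still applies to it unchanged.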