I noticed while fooling around in nextcloud that it is using LDAP as opposed to LDAPS to connect to cloudron LDAP. This means that requests and creds are sent in plain text. Now somebody would have to be on the container network to sniff these, but still a big no no. (I once had my enterprise admin credentials exposed on a webex because my boss used LDAP instead of LDAPS and was reviewing a PCAP live.)
As you said this is only happening within the server local container network. If a person has access to that, that person has numerous ways to get a user's password. For example just adding a console.log() in the code which validates the password. I don't really see how the security is improved by making the local connection using locally available certificates.
I have pondered adding CapDrop NET_RAW in the past to all our containers but this will break some tools like ping. But the real reason I haven't added it is that, as @nebulon said, if a user gets access to the container network, then all is lost already. This is why in our previous release, we started making sure that apps that use the docker addon can only be installed by owner privileges (i.e. a user who already has ssh access).
One attack I can think of is if the app container image is itself compromised. At least, right now, all app images are personally tested by us and we only install upstream apt packages and we don't allow 3rd party packagers. So, maybe dropping NET_RAW is worth it for future proofing. AFAIK, this won't break anything.
@will Just wanted to follow up on this. I did end up removing NET_RAW caps from the app containers in 5.2. So, containers cannot sniff each other's traffic anymore.
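A way to confirm from inside a container that CAP_NET_RAW was really dropped, added here as an example and not part of this thread or of Cloudron's own code: it decodes the CapEff mask that the kernel prints in /proc/<pid>/status (CAP_NET_RAW is capability bit 13). The sample masks and status file contents used are constructed.

```bash
#!/usr/bin/env bash
# Added example (not Cloudron code): check whether a process's effective
# capability set still contains CAP_NET_RAW, the capability needed to open
# raw/packet sockets and thus sniff traffic on the container network.
# Kernel capability bit numbers are fixed; CAP_NET_RAW is bit 13.
CAP_NET_RAW_BIT=13

# cap_has MASK_HEX BIT: succeed (exit 0) if BIT is set in the hex mask,
# e.g. cap_has 00000000a80425fb 13
cap_has() {
    local mask=$((0x$1))
    local bit=$2
    [ $(( (mask >> bit) & 1 )) -eq 1 ]
}

# caps_from_status FILE: print the CapEff mask from a /proc/<pid>/status file
caps_from_status() {
    awk '/^CapEff:/ { print $2 }' "$1"
}

# net_raw_dropped FILE: succeed if the process described by FILE has no
# CAP_NET_RAW in its effective set (i.e. the cap was dropped at launch).
net_raw_dropped() {
    ! cap_has "$(caps_from_status "$1")" "$CAP_NET_RAW_BIT"
}

# Run inside an app container to check the current shell process:
#   net_raw_dropped /proc/self/status && echo "NET_RAW dropped" || echo "NET_RAW present"
# The matching launch option on the Docker side is: docker run --cap-drop NET_RAW ...
```

The check reads only the process's own status file, so it works without any extra tooling in the image.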
@girish Thanks, might be paranoid, but the little things add up.
I think there's a genuine case in the future where if we introduce per-app admins, then app admin can access terminal of one app to see traffic (and sniff ldap/db creds) of another app. I think it's an excellent suggestion to remove it!