
gosu carries many CVE and appears unused #401

Open
jrwren opened this issue May 29, 2024 · 5 comments · May be fixed by #402

Comments

@jrwren

jrwren commented May 29, 2024

Would you be open to a patch which removes the unused gosu?

@yosifkit
Contributor

  1. gosu is not actually vulnerable to any of those CVEs: https://github.com/tianon/gosu/blob/a1f38cab3a132e996dc4972605ec91e8650d4859/SECURITY.md
  2. No, it cannot be removed since it is used in the entrypoint to step down from root when running Redis: https://github.com/docker-library/redis/blob/7487c7847c77730da6eea7cd5cfbd235eb2b6628/docker-entrypoint.sh#L11-L14

@jrwren
Author

jrwren commented May 30, 2024

I realize it isn't a real vulnerability, but it shows as a HIGH score CVE in scan tools. Millions of man-hours at workplaces all around the world have been wasted trying to document around these false-positive vulnerability scans. The gosu author refuses to make a release. An alternative is to remove gosu. Is there a reason su from util-linux or busybox can't be used instead?

@anonyknight

Can we use su-exec to achieve a similar result?

https://gist.github.com/StevenACoffman/41fee08e8782b411a4a26b9700ad7af5

@tianon
Contributor

tianon commented Jun 3, 2024

There's an outstanding parser bug in su-exec that means it falls back to silently running as root if you typo the username. It's been fixed for five years, but there hasn't been a new release in all that time. I sure wouldn't recommend it (and certainly wouldn't approve any new PRs adding it).

@jrwren
Author

jrwren commented Jun 3, 2024

Can runuser (as suggested in the su man page) work?

Aren't these equivalent?

exec gosu redis "$0" "$@" 

and

exec runuser -u redis -- "$0" "$@"

edit: ugh, never mind. Now I see runuser is from util-linux, but alpine/busybox do not have an equivalent.

edit2: maybe apk add runuser?

Even with all of the deps it is still smaller (1416kb) than gosu (2250kb).

update: never mind. The semantics of runuser are not the same as gosu: rather than exec, it does fork and exec.
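The failure mode raised in this thread (a step-down tool that quietly keeps running as root when the target username is wrong) can be guarded against in the entrypoint itself. The following is an added example, not the redis image's own docker-entrypoint.sh: it validates the target account before handing off to the step-down tool, so a typo fails closed instead of starting the server as uid 0. `STEP_DOWN_CMD` is a hypothetical variable assumed to name a tool with exec semantics (gosu by default).

```shell
#!/bin/sh
# Fail-closed privilege step-down for a container entrypoint (example code).
# A misspelled or missing account must abort startup, never fall back to root.

# Resolve a username to its numeric uid. Prints the uid; returns non-zero
# when the argument is empty or the account does not exist.
resolve_uid() {
    [ -n "$1" ] || return 1
    id -u "$1" 2>/dev/null
}

# Accept a target user only if it exists AND does not map to uid 0.
check_target_user() {
    uid=$(resolve_uid "$1") || return 1
    [ "$uid" -ne 0 ] || return 1
    return 0
}

# Step down to "$1" and exec the remaining arguments. If the account check
# fails, log and return non-zero without ever calling the step-down tool.
# STEP_DOWN_CMD (assumed) must replace the current process (exec, not fork+exec),
# which is why gosu is the default here and runuser would not be a drop-in.
step_down_and_exec() {
    user=$1
    shift
    if ! check_target_user "$user"; then
        echo "refusing to start: user '$user' is missing or maps to uid 0" >&2
        return 1
    fi
    exec "${STEP_DOWN_CMD:-gosu}" "$user" "$@"
}

# Usage inside an entrypoint, mirroring the root check the Redis image does:
#   if [ "$(id -u)" = '0' ]; then
#       step_down_and_exec redis "$0" "$@"   # never returns on success
#   fi
```

After the handoff, the server can additionally confirm `id -u` is non-zero before touching data, which catches a step-down tool that silently misbehaves.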
