mirror/archivebox
1
0
Fork 0
mirror of https://github.com/pirate/ArchiveBox.git synced 2025-08-24 15:13:03 +02:00
Code Issues Releases Wiki Activity

Updated Security Overview (markdown)

Nick Sweeting
2023-12-17 15:41:35 -08:00
parent 024a84456a
commit a4e4842bf9
1 changed files with 11 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
Security-Overview.md

@@ -42,12 +42,6 @@ If you're importing private links or authenticated content, you probably don't w
<img src="https://i.imgur.com/yDqJc4I.jpg" width="150px" align="right">
> [!TIP]
> Make sure you run Docker commands with `run` instead of `exec` or you'll get a warning! e.g.
> ✅ `docker compose run archivebox manage create superuser`
> *instead of:*
> ❌ `docker compose exec archivebox manage create superuser`
Do not run ArchiveBox as root for a number of reasons:
- Chrome will execute as root and fail immediately because Chrome sandboxing is pointless when the data directory is opened as root (do not set `CHROME_SANDBOX=False` just to bypass that error!)
- All dependencies will be run as root, if any of them have a vulnerability that's exploited by sites you're archiving you're opening yourself up to full system compromise
@@ -63,6 +57,17 @@ chown -R archivebox:archivebox /home/archivebox
sudo -u archivebox archivebox add ...
```
> [!WARNING]
> **Did you try run a command in Docker with `exec` instead of `run` by accident?**
> Make sure you use `docker run` instead of `docker exec` to run ArchiveBox commands.
> `run` automatically takes care of dropping down to the `archivebox` user within Docker e.g.
> ✅ `docker compose run archivebox manage createsuperuser`
> ✅ `docker run -it -v $PWD:/data archivebox/archivebox manage createsuperuser`
> *instead of:*
> ❌ `docker compose exec archivebox manage createsuperuser`
> ❌ `docker exec archivebox manage createsuperuser`
~~If you absolutely must run it as root for some reason, a footgun is provided: you can set [`ALLOW_ROOT=True`](https://github.com/ArchiveBox/ArchiveBox/wiki/Configuration#ALLOW_ROOT) via environment variable or in your ArchiveBox.conf file.~~ This footgun option was removed (I'm sorry, the support burden of helping people who messed up their systems by running everything as root was too high).
<img src="https://i.imgur.com/ca1he6I.png" width="40px" align="right"/>