From 9c09978ecd3673df7c3984502f0f25bfade70f26 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 28 Jan 2019 15:57:57 +0200 Subject: [PATCH] Update changelog --- CHANGELOG.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d3539962..be257ddd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,13 +4,10 @@ To improve security, this playbook no longer starts container processes as the `root` user. -Usually, most containers were dropping privileges anyway, but by the time they do that, we were trusting them with `root` privileges. +Most containers were dropping privileges anyway, but we were trusting them with `root` privileges until they would do that. Not anymore -- container processes now start as a non-root user (usually `matrix`) from the get-go. -The only images that we still start as `root` and trust to drop privileges are the optional bridge extensions (disabled by default): - -- [tulir/mautrix-telegram](https://hub.docker.com/r/tulir/mautrix-telegram) -- [tulir/mautrix-whatsapp](https://hub.docker.com/r/tulir/mautrix-whatsapp) +For additional security, various [capabilities are also dropped](https://github.com/projectatomic/atomic-site/issues/203) for all containers. ## matrix-mailer is now based on Exim, not Postfix