Recompile gosu with the Latest Go Version
How to mitigate gosu security concerns by recompiling it with a current Go toolchain, plus a multi-stage Docker build pattern to pull the binary into your own images.
gosu is a small tool for running commands as a different user — like sudo, but designed for Docker containers where you need to drop from root to a non-root user at entrypoint time. The problem: gosu was built with Go 1.18.x, a deprecated version no longer receiving vulnerability fixes.
The fix is straightforward — recompile gosu with a current Go toolchain.
Recompiling gosu
Clone the repo and update the Dockerfile to use a supported Go version:
git clone https://github.com/tianon/gosu.git
cd gosu
Open the Dockerfile and change the FROM instruction:
FROM golang:1.21.4-bookworm
Build the image:
docker build -t my-gosu-image .
Multi-stage build to copy the binary
Once you have a gosu image built with an updated Go version, use a multi-stage build to pull the binary into your actual application image:
# Stage 1: Get gosu from the image you built above
FROM my-gosu-image AS gosu
# Stage 2: Your actual build
FROM your-base-image
ARG PLATFORM
COPY --from=gosu /go/bin/gosu-${PLATFORM} /usr/local/bin/gosu
RUN chmod +x /usr/local/bin/gosu
Set PLATFORM at build time (for example with --build-arg PLATFORM=amd64) to match your target architecture: amd64, arm64, i386, etc.
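To confirm the rebuild took effect, the following added example (not part of the original post or the gosu project) reads the Go release embedded in the binary with `go version <file>` and fails if it is older than a minimum you choose. The function names are hypothetical, and it assumes docker and a Go toolchain are available on the host.

```shell
#!/bin/sh
# Added example: fail a build when the gosu binary in an image was compiled
# with a Go release older than the required minimum.

# Pull the release number out of one line of `go version <file>` output,
# e.g. "/tmp/gosu: go1.21.4" -> "1.21.4". Prints nothing if there is no match.
go_release_from_line() {
  printf '%s\n' "$1" | sed -n 's/^.*: go\([0-9][0-9.]*\).*$/\1/p'
}

# Return 0 when release $1 >= minimum $2, comparing up to three numeric
# components; a missing component counts as 0 ("1.21" equals "1.21.0").
version_at_least() {
  _have=$1 _want=$2 _n=0
  while [ "$_n" -lt 3 ]; do
    _h=${_have%%.*} _w=${_want%%.*}
    [ "${_h:-0}" -gt "${_w:-0}" ] && return 0
    [ "${_h:-0}" -lt "${_w:-0}" ] && return 1
    # Drop the leading component; an exhausted version continues as 0.
    case $_have in *.*) _have=${_have#*.} ;; *) _have=0 ;; esac
    case $_want in *.*) _want=${_want#*.} ;; *) _want=0 ;; esac
    _n=$((_n + 1))
  done
  return 0
}

# Copy the binary at path $2 out of image $1 and test it against minimum $3.
# Returns 2 when the binary cannot be extracted, 1 when it is too old.
check_gosu_in_image() {
  _tmp=$(mktemp -d) || return 2
  _cid=$(docker create "$1" true) || { rm -rf "$_tmp"; return 2; }
  docker cp "$_cid:$2" "$_tmp/gosu"; _rc=$?
  docker rm "$_cid" >/dev/null
  _line=$(go version "$_tmp/gosu" 2>/dev/null)
  rm -rf "$_tmp"
  [ "$_rc" -eq 0 ] || return 2
  _rel=$(go_release_from_line "$_line")
  [ -n "$_rel" ] && version_at_least "$_rel" "$3"
}

# Usage, with the image tag and binary path used on this page:
#   check_gosu_in_image my-gosu-image /go/bin/gosu-amd64 1.21.4 || exit 1
```

The same function works against your final application image by passing its tag and /usr/local/bin/gosu as the path.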