SECURITY: Coturn Container Exposed with Writable Filesystem, Breaking Stack-Wide Hardening
A critical security misconfiguration has left the Coturn service in a Docker stack dangerously exposed. While every other service in the deployment (including Redis, Prometheus, and Grafana) is locked down with a read-only root filesystem and scoped `tmpfs` mounts, the Coturn container runs with a fully writable filesystem. This inconsistency creates a glaring weak point and significantly increases the attack surface of the entire application infrastructure.
The vulnerability is located in the `docker-compose.yml` file between lines 249 and 298, where the Coturn service definition lacks the `read_only: true` flag and corresponding `tmpfs` mounts for directories like `/tmp` and `/var/lib/coturn`. This omission means that if the Coturn service or its underlying Alpine base image is compromised, an attacker gains the ability to write malicious files directly to the container's filesystem. This flaw not only elevates the initial risk of exploitation but also provides a potential foothold for persistence and lateral movement within the compromised environment.
The impact is rated as HIGH severity. The absence of these standard hardening measures represents a fundamental breakdown in security posture, creating an inconsistent and vulnerable entry point. The suggested fix is straightforward (add the `read_only: true` flag and the matching `tmpfs` mounts), but its absence signals a potentially systemic oversight in container security auditing for this stack, leaving it unnecessarily exposed to a well-understood class of container persistence and breakout attacks.
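The following Compose fragment is an added illustration, not the stack's actual `docker-compose.yml`: it places the unhardened service definition described above beside the hardened form the report recommends. The image name, network and port values are placeholders, and the extra `no-new-privileges` option goes slightly beyond what the report asks for; the two `tmpfs` paths are the ones the report names.

```yaml
# BEFORE (constructed example of the misconfiguration): no read_only flag,
# so the whole container filesystem is writable at runtime.
services:
  coturn-unhardened:
    image: coturn/coturn:latest        # placeholder image tag
    network_mode: host                 # placeholder; TURN usually needs many UDP ports
    command: ["-c", "/etc/coturn/turnserver.conf"]
    volumes:
      - ./turnserver.conf:/etc/coturn/turnserver.conf:ro

# AFTER (hardened form consistent with the rest of the stack):
# the root filesystem is read-only, and only the directories coturn must
# write to are backed by ephemeral tmpfs mounts, which are discarded on restart.
  coturn:
    image: coturn/coturn:latest        # placeholder image tag
    network_mode: host                 # placeholder
    command: ["-c", "/etc/coturn/turnserver.conf"]
    read_only: true                    # the missing flag from the report
    tmpfs:
      - /tmp                           # scratch space named in the report
      - /var/lib/coturn                # runtime state dir named in the report
    security_opt:
      - no-new-privileges:true         # added beyond the report: blocks setuid escalation
    volumes:
      - ./turnserver.conf:/etc/coturn/turnserver.conf:ro
```

If coturn is configured to write anywhere else (for example a pid file or log path set in `turnserver.conf`), add that path as a further `tmpfs` entry rather than reverting `read_only`. After `docker compose up`, the setting can be confirmed on the running container with `docker inspect --format '{{.HostConfig.ReadonlyRootfs}}' <container>`, which should print `true`; a quick `docker exec <container> touch /test` should then fail with a read-only filesystem error.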