Switch to appuser to avoid root (#43)

* Switch to appuser for pip install --------- Signed-off-by: Benoit Donneaux <[email protected]>
LeastAuthority · Jun 15, 2023 · 7540d75 · 7540d75
1 parent e220921
commit 7540d75
Show file tree

Hide file tree

Showing 5 changed files with 79 additions and 3 deletions.
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
@@ -44,8 +44,12 @@ jobs:
           MW_RELAY_PORT: 4001
           MW_RELAY_WS_PORT: 4200
         run: |
+          # Start the back-end with the current user ID
+          echo "MW_MAILBOX_UID=$(id -u)" >> .env
+          echo "MW_RELAY_UID=$(id -u)" >> .env
+          mkdir mailbox_database relay_database
           docker-compose -f docker-compose-back.yml up --detach
-          # Wait for the server
+          # Wait for the services
           for try in {1..3}; do
             { nc -w 3 127.0.0.1 ${MW_MAILBOX_PORT} > /dev/null 2>&1 && \
               nc -w 3 127.0.0.1 ${MW_RELAY_PORT} > /dev/null 2>&1 && \

diff --git a/docker-compose-back.yml b/docker-compose-back.yml
@@ -6,6 +6,7 @@ services:
       context: ./mailbox
     environment:
       - MW_MAILBOX_PORT=${MW_MAILBOX_PORT:-4000}
+    user: ${MW_MAILBOX_UID:-1000}
     volumes:
       - "./mailbox_database:/db"
     ports:
@@ -17,6 +18,7 @@ services:
     environment:
       - MW_RELAY_PORT=${MW_RELAY_PORT:-4001}
       - MW_RELAY_WS_PORT=${MW_RELAY_WS_PORT:-4200}
+    user: ${MW_RELAY_UID:-1000}
     volumes:
       - "./relay_database:/db"
     ports:

diff --git a/mailbox/Dockerfile b/mailbox/Dockerfile
@@ -19,6 +19,31 @@ RUN pip install \
     --upgrade \
     -r /app/requirements.txt
 
+# Parameters for default user:group
+ARG uid=1000
+ARG user=appuser
+ARG gid=1000
+ARG group=appgroup
+
+# Add group and user so the command above and its
+# output will be owned by the specified uid:gid
+# These steps will fail explicitely on conflict
+RUN getent group "${gid}" > /dev/null \
+    || groupadd -g "${gid}" "${group}"; \
+    test "$(getent group "${gid}")" = "$(getent group "${group}")" \
+    || { echo "Group name/id conflict!"; exit 1; }
+RUN id "${uid}" > /dev/null 2>&1 \
+    || useradd -md "/home/${user}" -s /bin/bash -g "${group}" -u "${uid}" "${user}"; \
+    test "$(id "${uid}")" = "$(id "${user}")" \
+    || { echo "User name/id conflict!"; exit 1; }
+
+# Prepare directories with ownership
+RUN { test -d /db || mkdir /db; } && chown -R ${user}:${group} /db
+
+# Switch to non-root user
+USER ${user}
+WORKDIR /app
+
 # Copy welcome message as file to load with newlines symbols in parameters
 # FIXME: This motd should not be shipped in this image (configured downstream)
 COPY welcome.motd /app/welcome.motd

diff --git a/relay/Dockerfile b/relay/Dockerfile
@@ -19,6 +19,31 @@ RUN pip install \
     --upgrade \
     -r /app/requirements.txt
 
+# Parameters for default user:group
+ARG uid=1000
+ARG user=appuser
+ARG gid=1000
+ARG group=appgroup
+
+# Add group and user so the command above and its
+# output will be owned by the specified uid:gid
+# These steps will fail explicitely on conflict
+RUN getent group "${gid}" > /dev/null \
+    || groupadd -g "${gid}" "${group}"; \
+    test "$(getent group "${gid}")" = "$(getent group "${group}")" \
+    || { echo "Group name/id conflict!"; exit 1; }
+RUN id "${uid}" > /dev/null 2>&1 \
+    || useradd -md "/home/${user}" -s /bin/bash -g "${group}" -u "${uid}" "${user}"; \
+    test "$(id "${uid}")" = "$(id "${user}")" \
+    || { echo "User name/id conflict!"; exit 1; }
+
+# Prepare directories with ownership
+RUN { test -d /db || mkdir /db; } && chown -R ${user}:${group} /db
+
+# Switch to non-root user
+USER ${user}
+WORKDIR /app
+
 # Default parameters and command to start
 ENV MW_RELAY_BLUR_USAGE="3600"
 ENV MW_RELAY_PROTO="tcp"

diff --git a/wormhole/Dockerfile b/wormhole/Dockerfile
@@ -16,7 +16,27 @@ RUN pip install \
     --upgrade \
     -r /app/requirements.txt
 
-# Default command to start the application
-CMD wormhole
+# Parameters for default user:group
+ARG uid=1000
+ARG user=appuser
+ARG gid=1000
+ARG group=appgroup
+
+# Add group and user so the command above and its
+# output will be owned by the specified uid:gid
+# These steps will fail explicitely on conflict
+RUN getent group "${gid}" > /dev/null \
+    || groupadd -g "${gid}" "${group}"; \
+    test "$(getent group "${gid}")" = "$(getent group "${group}")" \
+    || { echo "Group name/id conflict!"; exit 1; }
+RUN id "${uid}" > /dev/null 2>&1 \
+    || useradd -md "/home/${user}" -s /bin/bash -g "${group}" -u "${uid}" "${user}"; \
+    test "$(id "${uid}")" = "$(id "${user}")" \
+    || { echo "User name/id conflict!"; exit 1; }
 
+# Switch to non-root user
+USER ${user}
 WORKDIR /app
+
+# Default command to start the application
+CMD wormhole