Run Docker image as geoipupdate user rather than root

maxmind · May 5, 2023 · 2590cc5 · 2590cc5
1 parent d25fee9
commit 2590cc5
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,9 @@
 * Added new `--output` flag to print JSON to standard output describing
   the result of the run.
 * Compilation with Go versions before 1.19 is no longer supported.
+* When using the provided Docker images, `geoipupdate` no longer runs
+  as root in the container. Based on pull request by Andreas
+  Grünenfelder. GitHub #200.
 
 ## 5.0.4 (2023-04-17)
 

diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -2,11 +2,14 @@ FROM alpine:3
 
 RUN apk update && \
     apk add jq
+RUN adduser -D -h /var/lib/geoipupdate -u 1000 geoipupdate
 
 COPY geoipupdate /usr/bin/geoipupdate
 COPY docker/entry.sh /usr/bin/entry.sh
 COPY docker/healthcheck.sh /usr/bin/healthcheck.sh
 
 ENTRYPOINT ["/usr/bin/entry.sh"]
 HEALTHCHECK --interval=10s --timeout=10s CMD [ "/usr/bin/healthcheck.sh" ]
+USER geoipupdate
 VOLUME [ "/usr/share/GeoIP" ]
+WORKDIR /var/lib/geoipupdate
diff --git a/docker/entry.sh b/docker/entry.sh
@@ -14,7 +14,7 @@ term_handler() {
 trap 'kill ${!}; term_handler' SIGTERM
 
 pid=0
-conf_file=/etc/GeoIP.conf
+conf_file=/var/lib/geoipupdate/GeoIP.conf
 database_dir=/usr/share/GeoIP
 log_dir="/var/lib/geoipupdate"
 log_file="$log_dir/.healthcheck"