From eea99fe507f114d63b6b11ddcbdee0aed5c79412 Mon Sep 17 00:00:00 2001
From: Pierre Prinetti <pierreprinetti@redhat.com>
Date: Mon, 30 Sep 2019 10:07:14 +0200
Subject: [PATCH] docker: Run as unprivileged user

Processes in containers should not run as root.
This change creates an unprivileged user in the Docker container, and
runs the main process using that user.

References:
* https://en.wikipedia.org/wiki/Principle_of_least_privilege
* https://medium.com/@mccode/processes-in-containers-should-not-run-as-root-2feae3f0df3b
* https://www.twistlock.com/labs-blog/non-root-containers-kubernetes-cve-2019-11245-care/

Fixes https://github.com/ether/etherpad-lite/issues/3629
---
 docker/Dockerfile | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 70872a2b6..469caa23a 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -61,5 +61,16 @@ RUN for PLUGIN_NAME in ${ETHERPAD_PLUGINS}; do npm install "${PLUGIN_NAME}"; don
 #   https://stackoverflow.com/questions/31528384/conditional-copy-add-in-dockerfile#46801962
 COPY ./settings.json /opt/etherpad-lite/
 
+# Follow the principle of least privilege: run as unprivileged user.
+#
+# Running as non-root enables running this image in platforms like OpenShift
+# that do not allow images running as root.
+RUN \
+    echo 'etherpad:x:65534:65534:etherpad:/:' > /etc/passwd && \
+    echo 'etherpad:x:65534:' > /etc/group && \
+    chown -R etherpad:etherpad ./
+
+USER etherpad
+
 EXPOSE 9001
 CMD ["node", "node_modules/ep_etherpad-lite/node/server.js"]