docker: Run as unprivileged user
Processes in containers should not run as root. This change creates an unprivileged user in the Docker container, and runs the main process using that user. References: * https://en.wikipedia.org/wiki/Principle_of_least_privilege * https://medium.com/@mccode/processes-in-containers-should-not-run-as-root-2feae3f0df3b * https://www.twistlock.com/labs-blog/non-root-containers-kubernetes-cve-2019-11245-care/ Fixes https://github.com/ether/etherpad-lite/issues/3629pull/3656/head
Pierre Prinetti
muxator
parent
bf7c7241fc
commit
eea99fe507
|
|
@ -61,5 +61,16 @@ RUN for PLUGIN_NAME in ${ETHERPAD_PLUGINS}; do npm install "${PLUGIN_NAME}"; don
|
||||||
# https://stackoverflow.com/questions/31528384/conditional-copy-add-in-dockerfile#46801962
|
# https://stackoverflow.com/questions/31528384/conditional-copy-add-in-dockerfile#46801962
|
||||||
COPY ./settings.json /opt/etherpad-lite/
|
COPY ./settings.json /opt/etherpad-lite/
|
||||||
|
|
||||||
|
# Follow the principle of least privilege: run as unprivileged user.
|
||||||
|
#
|
||||||
|
# Running as non-root enables running this image in platforms like OpenShift
|
||||||
|
# that do not allow images running as root.
|
||||||
|
RUN \
|
||||||
|
echo 'etherpad:x:65534:65534:etherpad:/:' > /etc/passwd && \
|
||||||
|
echo 'etherpad:x:65534:' > /etc/group && \
|
||||||
|
chown -R etherpad:etherpad ./
|
||||||
|
|
||||||
|
USER etherpad
|
||||||
|
|
||||||
EXPOSE 9001
|
EXPOSE 9001
|
||||||
CMD ["node", "node_modules/ep_etherpad-lite/node/server.js"]
|
CMD ["node", "node_modules/ep_etherpad-lite/node/server.js"]
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue