docker: Run as unprivileged user

Processes in containers should not run as root.
This change creates an unprivileged user in the Docker container, and
runs the main process using that user.

References:
* https://en.wikipedia.org/wiki/Principle_of_least_privilege
* https://medium.com/@mccode/processes-in-containers-should-not-run-as-root-2feae3f0df3b
* https://www.twistlock.com/labs-blog/non-root-containers-kubernetes-cve-2019-11245-care/

Fixes https://github.com/ether/etherpad-lite/issues/3629
pull/3656/head
Pierre Prinetti 2019-09-30 10:07:14 +02:00 committed by muxator
parent bf7c7241fc
commit eea99fe507
1 changed files with 11 additions and 0 deletions

View File

@ -61,5 +61,16 @@ RUN for PLUGIN_NAME in ${ETHERPAD_PLUGINS}; do npm install "${PLUGIN_NAME}"; don
# https://stackoverflow.com/questions/31528384/conditional-copy-add-in-dockerfile#46801962 # https://stackoverflow.com/questions/31528384/conditional-copy-add-in-dockerfile#46801962
COPY ./settings.json /opt/etherpad-lite/ COPY ./settings.json /opt/etherpad-lite/
# Follow the principle of least privilege: run as unprivileged user.
#
# Running as non-root enables running this image in platforms like OpenShift
# that do not allow images running as root.
RUN \
echo 'etherpad:x:65534:65534:etherpad:/:' > /etc/passwd && \
echo 'etherpad:x:65534:' > /etc/group && \
chown -R etherpad:etherpad ./
USER etherpad
EXPOSE 9001 EXPOSE 9001
CMD ["node", "node_modules/ep_etherpad-lite/node/server.js"] CMD ["node", "node_modules/ep_etherpad-lite/node/server.js"]