From c890ece996c24e35c626aebceb380156316615b7 Mon Sep 17 00:00:00 2001
From: Wonderfall
Date: Sat, 17 Apr 2021 16:46:24 +0200
Subject: [PATCH] set non-root user at build-time

---
 Dockerfile | 10 ++++++++--
 rootfs/usr/local/bin/run | 14 +++----------
 2 files changed, 11 insertions(+), 13 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 5c78041..0d93809 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -91,12 +91,18 @@ RUN wget -q https://unofficial-builds.nodejs.org/download/release/v$NODE_VERSION
 # Clean
 && npm -g --force cache clean && yarn cache clean \
 && apk del build-dependencies \
-&& rm -rf /var/cache/apk/* /tmp/src
+&& rm -rf /var/cache/apk/* /tmp/src \
 
-COPY rootfs /
+# Create mastodon user \
+&& adduser -g ${GID} -u ${UID} --disabled-password --gecos "" mastodon \
+&& chown -R mastodon:mastodon /mastodon
+
+COPY --chown=mastodon:mastodon rootfs /
 
 RUN chmod +x /usr/local/bin/* /etc/s6.d/*/* /etc/s6.d/.s6-svscan/*
 
+USER mastodon
+
 VOLUME /mastodon/public/system /mastodon/log
 
 EXPOSE 3000 4000
diff --git a/rootfs/usr/local/bin/run b/rootfs/usr/local/bin/run
index f17bc79..584aa42 100644
--- a/rootfs/usr/local/bin/run
+++ b/rootfs/usr/local/bin/run
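Review bot: The new `adduser -g ${GID} -u ${UID} --disabled-password --gecos "" mastodon` line uses Debian-style adduser options, but the `apk del` in the same RUN shows this is an Alpine image whose BusyBox adduser treats `-g` as the GECOS field and does not know `--disabled-password` or `--gecos`, so the build is likely to fail or (if a shadow-style adduser happens to be installed) to create the user without the requested GID. The lines removed from the run script show the BusyBox form that honored both ids: `&& addgroup -g ${GID} mastodon \` followed by `&& adduser -h /mastodon -s /bin/sh -D -G mastodon -u ${UID} mastodon \`. The `# Create mastodon user \` comment inside the continuation is discarded by the Dockerfile parser, so its trailing backslash does nothing and only suggests it joins the lines; placing the comment above the RUN instruction would be clearer. Since UID and GID are now consumed at build time (presumably as ARGs declared earlier in the file, which this hunk does not show), the image documentation should state that they no longer take effect when passed as runtime environment variables.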
@@ -23,22 +23,14 @@ Web : /mastodon/log/web.log
 ---------------------------------------------
 "
 
-echo "Creating mastodon user..."
-addgroup -g ${GID} mastodon &>/dev/null
-adduser -h /mastodon -s /bin/sh -D -G mastodon -u ${UID} mastodon &>/dev/null
-
-echo "Updating permissions, this can take a while..."
-find /mastodon -path /mastodon/public/system -prune -o -print0 | xargs -0 chown -f mastodon:mastodon
-chown -R mastodon:mastodon /etc/s6.d
-
 if [ "$RUN_DB_MIGRATIONS" == "true" ]; then
 echo "Running database migrations task..."
-su-exec mastodon:mastodon bundle exec rake db:migrate
+bundle exec rake db:migrate
 fi
 
 echo "Executing process(es)..."
 if [ '$@' == '' ]; then
-exec su-exec mastodon:mastodon /bin/s6-svscan /etc/s6.d
+exec /bin/s6-svscan /etc/s6.d
 else
-exec su-exec mastodon:mastodon "$@"
+exec "$@"
 fi
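Review bot: The new `exec "$@"` branch is the only one ever reached, because the unchanged test `[ '$@' == '' ]` compares the literal string `$@` with an empty string and is always false; when the container is started without arguments, `exec` with no command returns 0 and the script exits instead of launching s6-svscan (unless the image's CMD always supplies arguments, which this hunk does not show). The test should be `if [ $# -eq 0 ]; then`. Dropping the `find … | xargs -0 chown` and `chown -R mastodon:mastodon /etc/s6.d` fix-up also means a `/mastodon/log` or `/mastodon/public/system` volume mounted with host ownership is no longer made writable for the now-unprivileged process; that is a reasonable trade-off for a build-time user, but the change should document that these volumes must be owned by the build-time UID/GID. The quoted banner string that closes at the top of this hunk begins outside it.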