Use sudo to drop perms to non-root

2024-08-30 18:23:09 +00:00 · 2022-03-07 01:51:25 +00:00 · 2022-03-07 01:51:25 +00:00 · 57bdeac2c2
commit 57bdeac2c2
parent cc52fdeb83
2 changed files with 29 additions and 5 deletions
--- a/4
+++ b/4
@ -8,13 +8,14 @@ LABEL maintainer="Dockerfile created by Zedifus <https://gitlab.com/zedifus>"
 ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true

 # Create non-root user & required dirs
-RUN useradd -M crafty \
+RUN useradd -g root -M crafty \
    && mkdir /commander \
    && chown -R crafty:root /commander

 # Install required system packages
 RUN apt-get update \
    && apt-get -y --no-install-recommends install \
+        sudo \
        gcc \
        python3 \
        python3-dev \
@ -38,6 +39,7 @@ RUN python3 -m venv ./.venv \
    && pip3 install --no-cache-dir --upgrade setuptools==50.3.2 pip==22.0.3 \
    && pip3 install --no-cache-dir -r requirements.txt \
    && deactivate
+USER root

 # Copy Source w/ perms & prepare default config from example
 COPY --chown=crafty:root ./ ./
--- a/docker_launcher.sh
+++ b/docker_launcher.sh
@ -2,10 +2,32 @@

 # Check if config exists from existing installation (venv or previous docker launch)
 if [ ! "$(ls -A --ignore=.gitkeep ./app/config)" ]; then
-    mkdir ./app/config/
+    echo "Wrapper | Config not found, pulling defaults..."
+    mkdir ./app/config/ 2> /dev/null
    cp -r ./app/config_original/* ./app/config/
 fi

-# Activate our prepared venv and launch crafty with provided args
-. .venv/bin/activate
-exec python3 main.py $@
+
+if [ $(id -u) -eq 0 ]; then
+    # We're running as root;
+    # Need to ensure all dirs are owned by the root group,
+    # This fixes bind mounts that may have incorrect perms.
+
+    # Look for files & dirs that require group permissions to be fixed
+    echo "Wrapper | Looking for problem bind mount permissions"
+    find . ! -group root -exec chgrp root {} \;
+    find . ! -perm g+rw -exec chmod g+rw {} \;
+    find . -type d ! -perm g+s -exec chmod g+s {} \;
+
+    # Switch user, activate our prepared venv and lauch crafty
+    args="$@"
+    echo "Wrapper | Launching crafty with [$args]"
+    exec sudo -u crafty bash -c "source ./.venv/bin/activate && exec python3 main.py $args"
+else
+    # Activate our prepared venv
+    echo "Wrapper | Non-root host detected, using normal exec"
+    . ./.venv/bin/activate
+    # Use exec as our perms are already correct
+    # This is likely if using Kubernetes/OpenShift etc
+    exec python3 main.py $@
+fi