Use sudo to drop perms to non-root

This commit is contained in:
Zedifus 2022-03-07 01:51:25 +00:00
parent cc52fdeb83
commit 57bdeac2c2
2 changed files with 29 additions and 5 deletions

View File

@ -8,13 +8,14 @@ LABEL maintainer="Dockerfile created by Zedifus <https://gitlab.com/zedifus>"
ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true
# Create non-root user & required dirs # Create non-root user & required dirs
RUN useradd -M crafty \ RUN useradd -g root -M crafty \
&& mkdir /commander \ && mkdir /commander \
&& chown -R crafty:root /commander && chown -R crafty:root /commander
# Install required system packages # Install required system packages
RUN apt-get update \ RUN apt-get update \
&& apt-get -y --no-install-recommends install \ && apt-get -y --no-install-recommends install \
sudo \
gcc \ gcc \
python3 \ python3 \
python3-dev \ python3-dev \
@ -38,6 +39,7 @@ RUN python3 -m venv ./.venv \
&& pip3 install --no-cache-dir --upgrade setuptools==50.3.2 pip==22.0.3 \ && pip3 install --no-cache-dir --upgrade setuptools==50.3.2 pip==22.0.3 \
&& pip3 install --no-cache-dir -r requirements.txt \ && pip3 install --no-cache-dir -r requirements.txt \
&& deactivate && deactivate
USER root
# Copy Source w/ perms & prepare default config from example # Copy Source w/ perms & prepare default config from example
COPY --chown=crafty:root ./ ./ COPY --chown=crafty:root ./ ./

View File

@ -2,10 +2,32 @@
# Check if config exists from existing installation (venv or previous docker launch) # Check if config exists from existing installation (venv or previous docker launch)
if [ ! "$(ls -A --ignore=.gitkeep ./app/config)" ]; then if [ ! "$(ls -A --ignore=.gitkeep ./app/config)" ]; then
mkdir ./app/config/ echo "Wrapper | Config not found, pulling defaults..."
mkdir ./app/config/ 2> /dev/null
cp -r ./app/config_original/* ./app/config/ cp -r ./app/config_original/* ./app/config/
fi fi
# Activate our prepared venv and launch crafty with provided args
. .venv/bin/activate if [ $(id -u) -eq 0 ]; then
# We're running as root;
# Need to ensure all dirs are owned by the root group,
# This fixes bind mounts that may have incorrect perms.
# Look for files & dirs that require group permissions to be fixed
echo "Wrapper | Looking for problem bind mount permissions"
find . ! -group root -exec chgrp root {} \;
find . ! -perm g+rw -exec chmod g+rw {} \;
find . -type d ! -perm g+s -exec chmod g+s {} \;
# Switch user, activate our prepared venv and lauch crafty
args="$@"
echo "Wrapper | Launching crafty with [$args]"
exec sudo -u crafty bash -c "source ./.venv/bin/activate && exec python3 main.py $args"
else
# Activate our prepared venv
echo "Wrapper | Non-root host detected, using normal exec"
. ./.venv/bin/activate
# Use exec as our perms are already correct
# This is likely if using Kubernetes/OpenShift etc
exec python3 main.py $@ exec python3 main.py $@
fi