FrederikBaerentsen/BrickTracker
5
10
Fork 6
Code Issues 12 Pull Requests 1 Actions Packages Projects 1 Releases 4 Wiki Activity

Run Docker as a non-root user #24

New Issue
Open
opened 2024-12-28 03:56:38 +01:00 by natecj · 3 comments
natecj commented 2024-12-28 03:56:38 +01:00
Copy Link

The container currently runs as root which is less than ideal from a security perspective. I believe something like the following would work. I don't have time to test this myself right now, but will try when I do if someone else has not gotten to it first.

ARG USERNAME=bricktracker
ARG USER_UID=1000
ARG USER_GID=$USER_UID

RUN groupadd -g $USER_GID $USERNAME \
    && useradd -m -u $USER_UID -g $USERNAME $USERNAME \
    && chown -R $USER_UID:$USER_GID /app

USER $USERNAME

On a similar note, you could make the HTTP port an environment variable so it can also be overridden:

ENV HTTP_PORT=3333

EXPOSE $HTTP_PORT

CMD ["gunicorn","--bind","0.0.0.0:$HTTP_PORT","app:app","--worker-class","eventlet"]
The container currently runs as root which is less than ideal from a security perspective. I believe something like the following would work. I don't have time to test this myself right now, but will try when I do if someone else has not gotten to it first. ``` ARG USERNAME=bricktracker ARG USER_UID=1000 ARG USER_GID=$USER_UID RUN groupadd -g $USER_GID $USERNAME \ && useradd -m -u $USER_UID -g $USERNAME $USERNAME \ && chown -R $USER_UID:$USER_GID /app USER $USERNAME ``` On a similar note, you could make the HTTP port an environment variable so it can also be overridden: ``` ENV HTTP_PORT=3333 EXPOSE $HTTP_PORT CMD ["gunicorn","--bind","0.0.0.0:$HTTP_PORT","app:app","--worker-class","eventlet"] ```
FrederikBaerentsen added the
Kind/Security
Priority
Low
 labels 2024-12-28 10:01:22 +01:00
FrederikBaerentsen commented 2024-12-28 10:02:00 +01:00
Owner
Copy Link

I agree but this is very low priority for me. This app is meant for local deployment and is not production ready.

I agree but this is very low priority for me. This app is meant for local deployment and is not production ready.
FrederikBaerentsen added this to the General Improvements project 2024-12-29 16:44:01 +01:00
natecj commented 2024-12-30 03:16:21 +01:00
Author
Copy Link

I tested the user changes above and it appears to work without issue and was going to share a PR, but I can't seem to figure out authenticating when I try to push the changes. I'll try again later and hopefully figure it out when I'm not so tired.

I tested the user changes above and it appears to work without issue and was going to share a PR, but I can't seem to figure out authenticating when I try to push the changes. I'll try again later and hopefully figure it out when I'm not so tired.
FrederikBaerentsen commented 2024-12-30 08:38:49 +01:00
Owner
Copy Link

If you could do a PR that would be great. Got to make sure the existing assets will work after the change to rootless. Especially images, and instructions uploaded while the container is root.

If you could do a PR that would be great. Got to make sure the existing assets will work after the change to rootless. Especially images, and instructions uploaded while the container is root.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
Compat/Breaking
Breaking change that won't be backward compatible
Kind/Bug
Something is not working
Kind/Documentation
Documentation changes
Kind/Enhancement
Improve existing functionality
Kind/Feature
New functionality
Kind/Security
This is security issue
Kind/Testing
Issue or pull request related to testing
Priority
Critical
The priority is critical
Priority
High
The priority is high
Priority
Low
The priority is low
Priority
Medium
The priority is medium
Reviewed
Confirmed
Issue has been confirmed
Reviewed
Duplicate
This issue or pull request already exists
Reviewed
Invalid
Invalid issue
Reviewed
Won't Fix
This issue won't be fixed
Status
Abandoned
Somebody has started to work on this but abandoned work
Status
Blocked
Something is blocking this issue or pull request
Status
Need More Info
Feedback is required to reproduce issue or to continue work
Unraid
Unsupported/Can't help
No Label
Kind/Security
Priority
Low
Milestone
No items
No Milestone
Projects
Clear projects
No project General Improvements
Assignees
Clear assignees
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: FrederikBaerentsen/BrickTracker#24
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?