Run Docker as a non-root user #24

Open
opened 2024-12-28 03:56:38 +01:00 by natecj · 3 comments

The container currently runs as root which is less than ideal from a security perspective. I believe something like the following would work. I don't have time to test this myself right now, but will try when I do if someone else has not gotten to it first.

```
ARG USERNAME=bricktracker
ARG USER_UID=1000
ARG USER_GID=$USER_UID

RUN groupadd -g $USER_GID $USERNAME \
    && useradd -m -u $USER_UID -g $USERNAME $USERNAME \
    && chown -R $USER_UID:$USER_GID /app

USER $USERNAME
```

On a similar note, you could make the HTTP port an environment variable so it can also be overridden:

```
ENV HTTP_PORT=3333

EXPOSE $HTTP_PORT

# Exec-form CMD does not expand environment variables, so the port has to be
# resolved through a shell for the override to take effect; exec keeps gunicorn
# as PID 1 so it still receives container signals.
CMD ["sh", "-c", "exec gunicorn --bind 0.0.0.0:${HTTP_PORT} app:app --worker-class eventlet"]
```
FrederikBaerentsen added the Kind/Security and Priority/Low labels 2024-12-28 10:01:22 +01:00

I agree, but this is very low priority for me. This app is meant for local deployment and is not production ready.

FrederikBaerentsen added this to the General Improvements project 2024-12-29 16:44:01 +01:00
Author

I tested the user changes above and it appears to work without issue and was going to share a PR, but I can't seem to figure out authenticating when I try to push the changes. I'll try again later and hopefully figure it out when I'm not so tired.


If you could do a PR that would be great. Got to make sure the existing assets will work after the change to rootless. Especially images, and instructions uploaded while the container is root.

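The concern above is exactly what a `chown -R /app` in the image cannot fix: images and instructions live in a volume that is populated at run time, and files created there while the container ran as root stay owned by root after the switch. As an added example, not code from the bricktracker project, here is a small POSIX shell helper that checks a data directory for paths the rootless user cannot own and repairs them; it assumes a find(1) whose -user/-group predicates accept numeric ids (GNU and busybox both do), a hypothetical `DATA_DIR` holding the uploaded assets, and the 1000:1000 defaults proposed in the issue.

```shell
#!/bin/sh
# Added example, not part of the bricktracker project. Assumes a find(1) whose
# -user/-group predicates accept numeric ids (GNU and busybox both do), and a
# hypothetical DATA_DIR holding the uploaded images/instructions. 1000:1000 are
# the USER_UID/USER_GID defaults proposed in the issue.

# Print every path under $1 whose owner is not uid $2 or whose group is not gid $3.
find_foreign_owned() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print
}

# Number of such paths; 0 means the tree is fully usable by the rootless user.
count_foreign_owned() {
    find_foreign_owned "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Chown only the mismatched paths, so an already-migrated volume is left alone.
# Needs root (or ownership of the files), e.g. run once from the host before
# the first start of the rootless image.
fix_ownership() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -exec chown "$2:$3" {} +
}

# Start-up guard for an entrypoint: refuse to run with assets the app cannot
# write, instead of failing later on the first upload or thumbnail write.
assert_ownership() {
    n=$(count_foreign_owned "$1" "$2" "$3")
    if [ "$n" -ne 0 ]; then
        echo "error: $n path(s) under $1 not owned by $2:$3; run fix_ownership first" >&2
        return 1
    fi
}

# Only act when DATA_DIR is set, so the functions can be sourced without side effects.
if [ -n "${DATA_DIR-}" ]; then
    assert_ownership "$DATA_DIR" "${USER_UID-1000}" "${USER_GID-1000}"
fi
```

Running `fix_ownership` once against the volume before the first start of the rootless image, and `assert_ownership` from the entrypoint afterwards, turns a silent permission failure on upload into an explicit start-up error.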