From 294c31d19e0832503a163db894d9bc00fa949a5f Mon Sep 17 00:00:00 2001
From: Asif Bacchus
Date: Thu, 7 Jan 2021 07:03:57 -0700
Subject: [PATCH] feature(DOCKERFILE): run as limited user

- remove ability to specify username
- hardcode username to www-docker
- run as www-docker

---
 build/Dockerfile | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/build/Dockerfile b/build/Dockerfile
index c35eaa2..6c4199d 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -1,19 +1,18 @@
 FROM nginx:mainline-alpine
 
 # default username and uid for nginx user
-ARG USER=www-docker
 ARG UID=8001
 
 # create nginx user
-RUN addgroup --gid ${UID} ${USER} \
+RUN addgroup --gid ${UID} www-docker \
     && adduser \
         --disabled-password \
         --gecos 'nginx docker system user' \
         --home '/usr/share/nginx/html' \
-        --ingroup ${USER} \
+        --ingroup www-docker \
         --no-create-home \
         --uid ${UID} \
-        ${USER}
+        www-docker
 
 # add nano, fun error pages & LetsEncrypt challenge directory outside webroot
 RUN apk --no-cache add nano \
@@ -49,13 +48,14 @@ COPY webroot /usr/share/nginx/html/
 # expose ports
 EXPOSE 80 443
 
-# clean-up permissions
+# clean-up permissions and run as nginx user
 RUN chown -R ${USER}:${USER} /usr/share/nginx/html \
     && find /usr/share/nginx/html -type d -exec chmod 775 {} \; \
     && find /usr/share/nginx/html -type f -exec chmod 664 {} \; \
     && chown -R ${USER}:${USER} /etc/nginx \
     && find /etc/nginx -type d -exec chmod 770 {} \; \
     && find /etc/nginx -type f -exec chmod 660 {} \;
+USER www-docker
 
 # default environment variables
 ENV TZ=Etc/UTC
@@ -75,7 +75,7 @@ CMD [ "nginx", "-g", "daemon off;" ]
 # add build date and version labels
 ARG BUILD_DATE
 LABEL org.opencontainers.image.version="1.19.6"
-LABEL app.asifbacchus.docker.internalVersion="3.0"
+LABEL app.asifbacchus.docker.internalVersion="3.1"
 LABEL org.opencontainers.image.created=${BUILD_DATE}
 
 #EOF
\ No newline at end of file
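Review bot: The two `chown -R ${USER}:${USER}` context lines in the second hunk still reference `USER`, but the first hunk removed `ARG USER=www-docker`, so at build time the shell now expands `${USER}` to whatever the RUN environment happens to hold (normally nothing) and neither the webroot nor /etc/nginx is actually handed to www-docker. Combined with the following `chmod 770`/`660` on /etc/nginx, the new `USER www-docker` step then leaves nginx unable to read its own configuration, so the image is likely to fail at start-up. Hardcode the name to match the rest of the commit: `RUN chown -R www-docker:www-docker /usr/share/nginx/html \` and `&& chown -R www-docker:www-docker /etc/nginx \`. Separately, the image still declares `EXPOSE 80 443`; as a non-root user nginx can only bind those if the listen ports in the config (outside this diff) are unprivileged or the binary carries cap_net_bind_service, and the pid/cache paths under /var/run and /var/cache/nginx must be writable by www-docker — worth confirming before tagging internalVersion 3.1.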