From eb94d04c79334a459faba233253f2eed546394e6 Mon Sep 17 00:00:00 2001
From: FL42 <46161216+fl42@users.noreply.github.com>
Date: Sun, 22 Nov 2020 14:16:06 +0100
Subject: [PATCH 1/5] fix: run api as signal-api user, fix permissions on startup

---
 Dockerfile | 6 +++++-
 entrypoint.sh | 10 ++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100755 entrypoint.sh

diff --git a/Dockerfile b/Dockerfile
index 31b777f..e6ebcfb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -41,8 +41,12 @@ RUN cd /tmp/signal-cli-rest-api-src && swag init && go build
 # Start a fresh container for release container
 FROM adoptopenjdk:11-jre-hotspot
+RUN groupadd -g 1000 signal-api \
+ && useradd -M -d /home -s /bin/bash -u 1000 -g 1000 signal-api
+
 COPY --from=buildcontainer /tmp/signal-cli-rest-api-src/signal-cli-rest-api /usr/bin/signal-cli-rest-api
 COPY --from=buildcontainer /tmp/signal-cli /opt/signal-cli
+COPY entrypoint.sh /entrypoint.sh
 RUN ln -s /opt/signal-cli/bin/signal-cli /usr/bin/signal-cli
 RUN mkdir -p /signal-cli-config/
@@ -50,4 +54,4 @@ RUN mkdir -p /home/.local/share/signal-cli
 EXPOSE 8080
-ENTRYPOINT ["signal-cli-rest-api"]
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100755
index 0000000..cc6b4da
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -x
+set -e
+
+# Fix permissions to ensure backward compatibility
+chown 1000:1000 -R /home/.local/share/signal-cli
+
+# Start API
+exec su -s /bin/sh -c "exec signal-cli-rest-api" signal-api

From 486f47995fe2200a319cb8ccf5ba8cfa30703936 Mon Sep 17 00:00:00 2001
From: FL42 <46161216+fl42@users.noreply.github.com>
Date: Fri, 27 Nov 2020 22:29:45 +0100
Subject: [PATCH 2/5] refactor: use one RUN statement

---
 Dockerfile | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index e6ebcfb..549fa9f 100644
--- a/Dockerfile
+++ b/Dockerfile
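Review bot: The new service account gets an interactive login shell, `-s /bin/bash`, which an account whose only job is to run `signal-cli-rest-api` does not need; `-s /usr/sbin/nologin` is the usual hardening, and an operator can still enter the account with `su -s /bin/sh signal-api`. The numeric 1000 is now hard-coded three times across two files (`groupadd -g 1000`, `useradd -u 1000 -g 1000`, and `chown 1000:1000` in the entrypoint), so a comment on the `RUN` such as `# uid/gid 1000 must match the chown in entrypoint.sh` would keep them from drifting. `-d /home` also makes the account's home the shared, root-owned `/home` itself, which `-M` does not create or chown; if that is deliberate because signal-cli's data is expected under `/home/.local/share/signal-cli`, say so in a comment.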
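Review bot: `chown 1000:1000 -R /home/.local/share/signal-cli` runs as root on every start, and under `set -e` any failure aborts the container: the path is normally a bind mount or volume, which may be read-only or owned by a user the container cannot change, and the only diagnostic is the `set -x` trace. Guard it so it runs only when needed and the reason is visible, e.g. `[ "$(stat -c %u /home/.local/share/signal-cli)" = 1000 ] || chown -R 1000:1000 /home/.local/share/signal-cli || echo "WARN: could not fix ownership of signal-cli data" >&2` (GNU `stat` assumed; verify in the base image). `set -x` also echoes every command to stderr, which is harmless for these two lines but will print whatever arguments are later forwarded to the API, so consider removing it once the script is stable.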
@@ -41,16 +41,15 @@ RUN cd /tmp/signal-cli-rest-api-src && swag init && go build
 # Start a fresh container for release container
 FROM adoptopenjdk:11-jre-hotspot
-RUN groupadd -g 1000 signal-api \
- && useradd -M -d /home -s /bin/bash -u 1000 -g 1000 signal-api
-
 COPY --from=buildcontainer /tmp/signal-cli-rest-api-src/signal-cli-rest-api /usr/bin/signal-cli-rest-api
 COPY --from=buildcontainer /tmp/signal-cli /opt/signal-cli
 COPY entrypoint.sh /entrypoint.sh
-RUN ln -s /opt/signal-cli/bin/signal-cli /usr/bin/signal-cli
-RUN mkdir -p /signal-cli-config/
-RUN mkdir -p /home/.local/share/signal-cli
+RUN groupadd -g 1000 signal-api \
+ && useradd -M -d /home -s /bin/bash -u 1000 -g 1000 signal-api \
+ && ln -s /opt/signal-cli/bin/signal-cli /usr/bin/signal-cli \
+ && mkdir -p /signal-cli-config/ \
+ && mkdir -p /home/.local/share/signal-cli
 EXPOSE 8080

From 48448cdca1da1e9f11b3c0333aecaf414f94c141 Mon Sep 17 00:00:00 2001
From: FL42 <46161216+fl42@users.noreply.github.com>
Date: Fri, 27 Nov 2020 22:29:59 +0100
Subject: [PATCH 3/5] feat: show warning when exec in container

---
 entrypoint.sh | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/entrypoint.sh b/entrypoint.sh
index cc6b4da..a596994 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -6,5 +6,11 @@ set -e
 # Fix permissions to ensure backward compatibility
 chown 1000:1000 -R /home/.local/share/signal-cli
-# Start API
+# Show warning on docker exec
+cat <> /root/.bashrc
+echo "WARNING: signal-cli-rest-api runs as signal-api (not as root!)"
+echo "Run 'su signal-api' before using signal-cli!"
+EOF
+
+# Start API as signal-api user
 exec su -s /bin/sh -c "exec signal-cli-rest-api" signal-api

From 8d3e11941e714e3010f8bfbe7a6574959d738341 Mon Sep 17 00:00:00 2001
From: FL42 <46161216+fl42@users.noreply.github.com>
Date: Fri, 27 Nov 2020 22:32:53 +0100
Subject: [PATCH 4/5] fix: propagate args

---
 entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
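Review bot: The merged `RUN` still creates `/signal-cli-config/` and `/home/.local/share/signal-cli` owned by root while the service runs as uid 1000, so a fresh container works only because the entrypoint chowns the data directory at runtime, and `/signal-cli-config/` is never chowned at all; if the API writes there as signal-api (not visible in this hunk) it will fail with a permission error. Append `&& chown -R 1000:1000 /signal-cli-config /home/.local` to the same `RUN` so the image is correct on its own and the runtime chown only has to repair pre-existing volumes. The final stage has no `USER` instruction because privilege is dropped in the entrypoint; a comment above the `ENTRYPOINT` line (outside this hunk) such as `# no USER: entrypoint.sh fixes volume ownership as root, then drops to signal-api` would stop reviewers and linters from flagging it.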
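Review bot: The heredoc is appended to `/root/.bashrc` with `>>` on every container start, so each restart adds another copy of the two `echo` lines; either make it idempotent, `grep -q 'WARNING: signal-cli-rest-api' /root/.bashrc || cat <<EOF >> /root/.bashrc`, or move it into the Dockerfile as a build-time `RUN`, where static image content belongs. The line renders here as `cat <> /root/.bashrc`, which looks like `cat <<EOF >> /root/.bashrc` with the redirection lost in rendering; if the committed text really is `cat <>`, sh opens `.bashrc` read-write on stdin and prints it, then runs the two `echo` lines as commands and fails on `EOF`, which `set -e` turns into a startup abort, so please confirm the file. The warning only fires for interactive bash sessions; `docker exec <container> signal-cli ...` still runs as root silently, which the `# Show warning on docker exec` comment should mention.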
diff --git a/entrypoint.sh b/entrypoint.sh
index a596994..fbae9e3 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -13,4 +13,4 @@ echo "Run 'su signal-api' before using signal-cli!"
 EOF
 # Start API as signal-api user
-exec su -s /bin/sh -c "exec signal-cli-rest-api" signal-api
+exec su -s /bin/sh -c "exec signal-cli-rest-api $@" signal-api

From cce3f4772267e8de1b83f0779c4ed3a07deb4f3f Mon Sep 17 00:00:00 2001
From: FL42 <46161216+fl42@users.noreply.github.com>
Date: Fri, 27 Nov 2020 23:31:48 +0100
Subject: [PATCH 5/5] refactor: use setpriv instead of su

---
 entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/entrypoint.sh b/entrypoint.sh
index fbae9e3..1439eb8 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -13,4 +13,4 @@ echo "Run 'su signal-api' before using signal-cli!"
 EOF
 # Start API as signal-api user
-exec su -s /bin/sh -c "exec signal-cli-rest-api $@" signal-api
+exec setpriv --reuid=1000 --regid=1000 --init-groups --inh-caps=-all signal-cli-rest-api $@
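Review bot: Interpolating `$@` into the double-quoted `-c` string makes the inner `/bin/sh` re-parse the container arguments, so any argument containing spaces, quotes, `$`, `;` or glob characters is split or interpreted instead of being passed through, and `docker run ... --flag 'a b'` does not reach `signal-cli-rest-api` as one argument. Pass them as positional parameters instead: `exec su -s /bin/sh -c 'exec signal-cli-rest-api "$@"' signal-api -- sh "$@"` (with util-linux `su`, extra arguments follow `-c command`, so the first one becomes the inner shell's `$0`, hence the `sh`; verify against the `su` shipped in the base image). The `--` also prevents a forwarded argument that begins with `-` from being read as a `su` option.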
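Review bot: `$@` is still unquoted on the new line, so arguments containing spaces or glob characters are word-split and expanded before `setpriv` sees them; it should read `signal-cli-rest-api "$@"`. Unlike `su`, `setpriv` leaves the environment untouched, so the API inherits the root entrypoint's `HOME` (Docker sets it to `/root` by default); if `signal-cli` resolves its data directory from `$HOME` rather than an explicit config path, it will now look under `/root/.local/share/signal-cli` instead of the chowned `/home/.local/share/signal-cli`, so either confirm the API always passes the path or set it explicitly, `exec setpriv --reuid=1000 --regid=1000 --init-groups --inh-caps=-all env HOME=/home signal-cli-rest-api "$@"`. `--inh-caps=-all` clears only the inheritable set; adding `--bounding-set=-all --no-new-privs` (both util-linux setpriv options; check the version in the base image) also empties the bounding set and stops setuid binaries such as `su` from regaining privilege from inside the API process.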