mirrors/etherpad-lite
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-04-25 01:46:14 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

docker: Run as unprivileged user

Browse source 
Processes in containers should not run as root.
This change creates an unprivileged user in the Docker container, and
runs the main process using that user.

References:
* https://en.wikipedia.org/wiki/Principle_of_least_privilege
* https://medium.com/@mccode/processes-in-containers-should-not-run-as-root-2feae3f0df3b
* https://www.twistlock.com/labs-blog/non-root-containers-kubernetes-cve-2019-11245-care/

Fixes https://github.com/ether/etherpad-lite/issues/3629
This commit is contained in:
Pierre Prinetti 2019-09-30 10:07:14 +02:00 committed by muxator
parent bf7c7241fc
commit eea99fe507
1 changed files with 11 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

11
docker/Dockerfile
View file

@ -61,5 +61,16 @@ RUN for PLUGIN_NAME in ${ETHERPAD_PLUGINS}; do npm install "${PLUGIN_NAME}"; don
# https://stackoverflow.com/questions/31528384/conditional-copy-add-in-dockerfile#46801962 # https://stackoverflow.com/questions/31528384/conditional-copy-add-in-dockerfile#46801962
COPY ./settings.json /opt/etherpad-lite/ COPY ./settings.json /opt/etherpad-lite/
# Follow the principle of least privilege: run as unprivileged user.
#
# Running as non-root enables running this image in platforms like OpenShift
# that do not allow images running as root.
RUN \
echo 'etherpad:x:65534:65534:etherpad:/:' > /etc/passwd && \
echo 'etherpad:x:65534:' > /etc/group && \
chown -R etherpad:etherpad ./
USER etherpad
EXPOSE 9001 EXPOSE 9001
CMD ["node", "node_modules/ep_etherpad-lite/node/server.js"] CMD ["node", "node_modules/ep_etherpad-lite/node/server.js"]