don't run rt as root user

netsandbox · Jan 7, 2025 · 8dffba7 · 8dffba7
1 parent b4de5b9
commit 8dffba7
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 5 deletions.
diff --git a/4.4/Dockerfile b/4.4/Dockerfile
@@ -8,6 +8,8 @@ LABEL org.opencontainers.image.authors="Christian Loos <[email protected]>"
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
+RUN groupadd --gid 1000 --system rt && useradd --uid 1000 --gid rt --system --home-dir /opt/rt rt
+
 WORKDIR /usr/local/src
 
 # hadolint ignore=DL3003,SC2174
@@ -33,7 +35,8 @@ RUN curl -fsSL -o rt.tar.gz https://download.bestpractical.com/pub/rt/release/rt
   && make install \
   && mkdir --mode=0600 --parents /opt/rt/var/data/{gpg,smime} \
   && make initialize-database \
-  && cd .. && rm -rf /usr/local/src/*
+  && cd .. && rm -rf /usr/local/src/* \
+  && chown -R rt:rt /opt/rt
 
 WORKDIR /opt/rt
 COPY RT_SiteConfig.pm etc/
@@ -43,5 +46,7 @@ VOLUME /opt/rt
 COPY docker-entrypoint.sh /usr/local/bin/
 ENTRYPOINT ["docker-entrypoint.sh"]
 
+USER rt
+
 EXPOSE 80
 CMD ["/opt/rt/sbin/rt-server"]
diff --git a/5.0/Dockerfile b/5.0/Dockerfile
@@ -8,6 +8,8 @@ LABEL org.opencontainers.image.authors="Christian Loos <[email protected]>"
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
+RUN groupadd --gid 1000 --system rt && useradd --uid 1000 --gid rt --system --home-dir /opt/rt rt
+
 WORKDIR /usr/local/src
 
 # hadolint ignore=DL3003,SC2174
@@ -33,7 +35,8 @@ RUN curl -fsSL -o rt.tar.gz https://download.bestpractical.com/pub/rt/release/rt
   && make install \
   && mkdir --mode=0600 --parents /opt/rt/var/data/{gpg,smime} \
   && make initialize-database \
-  && cd .. && rm -rf /usr/local/src/*
+  && cd .. && rm -rf /usr/local/src/* \
+  && chown -R rt:rt /opt/rt
 
 WORKDIR /opt/rt
 COPY RT_SiteConfig.pm etc/
@@ -43,5 +46,7 @@ VOLUME /opt/rt
 COPY docker-entrypoint.sh /usr/local/bin/
 ENTRYPOINT ["docker-entrypoint.sh"]
 
+USER rt
+
 EXPOSE 80
 CMD ["/opt/rt/sbin/rt-server"]
diff --git a/Dockerfile.template b/Dockerfile.template
@@ -8,6 +8,8 @@ LABEL org.opencontainers.image.authors="Christian Loos <[email protected]>"
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
+RUN groupadd --gid 1000 --system rt && useradd --uid 1000 --gid rt --system --home-dir /opt/rt rt
+
 WORKDIR /usr/local/src
 
 # hadolint ignore=DL3003,SC2174
@@ -35,7 +37,8 @@ RUN curl -fsSL -o rt.tar.gz %%RT_URL%% \
   && make install \
   && mkdir --mode=0600 --parents /opt/rt/var/data/{gpg,smime} \
   && make initialize-database \
-  && cd .. && rm -rf /usr/local/src/*
+  && cd .. && rm -rf /usr/local/src/* \
+  && chown -R rt:rt /opt/rt
 
 WORKDIR /opt/rt
 COPY RT_SiteConfig.pm etc/
@@ -45,5 +48,7 @@ VOLUME /opt/rt
 COPY docker-entrypoint.sh /usr/local/bin/
 ENTRYPOINT ["docker-entrypoint.sh"]
 
+USER rt
+
 EXPOSE 80
 CMD ["/opt/rt/sbin/rt-server"]
diff --git a/master/Dockerfile b/master/Dockerfile
@@ -8,6 +8,8 @@ LABEL org.opencontainers.image.authors="Christian Loos <[email protected]>"
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
+RUN groupadd --gid 1000 --system rt && useradd --uid 1000 --gid rt --system --home-dir /opt/rt rt
+
 WORKDIR /usr/local/src
 
 # hadolint ignore=DL3003,SC2174
@@ -35,7 +37,8 @@ RUN curl -fsSL -o rt.tar.gz https://github.com/bestpractical/rt/archive/refs/hea
   && make install \
   && mkdir --mode=0600 --parents /opt/rt/var/data/{gpg,smime} \
   && make initialize-database \
-  && cd .. && rm -rf /usr/local/src/*
+  && cd .. && rm -rf /usr/local/src/* \
+  && chown -R rt:rt /opt/rt
 
 WORKDIR /opt/rt
 COPY RT_SiteConfig.pm etc/
@@ -45,5 +48,7 @@ VOLUME /opt/rt
 COPY docker-entrypoint.sh /usr/local/bin/
 ENTRYPOINT ["docker-entrypoint.sh"]
 
+USER rt
+
 EXPOSE 80
 CMD ["/opt/rt/sbin/rt-server"]
diff --git a/stable/Dockerfile b/stable/Dockerfile
@@ -8,6 +8,8 @@ LABEL org.opencontainers.image.authors="Christian Loos <[email protected]>"
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
+RUN groupadd --gid 1000 --system rt && useradd --uid 1000 --gid rt --system --home-dir /opt/rt rt
+
 WORKDIR /usr/local/src
 
 # hadolint ignore=DL3003,SC2174
@@ -35,7 +37,8 @@ RUN curl -fsSL -o rt.tar.gz https://github.com/bestpractical/rt/archive/refs/hea
   && make install \
   && mkdir --mode=0600 --parents /opt/rt/var/data/{gpg,smime} \
   && make initialize-database \
-  && cd .. && rm -rf /usr/local/src/*
+  && cd .. && rm -rf /usr/local/src/* \
+  && chown -R rt:rt /opt/rt
 
 WORKDIR /opt/rt
 COPY RT_SiteConfig.pm etc/
@@ -45,5 +48,7 @@ VOLUME /opt/rt
 COPY docker-entrypoint.sh /usr/local/bin/
 ENTRYPOINT ["docker-entrypoint.sh"]
 
+USER rt
+
 EXPOSE 80
 CMD ["/opt/rt/sbin/rt-server"]