non-root for mapserver, mapserver-private & jwt-proxy (#592)

* add datapunt user & chown * revert dockerfile edits * add datapunt user & chown * debug perms * debug perms * debug perms * debug perms * debug perms * debug perms * debug perms * debug perms * debug perms * debug perms * debug perms * debug perms * debug perms * debug perms * debug perms * debug perms * debug perms * debug perms * debug perms * debug apache * debug apache * debug apache * debug apache * debug apache * debug apache * debug apache * debug apache * debug apache * set mapserver containerPort to 8080 * debug apache * debug apache * debug Dockerfile.private non-root * debug Dockerfile.private non-root * debug Dockerfile.private non-root * debug vhost port sed to 8080 * debug vhost port sed to 8080 * debug vhost port sed to 8080 * cleanup * cleanup * cleanup * jwt-proxy non-root supervisord
Amsterdam · Sep 4, 2024 · 9caf75f · 9caf75f
1 parent 1417c6c
commit 9caf75f
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 7 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -25,10 +25,18 @@ RUN rm /etc/apache2/mods-enabled/alias.conf
 COPY docker/000-default.conf /etc/apache2/sites-available/
 COPY docker/docker-entrypoint.sh /bin
 
-COPY . /srv/mapserver/
-RUN rm -rf /srv/mapserver/private
+COPY . /srv/mapserver/ 
 COPY epsg /usr/share/proj
 
-EXPOSE 80
+# set apache user id matching ctr user id
+RUN usermod --non-unique --uid 999 www-data
+RUN groupmod -o -g 999 www-data
+RUN mkdir /var/lock/apache2 && mkdir /var/run/apache2 
+RUN chown -R 999:999 /var/lock/apache2 && chown -R 999:999 /var/run/apache2 && chown -R 999:999 /var/log/apache2/
+RUN chown -R 999:999 /srv/ && chown -R 999:999 /etc/apache2/
+RUN rm -rf /srv/mapserver/private
+
+EXPOSE 8080
 
+USER www-data
 CMD /bin/docker-entrypoint.sh
diff --git a/Dockerfile.private b/Dockerfile.private
@@ -4,9 +4,12 @@ FROM ${BASE_IMAGE}
 
 # used by make_mapfile_config.py to include private mapfiles in sld config
 ENV ACCESS_SCOPE private
-
+USER root
 # Copy private mapfiles into the root dir so they will be served
 # Any maps that have a public and private variety will serve the
 # private variety.
 RUN rm -rf /srv/mapserver/private
 COPY /private/ /srv/mapserver/
+RUN chown -R 999:999 /srv/ && chown -R 999:999 /etc/apache2/
+USER www-data
+
diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh
@@ -20,8 +20,6 @@ DATASERVICES_DB_PASSWORD_PATH=${DATASERVICES_DB_PASSWORD_PATH:-'/mnt/secrets-sto
 
 echo Creating configuration files
 
-mkdir -p /srv/mapserver/connection
-
 cat > /srv/mapserver/connection/panorama.inc <<EOF
 CONNECTIONTYPE postgis
 CONNECTION "host=${PANORAMA_DB_HOST} dbname=${PANORAMA_DB_NAME} user=${PANORAMA_DB_USER} password=$(cat ${PANORAMA_DB_PASSWORD_PATH}) port=${PANORAMA_DB_PORT}"
@@ -47,6 +45,9 @@ EOF
 #      https://serverfault.com/questions/711168/writing-apache2-logs-to-stdout-stderr
 sed -i 's/ErrorLog .*/ErrorLog \/dev\/stderr/' /etc/apache2/apache2.conf
 sed -i 's/Timeout 300/Timeout 600/' /etc/apache2/apache2.conf
+# set listen port to non-privileged port
+sed -i '0,/Listen [0-9]*/s//Listen 8080/' /etc/apache2/ports.conf
+sed -i s/\<VirtualHost.*/\<VirtualHost\ \*\:8080\>/ /etc/apache2/sites-enabled/000-default.conf
 
 # Replace actual location of the mapserver depending on the environment   
 shopt -s globstar nullglob

diff --git a/jwtproxy/Dockerfile.prd b/jwtproxy/Dockerfile.prd
@@ -6,7 +6,14 @@ WORKDIR /app
 COPY src jwtproxy 
 COPY requirements.txt .
 
+RUN usermod --non-unique --uid 999 proxy
+RUN groupmod -o -g 999 proxy
+RUN chown -R 999:999 /app
+
 RUN pip install supervisor
 RUN pip install -r requirements.txt
+
 EXPOSE 8000
+
+USER proxy
 ENTRYPOINT [ "/bin/sh", "-c", "/usr/local/bin/supervisord -n"]
diff --git a/jwtproxy/supervisord.conf b/jwtproxy/supervisord.conf
@@ -2,7 +2,7 @@
 loglevel = debug ; when set to debug, supervisord will include stderr/stdout of child processes
 logfile = /dev/stdout
 logfile_maxbytes = 0
-user=root
+user=proxy
 
 [unix_http_server]
 file = /tmp/supervisord.sock