From d1fc79dfaa3b320705e4571f8f599343b2b533ee Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Thu, 2 Jan 2025 16:58:05 +0000 Subject: [PATCH] Docker: run as non-root --- Dockerfile | 16 +++++++++++++++- docs/install.md | 6 ++++++ 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 3cab540bb77..c10e525c37e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # Builder -FROM --platform=$BUILDPLATFORM node:22-bullseye as builder +FROM --platform=$BUILDPLATFORM node:22-bullseye AS builder # Support custom branch of the js-sdk. This also helps us build images of element-web develop. ARG USE_CUSTOM_SDKS=false @@ -25,8 +25,22 @@ COPY --from=builder /src/webapp /app # through `envsubst` by the nginx docker image entry point. COPY /docker/nginx-templates/* /etc/nginx/templates/ +# Override main nginx config, to make it suitable for use with non-root user +RUN sed -i \ + -e '/user *nginx;/d' \ + -e 's,/var/run/nginx.pid,/tmp/nginx.pid,' \ + -e "/^http {/a \ proxy_temp_path /tmp/proxy_temp;\n client_body_temp_path /tmp/client_temp;\n fastcgi_temp_path /tmp/fastcgi_temp;\n uwsgi_temp_path /tmp/uwsgi_temp;\n scgi_temp_path /tmp/scgi_temp;\n" \ + /etc/nginx/nginx.conf + +# nginx user must own the cache and etc directory to write cache and tweak the nginx config +RUN chown -R nginx:0 /var/cache/nginx /etc/nginx +RUN chmod -R g+w /var/cache/nginx /etc/nginx + RUN rm -rf /usr/share/nginx/html \ && ln -s /app /usr/share/nginx/html +# Run as nginx user by default +USER nginx + # HTTP listen port ENV ELEMENT_WEB_PORT=80 diff --git a/docs/install.md b/docs/install.md index 7830324ffc5..f6bd98611cb 100644 --- a/docs/install.md +++ b/docs/install.md 
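Review bot: The `chown -R nginx:0 /var/cache/nginx /etc/nginx` and `chmod -R g+w ...` pair in the second Dockerfile hunk makes the whole configuration tree, `nginx.conf` included, writable by the same unprivileged user that now runs both master and workers (the `user nginx;` line is deleted and `USER nginx` is set), so a compromised worker could rewrite its own server config; the comment only says the user must "tweak the nginx config", which presumably means the entrypoint's `envsubst` output for the templates (by default `/etc/nginx/conf.d`, if I recall the stock image correctly — please confirm). I would scope the write grant to that directory and keep `nginx.conf` root-owned and read-only, e.g. `RUN chown -R nginx:0 /var/cache/nginx /etc/nginx/conf.d \` / ` && chmod -R g+w /var/cache/nginx /etc/nginx/conf.d` in a single RUN, which also avoids copying the tree into two extra layers. The three `sed -i` expressions are unchecked: if a future base image moves the `pid` directive away from `/var/run/nginx.pid`, renames the `user` line, or indents `http {`, the build still succeeds and the container only fails at start-up when the non-root user cannot write the pid file. A build-time assertion such as `RUN grep -q 'pid */tmp/nginx.pid;' /etc/nginx/nginx.conf && grep -q 'client_body_temp_path /tmp/client_temp;' /etc/nginx/nginx.conf` would turn that into a build failure.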
@@ -60,6 +60,12 @@ would be:
 docker run --rm -p 127.0.0.1:80:80 -v /etc/element-web/config.json:/app/config.json vectorim/element-web
 ```
+The Docker image is configured to run as an unprivileged (non-root) user by
+default. This should be fine on modern Docker runtimes, but binding to port 80
+on other runtimes may require root privileges. To resolve this, either run the
+image as root (`docker run --user 0`) or, better, change the port that nginx
+listens on via the `ELEMENT_WEB_PORT` environment variable.
+
 The behaviour of the docker image can be customised via the following
 environment variables: