From b8ed8853cd7c0938abfebe3b307b3b51c78ad7e7 Mon Sep 17 00:00:00 2001 From: Kyle Spearrin Date: Mon, 26 Mar 2018 11:21:03 -0400 Subject: [PATCH] docker as non-root --- src/Admin/Dockerfile | 2 +- src/Api/Dockerfile | 18 ++++++++++++++---- src/Icons/Dockerfile | 14 +++++++++++--- src/Identity/Dockerfile | 15 ++++++++++++--- src/Jobs/crontab | 6 +++--- util/Attachments/Dockerfile | 15 ++++++++++++--- util/MsSql/Dockerfile | 21 +++++++++++++++++---- util/MsSql/crontab | 2 +- util/Nginx/Dockerfile | 14 ++++++++++++-- util/Setup/DockerComposeBuilder.cs | 4 ++-- util/Setup/Dockerfile | 8 ++++++++ util/Setup/NginxConfigBuilder.cs | 22 +++++++++++----------- 12 files changed, 104 insertions(+), 37 deletions(-) diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile index 48627136a..cef14c826 100644 --- a/src/Admin/Dockerfile +++ b/src/Admin/Dockerfile @@ -1,7 +1,6 @@ FROM microsoft/aspnetcore:2.0.5 ENV ASPNETCORE_URLS http://+:5000 - WORKDIR /app EXPOSE 5000 COPY obj/Docker/publish . @@ -9,6 +8,7 @@ COPY entrypoint.sh / RUN groupadd -g 999 bitwarden \ && useradd -r -u 999 -g bitwarden bitwarden \ + && chown -R bitwarden:bitwarden /app \ && mkdir /etc/bitwarden \ && chown -R bitwarden:bitwarden /etc/bitwarden \ && chmod +x /entrypoint.sh \ diff --git a/src/Api/Dockerfile b/src/Api/Dockerfile index 24aeab097..a7aa711d8 100644 --- a/src/Api/Dockerfile +++ b/src/Api/Dockerfile 
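Review bot: The added `&& chown -R bitwarden:bitwarden /app \` in the second Admin hunk hands ownership of the published application binaries to the account the service runs as, so a compromised process could rewrite its own code; files COPYed in as root are typically already readable and executable by other users, which is all the runtime needs. Unless the app writes into /app at runtime (nothing in the hunk shows that), drop the line and chown only the directories the service must write to, which here is /etc/bitwarden. The same line is added to the Api, Icons, Identity and Setup Dockerfiles in this patch, and Attachments and Icons do the equivalent for `/bitwarden_server` and `/etc/iconserver`.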
@@ -5,15 +5,25 @@ RUN apt-get update \ cron \ && rm -rf /var/lib/apt/lists/* +ENV ASPNETCORE_URLS http://+:5000 WORKDIR /app -EXPOSE 80 +EXPOSE 5000 COPY obj/Docker/publish/Api . - COPY obj/Docker/publish/Jobs /jobs +COPY entrypoint.sh / + RUN mv /jobs/crontab /etc/cron.d/bitwarden-cron \ && chmod 0644 /etc/cron.d/bitwarden-cron \ && touch /var/log/cron.log -COPY entrypoint.sh / -RUN chmod +x /entrypoint.sh +RUN groupadd -g 999 bitwarden \ + && useradd -r -u 999 -g bitwarden bitwarden \ + && chown -R bitwarden:bitwarden /app \ + && chown -R bitwarden:bitwarden /jobs + && mkdir /etc/bitwarden \ + && chown -R bitwarden:bitwarden /etc/bitwarden \ + && chmod +x /entrypoint.sh \ + && chown bitwarden:bitwarden /entrypoint.sh + +USER bitwarden ENTRYPOINT ["/entrypoint.sh"] diff --git a/src/Icons/Dockerfile b/src/Icons/Dockerfile index cc484bb4e..c39c61982 100644 --- a/src/Icons/Dockerfile +++ b/src/Icons/Dockerfile @@ -12,10 +12,18 @@ RUN curl -L -o iconserver.zip https://github.com/mat/besticon/releases/download/ && unzip iconserver.zip -d /etc/iconserver \ && rm iconserver.* +ENV ASPNETCORE_URLS http://+:5000 WORKDIR /app -EXPOSE 80 +EXPOSE 5000 COPY obj/Docker/publish . - COPY entrypoint.sh / -RUN chmod +x /entrypoint.sh + +RUN groupadd -g 999 bitwarden \ + && useradd -r -u 999 -g bitwarden bitwarden \ + && chown -R bitwarden:bitwarden /app \ + && chown -R bitwarden:bitwarden /etc/iconserver \ + && chmod +x /entrypoint.sh \ + && chown bitwarden:bitwarden /entrypoint.sh + +USER bitwarden ENTRYPOINT ["/entrypoint.sh"] diff --git a/src/Identity/Dockerfile b/src/Identity/Dockerfile index 914d81be5..cef14c826 100644 --- a/src/Identity/Dockerfile +++ b/src/Identity/Dockerfile 
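Review bot: The line `+ && chown -R bitwarden:bitwarden /jobs` is missing the trailing `\`, so the RUN instruction ends there and the following `&& mkdir /etc/bitwarden \` is parsed as a new Dockerfile instruction; the build should fail on it, and the /etc/bitwarden setup and the chmod/chown of entrypoint.sh would never run even if it did not. Change it to `&& chown -R bitwarden:bitwarden /jobs \`. Separately, `touch /var/log/cron.log` still leaves the log root-owned here while the MsSql Dockerfile in this patch adds `&& chown bitwarden:bitwarden /var/log/cron.log`; the entries in src/Jobs/crontab, which now run as bitwarden, redirect into that file and would get permission denied. If entrypoint.sh (not shown) starts the cron daemon, note that a system cron reading /etc/cron.d normally has to run as root to switch users per entry, so it is unlikely to come up under `USER bitwarden` at all; the same applies to the MsSql image.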
@@ -1,9 +1,18 @@ FROM microsoft/aspnetcore:2.0.5 +ENV ASPNETCORE_URLS http://+:5000 WORKDIR /app -EXPOSE 80 +EXPOSE 5000 COPY obj/Docker/publish . - COPY entrypoint.sh / -RUN chmod +x /entrypoint.sh + +RUN groupadd -g 999 bitwarden \ + && useradd -r -u 999 -g bitwarden bitwarden \ + && chown -R bitwarden:bitwarden /app \ + && mkdir /etc/bitwarden \ + && chown -R bitwarden:bitwarden /etc/bitwarden \ + && chmod +x /entrypoint.sh \ + && chown bitwarden:bitwarden /entrypoint.sh + +USER bitwarden ENTRYPOINT ["/entrypoint.sh"] diff --git a/src/Jobs/crontab b/src/Jobs/crontab index cdf57842b..f1c07d7a2 100644 --- a/src/Jobs/crontab +++ b/src/Jobs/crontab @@ -1,5 +1,5 @@ -0 * * * * root dotnet /jobs/Jobs.dll -d /jobs -j alive >> /var/log/cron.log 2>&1 -0 */6 * * * root dotnet /jobs/Jobs.dll -d /jobs -j validate-organizations >> /var/log/cron.log 2>&1 -30 */12 * * * root dotnet /jobs/Jobs.dll -d /jobs -j validate-users-premium >> /var/log/cron.log 2>&1 +0 * * * * bitwarden dotnet /jobs/Jobs.dll -d /jobs -j alive >> /var/log/cron.log 2>&1 +0 */6 * * * bitwarden dotnet /jobs/Jobs.dll -d /jobs -j validate-organizations >> /var/log/cron.log 2>&1 +30 */12 * * * bitwarden dotnet /jobs/Jobs.dll -d /jobs -j validate-users-premium >> /var/log/cron.log 2>&1 # An empty line is required at the end of this file for a valid cron file. \ No newline at end of file diff --git a/util/Attachments/Dockerfile b/util/Attachments/Dockerfile index e8879368c..6b44eef88 100644 --- a/util/Attachments/Dockerfile +++ b/util/Attachments/Dockerfile 
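Review bot: The user-creation RUN block added here is the same block this patch pastes into the Admin, Api, Icons, Attachments, MsSql, Nginx and Setup Dockerfiles (the Identity file's new blob cef14c826 in the index line is the same as Admin's, so the two files are now byte-identical), and the copies have already drifted: the Api copy drops a line continuation and the Nginx copy chowns to a user that is never created. Consider a shared base stage, or at minimum an `ARG` for the uid/gid, plus one comment such as `# run as the unprivileged bitwarden user (uid/gid 999); /etc/bitwarden is the only writable state` so the uid that mounted volumes must be owned by is stated once rather than implied by eight copies of `-u 999`.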
@@ -1,7 +1,16 @@ FROM bitwarden/server -EXPOSE 80 - +ENV ASPNETCORE_URLS http://+:5000 +EXPOSE 5000 COPY entrypoint.sh / -RUN chmod +x /entrypoint.sh + +RUN groupadd -g 999 bitwarden \ + && useradd -r -u 999 -g bitwarden bitwarden \ + && chown -R bitwarden:bitwarden /bitwarden_server \ + && mkdir /etc/bitwarden \ + && chown -R bitwarden:bitwarden /etc/bitwarden \ + && chmod +x /entrypoint.sh \ + && chown bitwarden:bitwarden /entrypoint.sh + +USER bitwarden ENTRYPOINT ["/entrypoint.sh"] diff --git a/util/MsSql/Dockerfile b/util/MsSql/Dockerfile index c6c9d0db8..bcfbfa5e9 100644 --- a/util/MsSql/Dockerfile +++ b/util/MsSql/Dockerfile @@ -5,14 +5,27 @@ RUN apt-get update \ cron \ && rm -rf /var/lib/apt/lists/* +RUN groupadd -g 999 bitwarden \ + && useradd -r -u 999 -g bitwarden bitwarden + COPY crontab /etc/cron.d/bitwarden-cron RUN chmod 0644 /etc/cron.d/bitwarden-cron \ - && touch /var/log/cron.log + && touch /var/log/cron.log \ + && chown bitwarden:bitwarden /var/log/cron.log COPY backup-db.sql / COPY backup-db.sh / -RUN chmod +x /backup-db.sh - COPY entrypoint.sh / -RUN chmod +x /entrypoint.sh + +RUN mkdir /etc/bitwarden \ + && chown -R bitwarden:bitwarden /etc/bitwarden \ + && mkdir /var/opt/mssql \ + && chown -R bitwarden:bitwarden /var/opt/mssql \ + && chmod +x /entrypoint.sh \ + && chmod +x /backup-db.sh \ + && chown bitwarden:bitwarden /entrypoint.sh \ + && chown bitwarden:bitwarden /backup-db.sh \ + && chown bitwarden:bitwarden /backup-db.sql + +USER bitwarden ENTRYPOINT ["/entrypoint.sh"] diff --git a/util/MsSql/crontab b/util/MsSql/crontab index 9b37cd04d..451e14d6b 100644 --- a/util/MsSql/crontab +++ b/util/MsSql/crontab @@ -1,3 +1,3 @@ -0 0 * * * root /backup-db.sh >> /var/log/cron.log 2>&1 +0 0 * * * bitwarden /backup-db.sh >> /var/log/cron.log 2>&1 # An empty line is required at the end of this file for a valid cron file. \ No newline at end of file diff --git a/util/Nginx/Dockerfile b/util/Nginx/Dockerfile index dbde5ebcf..83fdc65f5 100644 
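Review bot: `mkdir /var/opt/mssql` in the second added RUN block of the MsSql Dockerfile has no `-p`, so the build fails if the base image (its FROM line is outside the hunk) already ships that directory; `mkdir -p /var/opt/mssql \` is the safe form either way. The data directory is presumably a volume at runtime, in which case the image-time `chown -R bitwarden:bitwarden /var/opt/mssql` is masked by the ownership of the mounted host path, which then has to be owned by uid 999 before the container starts; a comment `# /var/opt/mssql is expected to be a volume owned by uid 999 on the host` next to the mkdir would record that. The `USER bitwarden` switch also means whatever runs /etc/cron.d/bitwarden-cron (and the renamed entry in util/MsSql/crontab) must be started unprivileged, which system cron generally cannot do; that depends on entrypoint.sh, which is not shown.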
--- a/util/Nginx/Dockerfile +++ b/util/Nginx/Dockerfile @@ -3,7 +3,17 @@ FROM nginx:1.12 COPY nginx.conf /etc/nginx COPY proxy.conf /etc/nginx COPY mime.types /etc/nginx - COPY entrypoint.sh / -RUN chmod +x /entrypoint.sh + +RUN groupadd -g 999 bitwarden \ + && useradd -r -u 999 -g bitwarden bitwarden \ + && mkdir /etc/bitwarden \ + && chown -R bitwarden:bitwarden /etc/bitwarden \ + && chmod +x /entrypoint.sh \ + && chown bitwarden:bitwarden /entrypoint.sh \ + && touch /var/run/nginx.pid \ + && chown -R proxytest:proxytest /var/run/nginx.pid \ + && chown -R proxytest:proxytest /var/cache/nginx + +USER bitwarden ENTRYPOINT ["/entrypoint.sh"] diff --git a/util/Setup/DockerComposeBuilder.cs b/util/Setup/DockerComposeBuilder.cs index c28f4f168..ed0108cd8 100644 --- a/util/Setup/DockerComposeBuilder.cs +++ b/util/Setup/DockerComposeBuilder.cs @@ -165,8 +165,8 @@ services: container_name: bitwarden-nginx restart: always ports: - - '{HttpPort}:80' - - '{HttpsPort}:443' + - '{HttpPort}:8080' + - '{HttpsPort}:8081' volumes: - ../nginx:/etc/bitwarden/nginx - ../letsencrypt:/etc/letsencrypt diff --git a/util/Setup/Dockerfile b/util/Setup/Dockerfile index 4b95e2c74..d8ffa49ae 100644 --- a/util/Setup/Dockerfile +++ b/util/Setup/Dockerfile @@ -7,3 +7,11 @@ RUN apt-get update \ WORKDIR /app COPY obj/Docker/publish . + +RUN groupadd -g 999 bitwarden \ + && useradd -r -u 999 -g bitwarden bitwarden \ + && chown -R bitwarden:bitwarden /app \ + && mkdir /bitwarden \ + && chown -R bitwarden:bitwarden /bitwarden + +USER bitwarden diff --git a/util/Setup/NginxConfigBuilder.cs b/util/Setup/NginxConfigBuilder.cs index 20fca628d..b1042c3b7 100644 --- a/util/Setup/NginxConfigBuilder.cs +++ b/util/Setup/NginxConfigBuilder.cs 
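Review bot: `&& chown -R proxytest:proxytest /var/run/nginx.pid \` and `&& chown -R proxytest:proxytest /var/cache/nginx` in the Nginx Dockerfile refer to a user this file never creates (the only account added is bitwarden), so chown fails and the image does not build; and even if such a user existed, the nginx master running under `USER bitwarden` needs to own the pid file and the cache directory itself. Both lines should read `chown -R bitwarden:bitwarden ...`. The new `USER bitwarden` is also the reason the listen ports move to 8080/8081 in NginxConfigBuilder.cs and the compose mapping changes in DockerComposeBuilder.cs; a one-line comment here, `# nginx runs unprivileged, so it listens on 8080/8081 (docker-compose maps 80/443 onto them)`, would tie the three changes together.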
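Review bot: `mkdir /bitwarden \` and `&& chown -R bitwarden:bitwarden /bitwarden` in the Setup Dockerfile only affect the image layer, while NginxConfigBuilder.cs in this patch reads and writes under /bitwarden, which is presumably bind-mounted from the host when setup runs; a bind mount keeps the host directory's ownership, so the setup container running as uid 999 may be unable to write its output unless the host directory is owned by 999 (or the uid is made configurable). Whatever launches this container should state that requirement, and a comment `# /bitwarden is expected to be a host mount writable by uid 999` next to the mkdir would make it visible to the next reader of this file.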
@@ -65,7 +65,7 @@ namespace Bit.Setup if(File.Exists("/bitwarden/nginx/default.conf")) { var confContent = File.ReadAllText("/bitwarden/nginx/default.conf"); - Ssl = confContent.Contains("listen 443 ssl http2;"); + Ssl = confContent.Contains("listen 8081 ssl http2;") || confContent.Contains("listen 443 ssl http2;"); SelfSignedSsl = confContent.Contains("/etc/ssl/self/"); LetsEncrypt = !SelfSignedSsl && confContent.Contains("/etc/letsencrypt/live/"); DiffieHellman = confContent.Contains("/dhparam.pem;"); @@ -98,8 +98,8 @@ namespace Bit.Setup # Parameter:Trusted={Trusted} server {{ - listen 80 default_server; - listen [::]:80 default_server; + listen 8080 default_server; + listen [::]:8080 default_server; server_name {Domain};"); if(Ssl) @@ -108,8 +108,8 @@ server {{ }} server {{ - listen 443 ssl http2; - listen [::]:443 ssl http2; + listen 8081 ssl http2; + listen [::]:8081 ssl http2; server_name {Domain}; ssl_certificate {sslPath}/{certFile}; @@ -169,29 +169,29 @@ server {{ sw.WriteLine($@" location / {{ - proxy_pass http://web/; + proxy_pass http://web:5000/; }} location = /app-id.json {{ - proxy_pass http://web/app-id.json; + proxy_pass http://web:5000/app-id.json; proxy_hide_header Content-Type; add_header Content-Type $fido_content_type; }} location /attachments/ {{ - proxy_pass http://attachments/; + proxy_pass http://attachments:5000/; }} location /api/ {{ - proxy_pass http://api/; + proxy_pass http://api:5000/; }} location /identity/ {{ - proxy_pass http://identity/; + proxy_pass http://identity:5000/; }} location /icons/ {{ - proxy_pass http://icons/; + proxy_pass http://icons:5000/; }} location /admin {{
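Review bot: The new `Ssl = confContent.Contains("listen 8081 ssl http2;") || confContent.Contains("listen 443 ssl http2;");` keeps recognising configs generated before this patch, but nothing says so, and a reader of the next two hunks gets no hint why the template now listens on 8080/8081; add `// 443 kept so configs written before nginx moved to unprivileged ports (8080/8081) are still detected` above it. The ports 8080, 8081 and 5000 are now spelled out as literals in many interpolated strings across these hunks and again in DockerComposeBuilder.cs; a named `private const` for each would keep the nginx listen ports, the compose mapping and the legacy check in one place and is the usual fix for magic numbers. The last hunk, the `proxy_pass` rewrites to `:5000`, continues past the end of this patch as shown, so it is not reviewed here.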