From b8ed8853cd7c0938abfebe3b307b3b51c78ad7e7 Mon Sep 17 00:00:00 2001
From: Kyle Spearrin <kyle.spearrin@gmail.com>
Date: Mon, 26 Mar 2018 11:21:03 -0400
Subject: [PATCH] docker as non-root

---
 src/Admin/Dockerfile               |  2 +-
 src/Api/Dockerfile                 | 18 ++++++++++++++----
 src/Icons/Dockerfile               | 14 +++++++++++---
 src/Identity/Dockerfile            | 15 ++++++++++++---
 src/Jobs/crontab                   |  6 +++---
 util/Attachments/Dockerfile        | 15 ++++++++++++---
 util/MsSql/Dockerfile              | 21 +++++++++++++++++----
 util/MsSql/crontab                 |  2 +-
 util/Nginx/Dockerfile              | 14 ++++++++++++--
 util/Setup/DockerComposeBuilder.cs |  4 ++--
 util/Setup/Dockerfile              |  8 ++++++++
 util/Setup/NginxConfigBuilder.cs   | 22 +++++++++++-----------
 12 files changed, 104 insertions(+), 37 deletions(-)

diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile
index 48627136a9..cef14c8262 100644
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@@ -1,7 +1,6 @@
 FROM microsoft/aspnetcore:2.0.5
 
 ENV ASPNETCORE_URLS http://+:5000
-
 WORKDIR /app
 EXPOSE 5000
 COPY obj/Docker/publish .
@@ -9,6 +8,7 @@ COPY entrypoint.sh /
 
 RUN groupadd -g 999 bitwarden \
     && useradd -r -u 999 -g bitwarden bitwarden \
+    && chown -R bitwarden:bitwarden /app \
     && mkdir /etc/bitwarden \
     && chown -R bitwarden:bitwarden /etc/bitwarden \
     && chmod +x /entrypoint.sh \
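Review bot: The added `&& chown -R bitwarden:bitwarden /app \` hands the runtime account write access to its own published binaries, so a compromised process can overwrite the DLLs that are loaded on the next restart; the non-root user only needs to read /app, and files COPY'd as root are already readable by it unless the build context strips read permission. Consider dropping that line (or narrowing it to whichever subdirectory the app actually writes to) and keeping the chown only for /etc/bitwarden, the writable state directory. The same recursive chown of code directories is added in src/Api (/app and /jobs), src/Icons (/app and /etc/iconserver), src/Identity (/app), util/Attachments (/bitwarden_server) and util/Setup (/app). The RUN instruction continues past the end of this hunk.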
diff --git a/src/Api/Dockerfile b/src/Api/Dockerfile
index 24aeab0973..a7aa711d85 100644
--- a/src/Api/Dockerfile
+++ b/src/Api/Dockerfile
@@ -5,15 +5,25 @@ RUN apt-get update \
         cron \
     && rm -rf /var/lib/apt/lists/*
 
+ENV ASPNETCORE_URLS http://+:5000
 WORKDIR /app
-EXPOSE 80
+EXPOSE 5000
 COPY obj/Docker/publish/Api .
-
 COPY obj/Docker/publish/Jobs /jobs
+COPY entrypoint.sh /
+
 RUN mv /jobs/crontab /etc/cron.d/bitwarden-cron \
     && chmod 0644 /etc/cron.d/bitwarden-cron \
     && touch /var/log/cron.log
 
-COPY entrypoint.sh /
-RUN chmod +x /entrypoint.sh
+RUN groupadd -g 999 bitwarden \
+    && useradd -r -u 999 -g bitwarden bitwarden \
+    && chown -R bitwarden:bitwarden /app \
+    && chown -R bitwarden:bitwarden /jobs
+    && mkdir /etc/bitwarden \
+    && chown -R bitwarden:bitwarden /etc/bitwarden \
+    && chmod +x /entrypoint.sh \
+    && chown bitwarden:bitwarden /entrypoint.sh
+
+USER bitwarden
 ENTRYPOINT ["/entrypoint.sh"]
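Review bot: The line `&& chown -R bitwarden:bitwarden /jobs` is missing its trailing backslash, so the RUN instruction ends there and the following `&& mkdir /etc/bitwarden \` is parsed as a Dockerfile instruction, which breaks the build; it should read `    && chown -R bitwarden:bitwarden /jobs \`. Separately, the crontab in src/Jobs now runs the jobs as bitwarden and appends to /var/log/cron.log, but that file is created by root in the earlier RUN and never chowned here, unlike util/MsSql/Dockerfile which adds `chown bitwarden:bitwarden /var/log/cron.log`; add the same chown so job output can be written. Since the image switches to `USER bitwarden` before ENTRYPOINT, if entrypoint.sh is what starts the cron daemon it presumably can no longer do so without root — worth confirming.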
diff --git a/src/Icons/Dockerfile b/src/Icons/Dockerfile
index cc484bb4ea..c39c619825 100644
--- a/src/Icons/Dockerfile
+++ b/src/Icons/Dockerfile
@@ -12,10 +12,18 @@ RUN curl -L -o iconserver.zip https://github.com/mat/besticon/releases/download/
     && unzip iconserver.zip -d /etc/iconserver \
     && rm iconserver.*
 
+ENV ASPNETCORE_URLS http://+:5000
 WORKDIR /app
-EXPOSE 80
+EXPOSE 5000
 COPY obj/Docker/publish .
-
 COPY entrypoint.sh /
-RUN chmod +x /entrypoint.sh
+
+RUN groupadd -g 999 bitwarden \
+    && useradd -r -u 999 -g bitwarden bitwarden \
+    && chown -R bitwarden:bitwarden /app \
+    && chown -R bitwarden:bitwarden /etc/iconserver \
+    && chmod +x /entrypoint.sh \
+    && chown bitwarden:bitwarden /entrypoint.sh
+
+USER bitwarden
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/src/Identity/Dockerfile b/src/Identity/Dockerfile
index 914d81be57..cef14c8262 100644
--- a/src/Identity/Dockerfile
+++ b/src/Identity/Dockerfile
@@ -1,9 +1,18 @@
 FROM microsoft/aspnetcore:2.0.5
 
+ENV ASPNETCORE_URLS http://+:5000
 WORKDIR /app
-EXPOSE 80
+EXPOSE 5000
 COPY obj/Docker/publish .
-
 COPY entrypoint.sh /
-RUN chmod +x /entrypoint.sh
+
+RUN groupadd -g 999 bitwarden \
+    && useradd -r -u 999 -g bitwarden bitwarden \
+    && chown -R bitwarden:bitwarden /app \
+    && mkdir /etc/bitwarden \
+    && chown -R bitwarden:bitwarden /etc/bitwarden \
+    && chmod +x /entrypoint.sh \
+    && chown bitwarden:bitwarden /entrypoint.sh
+
+USER bitwarden
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/src/Jobs/crontab b/src/Jobs/crontab
index cdf57842b8..f1c07d7a21 100644
--- a/src/Jobs/crontab
+++ b/src/Jobs/crontab
@@ -1,5 +1,5 @@
-0 * * * * root dotnet /jobs/Jobs.dll -d /jobs -j alive >> /var/log/cron.log 2>&1
-0 */6 * * * root dotnet /jobs/Jobs.dll -d /jobs -j validate-organizations >> /var/log/cron.log 2>&1
-30 */12 * * * root dotnet /jobs/Jobs.dll -d /jobs -j validate-users-premium >> /var/log/cron.log 2>&1
+0 * * * * bitwarden dotnet /jobs/Jobs.dll -d /jobs -j alive >> /var/log/cron.log 2>&1
+0 */6 * * * bitwarden dotnet /jobs/Jobs.dll -d /jobs -j validate-organizations >> /var/log/cron.log 2>&1
+30 */12 * * * bitwarden dotnet /jobs/Jobs.dll -d /jobs -j validate-users-premium >> /var/log/cron.log 2>&1
 
 # An empty line is required at the end of this file for a valid cron file.
\ No newline at end of file
diff --git a/util/Attachments/Dockerfile b/util/Attachments/Dockerfile
index e8879368c9..6b44eef88a 100644
--- a/util/Attachments/Dockerfile
+++ b/util/Attachments/Dockerfile
@@ -1,7 +1,16 @@
 FROM bitwarden/server
 
-EXPOSE 80
-
+ENV ASPNETCORE_URLS http://+:5000
+EXPOSE 5000
 COPY entrypoint.sh /
-RUN chmod +x /entrypoint.sh
+
+RUN groupadd -g 999 bitwarden \
+    && useradd -r -u 999 -g bitwarden bitwarden \
+    && chown -R bitwarden:bitwarden /bitwarden_server \
+    && mkdir /etc/bitwarden \
+    && chown -R bitwarden:bitwarden /etc/bitwarden \
+    && chmod +x /entrypoint.sh \
+    && chown bitwarden:bitwarden /entrypoint.sh
+
+USER bitwarden
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/util/MsSql/Dockerfile b/util/MsSql/Dockerfile
index c6c9d0db81..bcfbfa5e94 100644
--- a/util/MsSql/Dockerfile
+++ b/util/MsSql/Dockerfile
@@ -5,14 +5,27 @@ RUN apt-get update \
         cron \
     && rm -rf /var/lib/apt/lists/*
 
+RUN groupadd -g 999 bitwarden \
+    && useradd -r -u 999 -g bitwarden bitwarden
+
 COPY crontab /etc/cron.d/bitwarden-cron
 RUN chmod 0644 /etc/cron.d/bitwarden-cron \
-    && touch /var/log/cron.log
+    && touch /var/log/cron.log \
+    && chown bitwarden:bitwarden /var/log/cron.log
 
 COPY backup-db.sql /
 COPY backup-db.sh /
-RUN chmod +x /backup-db.sh
-
 COPY entrypoint.sh /
-RUN chmod +x /entrypoint.sh
+
+RUN mkdir /etc/bitwarden \
+    && chown -R bitwarden:bitwarden /etc/bitwarden \
+    && mkdir /var/opt/mssql \
+    && chown -R bitwarden:bitwarden /var/opt/mssql \
+    && chmod +x /entrypoint.sh \
+    && chmod +x /backup-db.sh \
+    && chown bitwarden:bitwarden /entrypoint.sh \
+    && chown bitwarden:bitwarden /backup-db.sh \
+    && chown bitwarden:bitwarden /backup-db.sql
+
+USER bitwarden
 ENTRYPOINT ["/entrypoint.sh"]
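Review bot: `&& mkdir /var/opt/mssql \` in the new RUN fails the build if the base image already provides that directory, and if the data directory is mounted from the host at runtime (the usual layout for a SQL Server data dir) the chown baked into the image does not apply to the mounted path, so uid 999 may still be unable to write there. Use `    && mkdir -p /var/opt/mssql \` and set the host directory's ownership at deployment time rather than relying on this chown. As in src/Api, the backup job in util/MsSql/crontab now runs as bitwarden and the log is chowned here, but the cron daemon itself is presumably launched by entrypoint.sh, which now runs as `USER bitwarden` and cannot start cron without root — confirm how cron is started in this image. The apt-get RUN at the top of the hunk starts outside it.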
diff --git a/util/MsSql/crontab b/util/MsSql/crontab
index 9b37cd04d5..451e14d6b4 100644
--- a/util/MsSql/crontab
+++ b/util/MsSql/crontab
@@ -1,3 +1,3 @@
-0 0 * * * root /backup-db.sh >> /var/log/cron.log 2>&1
+0 0 * * * bitwarden /backup-db.sh >> /var/log/cron.log 2>&1
 
 # An empty line is required at the end of this file for a valid cron file.
\ No newline at end of file
diff --git a/util/Nginx/Dockerfile b/util/Nginx/Dockerfile
index dbde5ebcf7..83fdc65f52 100644
--- a/util/Nginx/Dockerfile
+++ b/util/Nginx/Dockerfile
@@ -3,7 +3,17 @@ FROM nginx:1.12
 COPY nginx.conf /etc/nginx
 COPY proxy.conf /etc/nginx
 COPY mime.types /etc/nginx
-
 COPY entrypoint.sh /
-RUN chmod +x /entrypoint.sh
+
+RUN groupadd -g 999 bitwarden \
+    && useradd -r -u 999 -g bitwarden bitwarden \
+    && mkdir /etc/bitwarden \
+    && chown -R bitwarden:bitwarden /etc/bitwarden \
+    && chmod +x /entrypoint.sh \
+    && chown bitwarden:bitwarden /entrypoint.sh \
+    && touch /var/run/nginx.pid \
+    && chown -R proxytest:proxytest /var/run/nginx.pid \
+    && chown -R proxytest:proxytest /var/cache/nginx
+
+USER bitwarden
 ENTRYPOINT ["/entrypoint.sh"]
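Review bot: The lines `&& chown -R proxytest:proxytest /var/run/nginx.pid \` and `&& chown -R proxytest:proxytest /var/cache/nginx` name a user this Dockerfile never creates (only bitwarden is added a few lines above), so chown fails and the build breaks; this looks like a leftover from local testing and both should be `chown -R bitwarden:bitwarden …`. Running nginx unprivileged also requires that the copied nginx.conf carry no `user` directive and only unprivileged listen ports, which the 8080/8081 changes in util/Setup cover for the generated server blocks; the master process must additionally be able to open its error log path, which the official image presumably points at stderr — verify against /etc/nginx/nginx.conf copied above.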
diff --git a/util/Setup/DockerComposeBuilder.cs b/util/Setup/DockerComposeBuilder.cs
index c28f4f1681..ed0108cd82 100644
--- a/util/Setup/DockerComposeBuilder.cs
+++ b/util/Setup/DockerComposeBuilder.cs
@@ -165,8 +165,8 @@ services:
     container_name: bitwarden-nginx
     restart: always
     ports:
-      - '{HttpPort}:80'
-      - '{HttpsPort}:443'
+      - '{HttpPort}:8080'
+      - '{HttpsPort}:8081'
     volumes:
       - ../nginx:/etc/bitwarden/nginx
       - ../letsencrypt:/etc/letsencrypt
diff --git a/util/Setup/Dockerfile b/util/Setup/Dockerfile
index 4b95e2c74a..d8ffa49ae6 100644
--- a/util/Setup/Dockerfile
+++ b/util/Setup/Dockerfile
@@ -7,3 +7,11 @@ RUN apt-get update \
 
 WORKDIR /app
 COPY obj/Docker/publish .
+
+RUN groupadd -g 999 bitwarden \
+    && useradd -r -u 999 -g bitwarden bitwarden \
+    && chown -R bitwarden:bitwarden /app \
+    && mkdir /bitwarden \
+    && chown -R bitwarden:bitwarden /bitwarden
+
+USER bitwarden
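Review bot: `mkdir /bitwarden` and `chown -R bitwarden:bitwarden /bitwarden` only affect the image layer, while the C# in util/Setup reads and writes under /bitwarden (for example /bitwarden/nginx/default.conf in NginxConfigBuilder.cs), which suggests that path is a host directory mounted at runtime; a mount replaces the chowned directory with the host's own ownership. Running as `USER bitwarden` (uid 999) will then fail to write the generated config unless the host directory is writable by that uid, so the deployment side needs to create it with matching ownership, and a comment here would make that dependency visible: `# /bitwarden is expected to be mounted from the host; that directory must be writable by uid 999`.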
diff --git a/util/Setup/NginxConfigBuilder.cs b/util/Setup/NginxConfigBuilder.cs
index 20fca628d5..b1042c3b7b 100644
--- a/util/Setup/NginxConfigBuilder.cs
+++ b/util/Setup/NginxConfigBuilder.cs
@@ -65,7 +65,7 @@ namespace Bit.Setup
             if(File.Exists("/bitwarden/nginx/default.conf"))
             {
                 var confContent = File.ReadAllText("/bitwarden/nginx/default.conf");
-                Ssl = confContent.Contains("listen 443 ssl http2;");
+                Ssl = confContent.Contains("listen 8081 ssl http2;") || confContent.Contains("listen 443 ssl http2;");
                 SelfSignedSsl = confContent.Contains("/etc/ssl/self/");
                 LetsEncrypt = !SelfSignedSsl && confContent.Contains("/etc/letsencrypt/live/");
                 DiffieHellman = confContent.Contains("/dhparam.pem;");
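Review bot: The new `Ssl` assignment checks both `listen 8081 ssl http2;` and `listen 443 ssl http2;` without saying why; the 443 form is presumably the string emitted by this builder before nginx was moved to an unprivileged port, kept so an existing default.conf is still detected as SSL-enabled when setup is re-run. A comment would stop the next reader from "cleaning up" the second clause, e.g. `// Configs generated before nginx ran unprivileged listened on 443; keep matching them so re-running setup preserves SSL.` The enclosing method starts outside the hunk.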
@@ -98,8 +98,8 @@ namespace Bit.Setup
 # Parameter:Trusted={Trusted}
 
 server {{
-  listen 80 default_server;
-  listen [::]:80 default_server;
+  listen 8080 default_server;
+  listen [::]:8080 default_server;
   server_name {Domain};");
 
                 if(Ssl)
@@ -108,8 +108,8 @@ server {{
 }}
 
 server {{
-  listen 443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen 8081 ssl http2;
+  listen [::]:8081 ssl http2;
   server_name {Domain};
 
   ssl_certificate {sslPath}/{certFile};
@@ -169,29 +169,29 @@ server {{
 
                 sw.WriteLine($@"
   location / {{
-    proxy_pass http://web/;
+    proxy_pass http://web:5000/;
   }}
 
   location = /app-id.json {{
-    proxy_pass http://web/app-id.json;
+    proxy_pass http://web:5000/app-id.json;
     proxy_hide_header Content-Type;
     add_header Content-Type $fido_content_type;
   }}
 
   location /attachments/ {{
-    proxy_pass http://attachments/;
+    proxy_pass http://attachments:5000/;
   }}
 
   location /api/ {{
-    proxy_pass http://api/;
+    proxy_pass http://api:5000/;
   }}
 
   location /identity/ {{
-    proxy_pass http://identity/;
+    proxy_pass http://identity:5000/;
   }}
 
   location /icons/ {{
-    proxy_pass http://icons/;
+    proxy_pass http://icons:5000/;
   }}
 
   location /admin {{