[PS-2016] Add ability to change UID/GID for Bitwarden unified (#2495)

2025-05-28 14:54:50 -05:00 · 2022-12-13 10:31:19 -05:00 · 2022-12-13 10:31:19 -05:00 · c6fbe8cc44
commit c6fbe8cc44
parent 2469e10110
3 changed files with 28 additions and 18 deletions
--- a/docker-unified/Dockerfile
+++ b/docker-unified/Dockerfile
@ -215,9 +215,6 @@ RUN apk add --update-cache \
    unzip \
    && rm -rf /var/cache/apk/*

-# Create non-root user to run app
-RUN adduser -s /bin/false -D bitwarden
-
 # Create required directories
 RUN mkdir -p /etc/bitwarden/attachments/send
 RUN mkdir -p /etc/bitwarden/data-protection
@ -228,26 +225,17 @@ RUN mkdir -p /etc/supervisor.d
 RUN mkdir -p /var/log/bitwarden
 RUN mkdir -p /var/log/nginx/logs
 RUN mkdir -p /app
-RUN chown -R bitwarden:bitwarden \
-    /app \
-    /etc/bitwarden \
-    /etc/nginx/http.d \
-    /etc/supervisor \
-    /etc/supervisor.d \
-    /var/lib/nginx \
-    /var/log \
-    /run

 # Copy all apps from dotnet-build stage
 WORKDIR /app
-COPY --chown=bitwarden:bitwarden --from=dotnet-build /app ./
+COPY --from=dotnet-build /app ./

 # Copy Web files from web-setup stage
-COPY --chown=bitwarden:bitwarden --from=web-setup /tmp/build /app/Web
+COPY --from=web-setup /tmp/build /app/Web

 # Set up supervisord
-COPY --chown=bitwarden:bitwarden docker-unified/supervisord/*.ini /etc/supervisor.d/
-COPY --chown=bitwarden:bitwarden docker-unified/supervisord/supervisord.conf /etc/supervisor/supervisord.conf
+COPY docker-unified/supervisord/*.ini /etc/supervisor.d/
+COPY docker-unified/supervisord/supervisord.conf /etc/supervisor/supervisord.conf
 RUN rm -f /etc/supervisord.conf

 # Set up nginx
@ -285,5 +273,4 @@ RUN apk add --update-cache \
 VOLUME ["/etc/bitwarden"]

 WORKDIR /app
-USER bitwarden:bitwarden
 ENTRYPOINT ["/entrypoint.sh"]
--- a/docker-unified/entrypoint.sh
+++ b/docker-unified/entrypoint.sh
@ -1,5 +1,14 @@
 #!/bin/sh

+# Set up user group
+GID="${GID:-1000}"
+addgroup -g $GID bitwarden
+GROUP_NAME=$(cat /etc/group | grep ":$GID:" | cut -d ':' -f 1)
+
+# Set up user
+UID="${UID:-1000}"
+adduser -s /bin/false -D -u $UID -G $GROUP_NAME bitwarden
+
 # Translate environment variables for application settings
 VAULT_SERVICE_URI=https://$BW_DOMAIN
 MYSQL_CONNECTION_STRING="server=$BW_DB_SERVER;database=$BW_DB_DATABASE;user=$BW_DB_USERNAME;password=$BW_DB_PASSWORD"
@ -78,4 +87,14 @@ sed -i "s/autostart=true/autostart=${BW_ENABLE_NOTIFICATIONS}/" /etc/supervisor.
 sed -i "s/autostart=true/autostart=${BW_ENABLE_SCIM}/" /etc/supervisor.d/scim.ini
 sed -i "s/autostart=true/autostart=${BW_ENABLE_SSO}/" /etc/supervisor.d/sso.ini

-exec /usr/bin/supervisord
+chown -R $UID:$GID \
+    /app \
+    /etc/bitwarden \
+    /etc/nginx/http.d \
+    /etc/supervisor \
+    /etc/supervisor.d \
+    /var/lib/nginx \
+    /var/log \
+    /run
+
+su-exec $UID:$GID /usr/bin/supervisord
--- a/docker-unified/settings.env
+++ b/docker-unified/settings.env
@ -23,6 +23,10 @@ BW_INSTALLATION_KEY=xxxxxxxxxxxx
 #####################
 # Learn more here: https://bitwarden.com/help/environment-variables/

+# Container UID/GID
+#UID=1000
+#GID=1000
+
 # Webserver ports
 #BW_PORT_HTTP=8080
 #BW_PORT_HTTPS=8443