From ffcd1cc1588cd10f25ad8bec868868bcaa36eaa1 Mon Sep 17 00:00:00 2001 From: paspo Date: Tue, 18 Jun 2024 09:23:52 +0200 Subject: [PATCH 1/3] updated S6 overlay version --- docker/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index e6982af04..43505669b 100755 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -1,6 +1,6 @@ FROM busybox:stable -ARG S6_OVERLAY_VERSION=3.1.1.2 +ARG S6_OVERLAY_VERSION=3.2.0.0 ARG S6_ARCH=x86_64 ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz /tmp ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-${S6_ARCH}.tar.xz /tmp From 025c4b12b5cc89a2b9c7c31f6dafe1656cad6907 Mon Sep 17 00:00:00 2001 From: paspo Date: Tue, 18 Jun 2024 09:25:43 +0200 Subject: [PATCH 2/3] run as unprivileged user --- README.md | 2 ++ docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/dependencies | 1 + docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/run | 4 ++-- docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/dependencies | 1 + docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/run | 4 ++-- docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/type | 1 + docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/up | 1 + docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/up.real | 10 ++++++++++ .../etc/s6-overlay/s6-rc.d/user/contents.d/set-user | 0 9 files changed, 20 insertions(+), 4 deletions(-) create mode 100755 docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/type create mode 100755 docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/up create mode 100755 docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/up.real create mode 100644 docker/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/set-user diff --git a/README.md b/README.md index ec2e2d439..14bbf6046 100644 --- a/README.md +++ b/README.md 
@@ -196,6 +196,8 @@ For this container image, you can use these environment variables, **in addition | ENCRYPTED_ONLY | yes | if set to **"1"** unencrypted connection will not be accepted | | KEY_PUB | yes | public part of the key pair | | KEY_PRIV | yes | private part of the key pair | +| PUID | yes | user ID that hbbr/hbbs will use (1000 by default) | +| PGID | yes | group ID that hbbr/hbbs will use (1000 by default) | ### Secret management in S6-overlay based images diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/dependencies b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/dependencies index 23bc57dff..f29459fd0 100644 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/dependencies +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/dependencies @@ -1 +1,2 @@ key-secret +set-user diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/run b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/run index c17d27b0e..f74a9c042 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/run +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/run @@ -1,5 +1,5 @@ #!/command/with-contenv sh -cd /data +cd /data || return PARAMS= [ "${ENCRYPTED_ONLY}" = "1" ] && PARAMS="-k _" -/usr/bin/hbbr $PARAMS +exec s6-setuidgid rustdesk /usr/bin/hbbr $PARAMS diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/dependencies b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/dependencies index f72cf00c8..ed8bf53fb 100644 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/dependencies +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/dependencies @@ -1,2 +1,3 @@ key-secret +set-user hbbr diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/run b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/run index 59e216313..18d3b1ecc 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/run +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/run 
@@ -1,6 +1,6 @@ #!/command/with-contenv sh sleep 2 -cd /data +cd /data || return PARAMS= [ "${ENCRYPTED_ONLY}" = "1" ] && PARAMS="-k _" -/usr/bin/hbbs -r $RELAY $PARAMS +exec s6-setuidgid rustdesk /usr/bin/hbbs -r $RELAY $PARAMS diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/type b/docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/type new file mode 100755 index 000000000..bdd22a185 --- /dev/null +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/type @@ -0,0 +1 @@ +oneshot diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/up b/docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/up new file mode 100755 index 000000000..30ca6e851 --- /dev/null +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/up @@ -0,0 +1 @@ +/etc/s6-overlay/s6-rc.d/set-user/up.real diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/up.real b/docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/up.real new file mode 100755 index 000000000..5bd10cc8b --- /dev/null +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/up.real @@ -0,0 +1,10 @@ +#!/command/with-contenv sh + +PUID=${PUID:-1000} +PGID=${PGID:-1000} +USERNAME=rustdesk +GROUPNAME=rustdesk + +addgroup -g "${PGID}" "${GROUPNAME}" +adduser -D -h /data -u "${PUID}" -G "${GROUPNAME}" "${USERNAME}" +chown "${PUID}:${PGID}" "/data" diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/set-user b/docker/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/set-user new file mode 100644 index 000000000..e69de29bb From fe36a51b104d675aceaa1ebfb950e434e3c72303 Mon Sep 17 00:00:00 2001 From: paspo Date: Tue, 18 Jun 2024 10:48:35 +0200 Subject: [PATCH 3/3] support for running the whole container as a user --- docker/Dockerfile | 8 ++++++++ docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/run | 6 +++++- docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/run | 6 +++++- .../rootfs/etc/s6-overlay/s6-rc.d/set-user/up.real | 13 +++++++++---- 4 files changed, 27 insertions(+), 6 deletions(-) 
diff --git a/docker/Dockerfile b/docker/Dockerfile index 43505669b..3e9e88578 100755 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -14,6 +14,12 @@ COPY rootfs / ENV RELAY relay.example.com ENV ENCRYPTED_ONLY 0 +ENV PGID=1000 +ENV PUID=1000 + +RUN \ + addgroup -g "${PGID}" rustdesk && \ + adduser -D -h /data -u "${PUID}" -G rustdesk rustdesk EXPOSE 21115 21116 21116/udp 21117 21118 21119 @@ -23,4 +29,6 @@ WORKDIR /data VOLUME /data +USER rustdesk + ENTRYPOINT ["/init"] diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/run b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/run index f74a9c042..caed28871 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/run +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/run @@ -2,4 +2,8 @@ cd /data || return PARAMS= [ "${ENCRYPTED_ONLY}" = "1" ] && PARAMS="-k _" -exec s6-setuidgid rustdesk /usr/bin/hbbr $PARAMS +if [ "$(id -u)" -ne 0 ] ; then + /usr/bin/hbbr $PARAMS +else + exec s6-setuidgid rustdesk /usr/bin/hbbr $PARAMS +fi diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/run b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/run index 18d3b1ecc..0cf5846c1 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/run +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/run @@ -3,4 +3,8 @@ sleep 2 cd /data || return PARAMS= [ "${ENCRYPTED_ONLY}" = "1" ] && PARAMS="-k _" -exec s6-setuidgid rustdesk /usr/bin/hbbs -r $RELAY $PARAMS +if [ "$(id -u)" -ne 0 ] ; then + /usr/bin/hbbs -r $RELAY $PARAMS +else + exec s6-setuidgid rustdesk /usr/bin/hbbs -r $RELAY $PARAMS +fi diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/up.real b/docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/up.real index 5bd10cc8b..8117d6fac 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/up.real +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/up.real 
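Review bot: The `USER rustdesk` line added at the end of this hunk makes the image start `/init` unprivileged by default, which silently turns the `PUID`/`PGID` variables documented in the README in the previous patch into no-ops: `set-user` exits early when it is not root, so the values only take effect if the operator explicitly starts the container as root. That caveat belongs next to the two README rows, e.g. `PUID/PGID are only honoured when the container is started as root (e.g. --user 0); with the image's default USER the service runs as uid/gid 1000`. For the same reason the `chown` of `/data` in `set-user` no longer runs by default, so a bind-mounted `/data` has to be writable by uid 1000 (or whatever `--user` is given) before hbbs/hbbr can write into it; a one-line comment above `USER rustdesk` saying so would save the next person a debugging session. I would also verify that s6-overlay 3.2.0.0's `/init` actually comes up when started as a non-root user with this rootfs — my recollection is that non-root mode has requirements around a writable `/run`, but nothing in this patch series shows that was exercised.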
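Review bot: The non-root branch added in this hunk runs `/usr/bin/hbbr $PARAMS` as a child of the shell instead of `exec`-ing it, so s6 supervises the `sh` process rather than hbbr: a SIGTERM from the supervisor at shutdown terminates the shell and most likely leaves hbbr running unsupervised. Make the branch `exec /usr/bin/hbbr $PARAMS`, mirroring the root branch. The `cd /data || return` context line at the top of the hunk is also fragile: `return` outside a function at script top level is unspecified by POSIX and should not be relied on in busybox `sh`, so `cd /data || exit 1` expresses the intent (fail the service so s6 restarts it) unambiguously.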
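Review bot: Same missing `exec` as in hbbr/run: the non-root branch `/usr/bin/hbbs -r $RELAY $PARAMS` leaves an intermediate `sh` between s6 and hbbs, so the supervisor's signals and restart logic act on the shell and hbbs may be orphaned on shutdown; it should read `exec /usr/bin/hbbs -r "$RELAY" $PARAMS`. While on that line, quote `"$RELAY"`: it is a single hostname value, unlike `$PARAMS`, which is deliberately left unquoted so that `-k _` splits into two arguments, and an empty `RELAY` otherwise makes `-r` swallow the first token of `$PARAMS`. The `cd /data || return` context line has the same problem as in hbbr/run — `return` at top level of a non-sourced script is unspecified — and `|| exit 1` is the unambiguous form.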
@@ -1,10 +1,15 @@ #!/command/with-contenv sh +if [ "$(id -u)" -ne 0 ] ; then + # if the container is running unprivileged, we cannot manage users + exit +fi + PUID=${PUID:-1000} PGID=${PGID:-1000} -USERNAME=rustdesk -GROUPNAME=rustdesk -addgroup -g "${PGID}" "${GROUPNAME}" -adduser -D -h /data -u "${PUID}" -G "${GROUPNAME}" "${USERNAME}" +# usermod/groupmod is not present in this image, so we use this dirty trick +sed -i "s/^rustdesk\:.*/rustdesk:x:${PGID}:rustdesk/" /etc/group +sed -i "s/^rustdesk\:.*/rustdesk:x:${PUID}:${PGID}:Linux User,,,:\/data:\/bin\/sh/" /etc/passwd + chown "${PUID}:${PGID}" "/data"
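Review bot: `PUID` and `PGID` are spliced unvalidated into the `sed` replacement strings and hence straight into `/etc/passwd` and `/etc/group`, and nothing rejects `0`: a deployment that sets `PUID=0` turns the "unprivileged" rustdesk account into uid 0, so `s6-setuidgid rustdesk` in the run scripts then starts hbbs/hbbr as root, while a value containing `/`, `:` or a newline breaks the sed expression and, since the script has no `set -e`, silently leaves the old entries in place. Validate both values as plain positive integers before the `sed` lines and fail the oneshot otherwise; as I read the `dependencies` files, a failed `set-user` then keeps hbbr/hbbs from starting, which is the safe direction. The rewrite below does that; busybox's `deluser`/`delgroup` followed by `addgroup -g`/`adduser -u` would avoid editing passwd/group with `sed` altogether, though I have not checked that those applets are enabled in this busybox build. Note also that the `chown` is not recursive, so files already present in a `/data` volume from earlier root-running versions of this image stay root-owned and unreadable to the new user — worth either `chown -R` (with the usual caveat about large volumes) or an explicit upgrade note in the README.
```shell
PUID=${PUID:-1000}
PGID=${PGID:-1000}

# Both values are spliced into /etc/passwd and /etc/group and become the
# uid/gid the services drop to: accept only positive integers, never 0.
for v in "$PUID" "$PGID"; do
  case "$v" in
    ''|*[!0-9]*)
      echo "set-user: PUID/PGID must be numeric, got '$v'" >&2
      exit 1 ;;
  esac
  if [ "$v" -eq 0 ]; then
    echo "set-user: refusing to run hbbs/hbbr as uid/gid 0" >&2
    exit 1
  fi
done

# … unchanged: sed rewrites of /etc/group and /etc/passwd, chown of /data …
```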