Allow docker-nginx to run under a non root user (#68)

* Allow docker-nginx to run under a non root user

* remove additional layer when setting permissions

* Add expectations and fix nginx error log permissions

* set s6 root read only flag

* fix s6-chown issues

* merging comments

* specify username in COPY command

Author: sravankasu

Dockerfile

@@ -38,7 +38,7 @@ RUN /bin/bash -e /security_updates.sh && \
     /bin/bash -e /clean.sh
 
 # Overlay the root filesystem from this repo
-COPY ./container/root /
+COPY --chown=www-data ./container/root /
 
 # Set nginx to listen on defined port
 # NOTE: order of operations is important, new config had to already installed from repo (above)
@@ -48,11 +48,13 @@ COPY ./container/root /
 # - Remove older WOFF mime-type
 # - Add again with newer mime-type
 # - Also add mime-type for WOFF2
+# Set permissions to allow image to be run under a non root user
 RUN sed -i "s/listen [0-9]*;/listen ${CONTAINER_PORT};/" $CONF_NGINX_SITE && \
     mkdir /tmp/.nginx && \
     sed -i "/application\/font-woff/d" /etc/nginx/mime.types && \
     sed -i "s/}/\n    font\/woff                             woff;&/" /etc/nginx/mime.types && \
-    sed -i "s/}/\n    font\/woff2                            woff2;\n&/g" /etc/nginx/mime.types
+    sed -i "s/}/\n    font\/woff2                            woff2;\n&/g" /etc/nginx/mime.types && \
+    /bin/bash -e /scripts/set_permissions.sh
 
 RUN goss -g /tests/ubuntu/nginx.goss.yaml validate && \
     /aufs_hack.sh

Dockerfile-alpine

@@ -23,23 +23,24 @@ RUN apk update --no-cache && \
     /bin/bash -e /clean.sh
 
 # Overlay the root filesystem from this repo
-COPY ./container/root /
+COPY --chown=www-data ./container/root /
 
 # - Set nginx to listen on defined port
-# - Fix permissions to run unprivileged
 # - Make temp directory for .nginx runtime files
 # - Some operations can be completely removed once this ticket is resolved:
 # - https://trac.nginx.org/nginx/ticket/1243
 # - Remove older WOFF mime-type
 # - Add again with newer mime-type
 # - Also add mime-type for WOFF2
+# - Fix permissions for nginx folders and run set_permissions.sh to allow running image under a non root user
 RUN sed -i "s/listen [0-9]*;/listen ${CONTAINER_PORT};/" $CONF_NGINX_SITE && \
     bash -c "chown www-data:www-data /var/{lib,log}/nginx -Rh" && \
     bash -c "chmod 0755 -R /var/{lib,log}/nginx" && \
     mkdir /tmp/.nginx && \
     sed -i "/application\/font-woff/d" /etc/nginx/mime.types && \
     sed -i "s/}/\n    font\/woff                             woff;&/" /etc/nginx/mime.types && \
-    sed -i "s/}/\n    font\/woff2                            woff2;\n&/g" /etc/nginx/mime.types
+    sed -i "s/}/\n    font\/woff2                            woff2;\n&/g" /etc/nginx/mime.types && \
+    /bin/bash -e /scripts/set_permissions.sh
 
 RUN goss -g /tests/alpine/nginx.goss.yaml validate && \
     /aufs_hack.sh

Dockerfile-centos

@@ -21,7 +21,7 @@ RUN /bin/bash -e /security_updates.sh && \
     /bin/bash -e /clean.sh
 
 # Overlay the root filesystem from this repo
-COPY ./container/root /
+COPY --chown=nginx ./container/root /
 
 # - Set nginx to listen on defined port
 # - NOTE: order of operations is important, new config had to already installed from repo (above)
@@ -32,12 +32,14 @@ COPY ./container/root /
 # - Remove older WOFF mime-type
 # - Add again with newer mime-type
 # - Also add mime-type for WOFF2
+# Set permissions to allow image to be run under a non root user
 RUN sed -i "s/listen [0-9]*;/listen ${CONTAINER_PORT};/" $CONF_NGINX_SITE && \
     mkdir /tmp/.nginx && \
     sed -i "s/^user .*$/user ${NOT_ROOT_USER};/" ${CONF_NGINX_SERVER} && \
     sed -i "/application\/font-woff/d" /etc/nginx/mime.types && \
     sed -i "s/}/\n    font\/woff                             woff;&/" /etc/nginx/mime.types && \
-    sed -i "s/}/\n    font\/woff2                            woff2;\n&/g" /etc/nginx/mime.types
+    sed -i "s/}/\n    font\/woff2                            woff2;\n&/g" /etc/nginx/mime.types && \
+    /bin/bash -e /scripts/set_permissions.sh
 
 RUN goss -g /tests/centos/nginx.goss.yaml validate && \
     /aufs_hack.sh

README.md

@@ -18,6 +18,7 @@ See parent(s) [docker-base](https://github.com/behance/docker-base) for addition
 ### Expectations
 
 - Applications must copy their html/app into the `/var/www/html` folder
+- Any new script/file that needs to be added must be given proper permissions/ownership to the non root user through `container/root/scripts/set_permissions.sh`. This is to ensure that the image can be run under a non root user.
 -   NOTE: Nginx is exposed and bound to an unprivileged port, `8080`
 
 

container/root/s6-setuidgid

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+current_user=$(whoami)
+set_user=${1}
+if [ "$current_user" == "$set_user" ]; then
+    echo "deprivilege noop (s6-setuidgid): current user = set user: $set_user."
+    shift
+    exec $@
+else    
+    echo "***Warning*** Starting image as $current_user and deprivileging service to run under $set_user, future versions of this image will use $NOT_ROOT_USER as the default user set via https://docs.docker.com/engine/reference/builder/#user."
+    exec /scripts/s6-setuidgid $@
+fi    

container/root/scripts/set_permissions.sh

@@ -0,0 +1,16 @@
+#!/bin/bash -e
+
+# Replace existing s6-setuidgid binary with the script we've written
+mv /bin/s6-setuidgid /scripts/s6-setuidgid && mv /s6-setuidgid /bin/
+
+# Create the nginx error log file before nginx does so that nginx does not complain about permissions on this file
+touch /var/log/nginx/error.log
+
+# Assign ownership of required scripts/directories to the non root user
+rm /var/run && mkdir -p /var/run/s6 && chown -R ${NOT_ROOT_USER} /etc/services.d/ /etc/services-available/ /bin/s6-* /etc/nginx/ /tmp/ /var/
+
+chmod 755 -R /etc/s6/ /bin/s6-* /scripts/s6-setuidgid /etc/nginx/ /var/
+
+# Make s6 give non root user ownership to user provided files instead of root
+# List of files/folders given ownership available here: https://github.com/just-containers/s6-overlay/blob/master/builder/overlay-rootfs/etc/s6/init/init-stage2-fixattrs.txt
+sed -i "s/root/${NOT_ROOT_USER}/" /etc/s6/init/init-stage2-fixattrs.txt