Last active
August 13, 2020 14:35
-
-
Save thom-nic/5e561e800cbc0f71555c to your computer and use it in GitHub Desktop.
Dockerfile that attempts to run the app as non-root user. This creates a `node` user & sets permissions on app files. Note you cannot `chown` files in a docker 'volume' during the build process, but you can at runtime (as part of your `CMD`) but in that case you can't use the `USER` command to change the UID before `CMD` runs.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### | |
| # Node.js app Docker file | |
| # | |
| # Some basic build instructions: | |
| # ``` | |
| # # you should delete node_modules b/c you don't want that copied during 'ADD' | |
| # docker build -t thom-nic/node-bootstrap . | |
| # # run a shell in the container to inspect the environment (as root): | |
| # docker run --rm -itu root thom-nic/node-bootstrap /bin/bash | |
| # ``` | |
| ### | |
| FROM dockerfile/nodejs | |
| MAINTAINER Thom Nichols "[email protected]" | |
| RUN useradd -ms /bin/bash node | |
| # copy the nice dotfiles that dockerfile/ubuntu gives us: | |
| RUN cd && cp -R .bash_profile .bashrc .gitconfig .profile scripts /home/node | |
| ADD . /home/node/app | |
| RUN chown -R node:node /home/node | |
| USER node | |
| ENV HOME /home/node | |
| WORKDIR /home/node/app | |
| #ENV NODE_ENV production | |
| RUN npm install | |
| EXPOSE 8888 | |
| CMD ["npm", "start"] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@thom-nic First off, thank you for the gist. I'm trying to accomplish something similar and stumbled across your SO post, and I wound up here.
It seems to me that one wouldn't want the files to be owned by the user that the application runs under (
nodein this case). As a hypothetical, let's say that part of the node application allows the user to upload files. Furthermore, assume that the upload code fails to properly sanitize the upload path, thereby allowing users to control the destination. Ifnodeowns the files, then a malicious user exploiting the upload vulnerability would be able to effectively overwrite application code. This scenario is a common attack vector.If you consider webservers like apache and nginx, for the very reason outlined above you wouldn't want the application files to be owned by the same user as the webserver runs under, right? (e.g. granting ownership of php files to
www-useris a security issue.) In the Dockerfile, it therefore seems likerootshould own the files, and thenodeuser should run the application.Thoughts?