[FEATURE] Container privilege de-escalation (#1370)

* support for running as non-root

* forgot to save file

* removed write perms for user on entrypoint script

* preserve existing user behavior

* fix entrypoint permissions to account for non-root user

* typo in chmod on line 63

* better entrypoint script; moved to root

* execute bit

* support for running as non-root

* forgot to save file

* removed write perms for user on entrypoint script

* preserve existing user behavior

* fix entrypoint permissions to account for non-root user

* typo in chmod on line 63

* better entrypoint script; moved to root

* execute bit

* very rough draft documentation

* added missing header

* typo changes -> changed

* Update entrypoint.sh

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>

* Apply suggestions from code review

looks good

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
akusei 2020-10-18 16:12:21 -07:00 committed by GitHub
parent 0ba634ffee
commit af2ae328e7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 112 additions and 34 deletions

@ -51,16 +51,20 @@ GOOS=linux GOARCH=amd64 CGO_ENABLED=1 go build -tags netgo -ldflags '-s -w -link
# =================================== # ===================================
FROM alpine:3.12.0 FROM alpine:3.12.0
RUN apk --no-cache add ca-certificates tzdata COPY --from=builder-backend /go/src/app/cmd/authelia/authelia ./
COPY ./entrypoint.sh /usr/local/bin/entrypoint.sh
RUN apk --no-cache add ca-certificates su-exec tzdata
WORKDIR /app WORKDIR /app
COPY --from=builder-backend /go/src/app/cmd/authelia/authelia ./
EXPOSE 9091 EXPOSE 9091
VOLUME /config VOLUME /config
ENV PATH="/app:${PATH}" ENV PATH="/app:${PATH}"
ENV PUID=0
ENV PGID=0
CMD ["authelia", "--config", "/config/configuration.yml"] ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
CMD ["--config", "/config/configuration.yml"]
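Review bot: As rendered, the added `COPY --from=builder-backend /go/src/app/cmd/authelia/authelia ./` now sits above the unchanged `WORKDIR /app`, so the binary would be copied to `/authelia` rather than `/app/authelia`, while `ENV PATH="/app:${PATH}"` and the entrypoint's `exec authelia "$@"` both expect it under `/app`; if that ordering is what is committed, move the COPY below `WORKDIR /app` or give it an explicit `/app/authelia` destination. The arm32v7 and arm64v8 Dockerfiles show the same ordering. The split `CMD ["--config", "/config/configuration.yml"]` also only works because the entrypoint special-cases `--config` as its first argument; a one-line comment next to the ENTRYPOINT explaining that coupling would save the next maintainer a trip to entrypoint.sh.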

@ -55,18 +55,21 @@ GOOS=linux GOARCH=arm CGO_ENABLED=1 CC=arm-linux-musleabihf-gcc go build -tags n
FROM arm32v7/alpine:3.12.0 FROM arm32v7/alpine:3.12.0
COPY ./qemu-arm-static /usr/bin/qemu-arm-static COPY ./qemu-arm-static /usr/bin/qemu-arm-static
COPY --from=builder-backend /go/src/app/cmd/authelia/authelia ./
COPY ./entrypoint.sh /usr/local/bin/entrypoint.sh
RUN apk --no-cache add ca-certificates tzdata && \ RUN apk --no-cache add ca-certificates su-exec tzdata && \
rm /usr/bin/qemu-arm-static rm /usr/bin/qemu-arm-static
WORKDIR /app WORKDIR /app
COPY --from=builder-backend /go/src/app/cmd/authelia/authelia ./
EXPOSE 9091 EXPOSE 9091
VOLUME /config VOLUME /config
ENV PATH="/app:${PATH}" ENV PATH="/app:${PATH}"
ENV PUID=0
ENV PGID=0
CMD ["authelia", "--config", "/config/configuration.yml"] ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
CMD ["--config", "/config/configuration.yml"]
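Review bot: Style: `ENV PUID=0` and `ENV PGID=0` can be a single instruction, `ENV PUID=0 PGID=0`, which keeps the defaults together and the image history shorter; the same applies to the arm64v8 Dockerfile. A short comment that `0` means "keep the existing root behaviour" would also help, since the docs hunk only explains the non-root values.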

@ -55,18 +55,21 @@ GOOS=linux GOARCH=arm64 CGO_ENABLED=1 CC=aarch64-linux-musl-gcc go build -tags n
FROM arm64v8/alpine:3.12.0 FROM arm64v8/alpine:3.12.0
COPY ./qemu-aarch64-static /usr/bin/qemu-aarch64-static COPY ./qemu-aarch64-static /usr/bin/qemu-aarch64-static
COPY --from=builder-backend /go/src/app/cmd/authelia/authelia ./
COPY ./entrypoint.sh /usr/local/bin/entrypoint.sh
RUN apk --no-cache add ca-certificates tzdata && \ RUN apk --no-cache add ca-certificates su-exec tzdata && \
rm /usr/bin/qemu-aarch64-static rm /usr/bin/qemu-aarch64-static
WORKDIR /app WORKDIR /app
COPY --from=builder-backend /go/src/app/cmd/authelia/authelia ./
EXPOSE 9091 EXPOSE 9091
VOLUME /config VOLUME /config
ENV PATH="/app:${PATH}" ENV PATH="/app:${PATH}"
ENV PUID=0
ENV PGID=0
CMD ["authelia", "--config", "/config/configuration.yml"] ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
CMD ["--config", "/config/configuration.yml"]

@ -206,3 +206,61 @@ chain = DOCKER-USER
If you are not using Docker remove the the line "chain = DOCKER-USER" If you are not using Docker remove the the line "chain = DOCKER-USER"
Finally, restart the fail2ban service. Finally, restart the fail2ban service.
## Container privilege de-escalation
Authelia will run as root by default, there are two options to run as a non-root user. The first option is to use the
Docker `--user` option on the command line or in docker-compose. The second option is to use the `PUID` and `PGID`
environment variables. An added benefit of using the environment variables is the mounted volumes ownership will automatically
be changed for you.
### Docker user option
With the Docker `--user` option, Docker will ensure Authelia is running as the user id and group id you specify.
In order to use this option, you will need to mount the `/config` volume to a directory on the host and set
the owner and group of that directory to the same user you supplied to docker. Running Authelia with `--user`
without mounting a volume to `/config` or incorrectly setting the host systems directory owner will cause Authelia
to exit immediately. The docker `--user` option will take precedence over the environment variables.
On the command line, you would create your Authelia data directory, change ownership to your non-root user
and run Authelia with `--user` set:
```
mkdir /authelia
chown user:group /authelia
docker run --user user:group -v /authelia:/config authelia/authelia:latest
```
As a docker-compose.yml file:
```
version: '3.8'
services:
authelia:
image: authelia/authelia
container_name: authelia
user: 1000:1000
volumes:
- ./authelia:/config
```
### PUID/PGID environment variables
If you choose to use the environment variables, the correct ownership will be applied automatically on startup of
the container, so there's no need to `chown` before running, to use this on the command line use the following:
```
docker run -e PUID=1000 -e PGID=1000 -v /authelia:/config authelia:authelia:latest
```
As a docker-compose.yml file:
```
version: '3.8'
services:
authelia:
image: authelia/authelia
container_name: authelia
environment:
PUID: 1000
PGID: 1000
volumes:
- ./authelia:/config
```
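Review bot: The `docker run` example under "PUID/PGID environment variables" has a typo in the image reference: `authelia:authelia:latest` should be `authelia/authelia:latest`, matching the `--user` example above it. In the `--user` example, `docker run --user user:group` only works if `user` and `group` resolve against the container's own `/etc/passwd` and `/etc/group`; the Alpine base image has no such entries, so the example should use numeric ids (`--user 1000:1000`, as the compose example already does) with a matching `chown 1000:1000 /authelia`. It is also worth stating in the PUID/PGID section that the automatic ownership change is a recursive `chown` of `/config` performed on every container start, since operators with large or shared config directories will want to know that. Smaller nits: "Authelia will run as root by default, there are two options" is a comma splice ("by default; there are two options"), "host systems directory owner" should read "host system's directory owner", and the fenced blocks would read better with language tags (`console`, `yaml`).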

entrypoint.sh Executable file

@ -0,0 +1,10 @@
#!/bin/sh
if [[ ! -z ${1} ]] && [[ ${1} != "--config" ]]; then
exec "$@"
elif [[ $(id -u) != 0 ]] || [[ $(id -g) != 0 ]]; then
exec authelia "$@"
else
chown -R ${PUID}:${PGID} /config
exec su-exec ${PUID}:${PGID} authelia "$@"
fi
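Review bot: The `chown -R ${PUID}:${PGID} /config` in the `else` branch runs on every start whenever the container is root, including with the defaults `PUID=0`/`PGID=0`, so an existing deployment whose `/config` files belong to a non-root host user will have them recursively reassigned to root the first time this image starts; that works against the "preserve existing user behavior" goal. Suggest skipping the chown when `PUID` and `PGID` are both `0`, or only chowning when the current owner of `/config` differs from the requested one. Two smaller points: the first branch treats any first argument other than `--config` as a complete command to `exec`, so `docker run authelia/authelia --help` would try to execute `--help` rather than `authelia --help`; matching on the literal `authelia` (or falling through to `authelia "$@"` whenever `$1` starts with `-`) would be more forgiving. And `[[ ... ]]` with unquoted `${1}` is a bash/ash extension under a `#!/bin/sh` shebang; `[ -n "${1}" ] && [ "${1}" != "--config" ]` is the POSIX form and behaves the same on BusyBox.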