Archives/gristlabs_grist-core
1
0
Fork 0
mirror of https://github.com/gristlabs/grist-core.git synced 2024-10-27 20:44:07 +00:00
Code Issues Projects Releases Wiki Activity

Adds a home directory for non-root docker user in container (#1109)

Browse Source 
Fixes some edge cases where certain programs (e.g yarn) wouldn't work correctly due to HOME being set to a folder with bad permissions.
This commit is contained in:
Spoffy 2024-07-16 22:35:27 +01:00 committed by GitHub
parent 73e022b0c5
commit 1d92e69c43
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
sandbox/docker_entrypoint.sh
View File

@ -16,12 +16,20 @@ if [[ $current_user_id == 0 ]]; then
# Make sure the target user owns everything that Grist needs write access to. # Make sure the target user owns everything that Grist needs write access to.
find $write_dir ! -user "$target_user" -exec chown "$target_user" "{}" + find $write_dir ! -user "$target_user" -exec chown "$target_user" "{}" +
# Make a home directory for the target user, in case anything needs to access it.
export HOME="/grist_user_homes/${target_user}"
mkdir -p "$HOME"
chown -R "$target_user":"$target_group" "$HOME"
# Restart as the target user, replacing the current process (replacement is needed for security). # Restart as the target user, replacing the current process (replacement is needed for security).
# Alternative tools to setpriv are: chroot, gosu. # Alternative tools to setpriv are: chroot, gosu.
# Need to use `exec` to close the parent shell, to avoid vulnerabilities: https://github.com/tianon/gosu/issues/37 # Need to use `exec` to close the parent shell, to avoid vulnerabilities: https://github.com/tianon/gosu/issues/37
exec setpriv --reuid "$target_user" --regid "$target_group" --init-groups /usr/bin/env bash "$0" "$@" exec setpriv --reuid "$target_user" --regid "$target_group" --init-groups /usr/bin/env bash "$0" "$@"
fi fi
# Printing the user helps with setting volume permissions.
echo "Running Grist as user $(id -u) with primary group $(id -g)"
# Validate that this user has access to the top level of each important directory. # Validate that this user has access to the top level of each important directory.
# There might be a benefit to testing individual files, but this is simpler as the dir may start empty. # There might be a benefit to testing individual files, but this is simpler as the dir may start empty.
for dir in "${important_read_dirs[@]}"; do for dir in "${important_read_dirs[@]}"; do