mirror of
https://github.com/gristlabs/grist-core.git
synced 2024-10-27 20:44:07 +00:00
a8431c69a7
De-escalates to a normal user when the docker image is run as root. Allows GRIST_DOCKER_USER and GRIST_DOCKER_GROUP to be passed to override the default de-escalation behaviour. Backwards compatible with previous root installations. -------- This change adds a new docker_entrypoint.sh, which when run as root de-escalates to the provided user, defaulting to grist:grist. This is similar to the approach used by the official postgres docker image. To achieve backwards compatibility, it changes ownership of any files in `/persist` to the user it's given at runtime. Since the docker container is typically run as root, this should always work. If the container is run as a standard user from the very start: * It's the admin's responsibility to ensure `/persist` is writable by that user. * `/grist` remains owned by root and is read-only.
41 lines
1.5 KiB
Bash
Executable File
41 lines
1.5 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
set -Eeuo pipefail
|
|
|
|
# Runs the command provided as arguments, but attempts to configure permissions first.
|
|
|
|
important_read_dirs=("/grist" "/persist")
|
|
write_dir="/persist"
|
|
current_user_id=$(id -u)
|
|
|
|
# We want to avoid running Grist as root if possible.
|
|
# Try to setup permissions and de-elevate to a normal user.
|
|
if [[ $current_user_id == 0 ]]; then
|
|
target_user=${GRIST_DOCKER_USER:-grist}
|
|
target_group=${GRIST_DOCKER_GROUP:-grist}
|
|
|
|
# Make sure the target user owns everything that Grist needs write access to.
|
|
find $write_dir ! -user "$target_user" -exec chown "$target_user" "{}" +
|
|
|
|
# Restart as the target user, replacing the current process (replacement is needed for security).
|
|
# Alternative tools to setpriv are: chroot, gosu.
|
|
# Need to use `exec` to close the parent shell, to avoid vulnerabilities: https://github.com/tianon/gosu/issues/37
|
|
exec setpriv --reuid "$target_user" --regid "$target_group" --init-groups /usr/bin/env bash "$0" "$@"
|
|
fi
|
|
|
|
# Validate that this user has access to the top level of each important directory.
|
|
# There might be a benefit to testing individual files, but this is simpler as the dir may start empty.
|
|
for dir in "${important_read_dirs[@]}"; do
|
|
if ! { test -r "$dir" ;} ; then
|
|
echo "Invalid permissions, cannot read '$dir'. Aborting." >&2
|
|
exit 1
|
|
fi
|
|
done
|
|
for dir in "${important_write_dirs[@]}"; do
|
|
if ! { test -r "$dir" && test -w "$dir" ;} ; then
|
|
echo "Invalid permissions, cannot write '$dir'. Aborting." >&2
|
|
exit 1
|
|
fi
|
|
done
|
|
|
|
exec /usr/bin/tini -s -- "$@"
|