From 9ca2b140d8c6ed57bf23246fe38eb692fcd11696 Mon Sep 17 00:00:00 2001 From: luc Date: Mon, 30 May 2016 23:21:35 +0200 Subject: [PATCH] Run yacy daemon as non-root for improved security. --- docker/Dockerfile | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index 3d032042e..a1043f52b 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -9,7 +9,8 @@ RUN apt-get update && apt-get install -yq \ default-jre-headless \ ant \ git \ - curl + curl \ + sudo # set current working dir WORKDIR /opt @@ -29,6 +30,12 @@ RUN ant compile # Set initial admin password : "docker" (encoded with custom yacy md5 function net.yacy.cora.order.Digest.encodeMD5Hex()) RUN sed -i "/adminAccountBase64MD5=/c\adminAccountBase64MD5=MD5:e672161ffdce91be4678605f4f4e6786" /opt/yacy_search_server/defaults/yacy.init +# Create user and group yacy : this user will be used to run YaCy main process +RUN adduser --system --group --no-create-home --disabled-password yacy + +# Set ownership of yacy install directory to yacy user/group +RUN chown yacy:yacy -R /opt/yacy_search_server + # make some cleaning to reduce image size RUN rm -rf .git \ && apt-get purge -yq --auto-remove \ @@ -40,8 +47,8 @@ RUN rm -rf .git \ # Expose port 8090 EXPOSE 8090 -# Set data volume : can be used to persist yacy data and configuration +# Set data volume : yacy data and configuration will persist aven after container stop or destruction VOLUME ["/opt/yacy_search_server/DATA"] -# Start yacy ind debug mode (-d) to display console logs and to wait for yacy process -CMD sh /opt/yacy_search_server/startYACY.sh -d +# Start yacy as non-root process in debug mode (-d) to display console logs and to wait for yacy process +CMD sudo -u yacy sh /opt/yacy_search_server/startYACY.sh -d