Fix #2680 - Run processes in Docker as non-root user (#3159)

diff --git a/Dockerfile b/Dockerfile
index e2926725a429ee1884c4edc4e39c536ae39d39f6..3248dd9d103a7815f7caaf822654b0ea10fe8f96 100644 (file)
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,8 +3,8 @@ FROM ruby:2.4.1-alpine
 LABEL maintainer="https://github.com/tootsuite/mastodon" \
       description="A GNU Social-compatible microblogging server"
 
-ENV RAILS_ENV=production \
-    NODE_ENV=production
+ENV UID=991 GID=991 \
+    RAILS_ENV=production NODE_ENV=production
 
 EXPOSE 3000 4000
 
@@ -31,6 +31,8 @@ RUN echo "@edge https://nl.alpinelinux.org/alpine/edge/main" >> /etc/apk/reposit
     imagemagick@edge \
     ca-certificates \
     protobuf \
+    tini \
+    su-exec \
  && npm install -g npm@3 && npm install -g yarn \
  && update-ca-certificates \
  && rm -rf /tmp/* /var/cache/apk/*
@@ -42,4 +44,10 @@ RUN bundle install --deployment --without test development \
 
 COPY . /mastodon
 
+COPY docker_entrypoint.sh /usr/local/bin/run
+
+RUN chmod +x /usr/local/bin/run
+
 VOLUME /mastodon/public/system /mastodon/public/assets /mastodon/public/packs
+
+ENTRYPOINT ["/usr/local/bin/run"]

diff --git a/docker_entrypoint.sh b/docker_entrypoint.sh
new file mode 100644 (file)
index 0000000..e532613
--- /dev/null
+++ b/docker_entrypoint.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+addgroup -g ${GID} mastodon && adduser -h /mastodon -s /bin/sh -D -G mastodon -u ${UID} mastodon
+find /mastodon -path /mastodon/public/system -prune -o -not -user mastodon -not -group mastodon -print0 | xargs -0 chown -f mastodon:mastodon
+su-exec mastodon:mastodon /sbin/tini -- "$@"