From ee628c5df0581dbd4f015fc3554a948840f74d3e Mon Sep 17 00:00:00 2001
From: WofWca
Date: Sat, 7 Dec 2024 16:21:02 +0400
Subject: [PATCH] chore: Dockerfile: run proxy as non-root user

I believe this might have a potential to affect existing setups, e.g. if they use a privileged port for `--metrics-port` or `--ephemeral-ports-range`. But it should work fine with our currently recommended `docker-compose.yml`: https://gitlab.torproject.org/tpo/anti-censorship/docker-snowflake-proxy/-/blob/main/docker-compose.yml Related: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40328
---
 Dockerfile | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 99bec65..6681a41 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,8 +15,15 @@ WORKDIR /app/proxy
 RUN go get
 RUN CGO_ENABLED=0 go build -o proxy -ldflags '-extldflags "-static" -w -s' .
+RUN groupadd nonroot
+RUN useradd --gid nonroot nonroot
+
 FROM scratch
+COPY --from=build /etc/passwd /etc/passwd
+COPY --from=build /etc/group /etc/group
+USER nonroot:nonroot
+
 COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 COPY --from=build /usr/share/zoneinfo /usr/share/zoneinfo
 COPY --from=build /app/proxy/proxy /bin/proxy
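Review bot: The added `RUN useradd --gid nonroot nonroot` leaves the UID/GID to whatever the build image allocates next, so the identity the proxy runs under is not stable across rebuilds and runtimes that enforce a non-root policy by numeric UID (e.g. Kubernetes `runAsNonRoot`) cannot verify `USER nonroot:nonroot` without parsing the copied passwd file; pin it and mark it a system account in one layer, `RUN groupadd --system --gid 10001 nonroot && useradd --system --uid 10001 --gid nonroot --no-create-home --shell /usr/sbin/nologin nonroot`, and the `USER` line can then equally be written as `USER 10001:10001`. The `COPY --from=build /etc/passwd` and `/etc/group` lines carry every account of the build image into the scratch image, not only `nonroot`; if the binary needs passwd lookups at all, copying only the `nonroot` entries (written to a separate file in the build stage) keeps the runtime image to the one identity it uses. The home directory recorded for `nonroot` presumably does not exist under `FROM scratch`, which is worth noting in a comment such as `# nonroot has no home or shell in the final image; the proxy must not rely on either` above the `USER` line. The build stage these `RUN` lines belong to begins outside the hunk.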