s6 container - run as user #425

Draft: wants to merge 4 commits into base: master
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -196,6 +196,8 @@ For this container image, you can use these environment variables, **in addition
| ENCRYPTED_ONLY | yes | if set to **"1"** unencrypted connection will not be accepted |
| KEY_PUB | yes | public part of the key pair |
| KEY_PRIV | yes | private part of the key pair |
| PUID | yes | user ID that hbbr/hbbs will use (1000 by default) |
| PGID | yes | group ID that hbbr/hbbs will use (1000 by default) |

### Secret management in S6-overlay based images

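Review bot: the PUID/PGID rows should state when they actually take effect. The set-user oneshot only rewrites the account when it runs as root, and this same PR adds `USER rustdesk` to the Dockerfile, so with the image's default entrypoint user these variables are ignored and hbbr/hbbs run with the UID/GID baked in at build time. Suggest wording such as "only honoured when the container is started as root (e.g. `--user 0`); otherwise the ID fixed at build time (1000) is used", plus a sentence that a bind-mounted /data must already be readable and writable by that UID, since an unprivileged container cannot chown it.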
8 changes: 8 additions & 0 deletions docker/Dockerfile
Expand Up @@ -14,6 +14,12 @@ COPY rootfs /

ENV RELAY=relay.example.com
ENV ENCRYPTED_ONLY=0
ENV PGID=1000
ENV PUID=1000

RUN \
addgroup -g "${PGID}" rustdesk && \
adduser -D -h /data -u "${PUID}" -G rustdesk rustdesk

EXPOSE 21115 21116 21116/udp 21117 21118 21119

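Review bot: `ENV PGID=1000` / `ENV PUID=1000` are consumed at build time by the `RUN addgroup ... adduser` step, so the account is always created as 1000:1000 regardless of what an operator later passes with `-e PUID=...`; the runtime override depends entirely on the set-user service. If a configurable build-time ID is wanted, use `ARG PUID=1000` / `ARG PGID=1000` for the RUN step and keep the ENV lines for runtime; if not, a comment saying the ENV values are only the defaults that set-user reads later would save the next reader some confusion.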
Expand All @@ -23,4 +29,6 @@ WORKDIR /data

VOLUME /data

USER rustdesk

ENTRYPOINT ["/init"]
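Review bot: `USER rustdesk` before `ENTRYPOINT ["/init"]` makes the privilege-drop branches in the run scripts and the whole set-user oneshot dead code by default, because `id -u` is never 0 unless the operator overrides the user. Pick one model: either keep the container root and rely on `s6-setuidgid rustdesk` (so PUID/PGID and the chown of /data work), or keep `USER rustdesk` and remove the root-only branches. Running `/init` unprivileged also requires the s6-overlay directories and whatever key-secret writes to be readable by that user, which this diff does not show being arranged.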
1 change: 1 addition & 0 deletions docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/dependencies
@@ -1 +1,2 @@
key-secret
set-user
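Review bot: listing `key-secret` and `set-user` side by side gives no ordering between them. If key-secret writes the key pair into /data while still root, the `chown` in set-user (which is non-recursive in up.real) may run before those files exist and leave them root-owned, so hbbr started through `s6-setuidgid rustdesk` could fail to read the private key. Make `key-secret` depend on `set-user` (or the reverse, whichever matches where the secrets are written) so the order is explicit.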
8 changes: 6 additions & 2 deletions docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/run
@@ -1,5 +1,9 @@
#!/command/with-contenv sh
cd /data
cd /data || return
PARAMS=
[ "${ENCRYPTED_ONLY}" = "1" ] && PARAMS="-k _"
/usr/bin/hbbr $PARAMS
if [ "$(id -u)" -ne 0 ] ; then
/usr/bin/hbbr $PARAMS
else
exec s6-setuidgid rustdesk /usr/bin/hbbr $PARAMS
fi
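Review bot: the unprivileged branch runs `/usr/bin/hbbr $PARAMS` without `exec`, while the root branch uses `exec s6-setuidgid ...`; in the first case the shell remains the supervised process, so s6's signals (`s6-svc -d`, container stop) go to `sh` rather than hbbr and the service can be reported as up after hbbr has exited. Use `exec /usr/bin/hbbr $PARAMS` in both branches. Also `cd /data || return` is outside any function: POSIX leaves a top-level `return` unspecified, so `cd /data || exit 1` says what is meant. The two branches can collapse to one line with the privilege drop in a variable, e.g. `[ "$(id -u)" -eq 0 ] && DROP="s6-setuidgid rustdesk"` followed by `exec $DROP /usr/bin/hbbr $PARAMS`.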
1 change: 1 addition & 0 deletions docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/dependencies
@@ -1,2 +1,3 @@
key-secret
set-user
hbbr
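Review bot: the new `set-user` line is redundant with the existing `hbbr` dependency, since hbbr itself now depends on set-user; stating it explicitly is harmless. The ordering gap is the real concern: `key-secret` and `set-user` are still unordered relative to each other, so key files written into /data by key-secret may end up owned by root rather than the final UID that hbbs runs as, and one of the two should depend on the other.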
8 changes: 6 additions & 2 deletions docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/run
@@ -1,6 +1,10 @@
#!/command/with-contenv sh
sleep 2
cd /data
cd /data || return
PARAMS=
[ "${ENCRYPTED_ONLY}" = "1" ] && PARAMS="-k _"
/usr/bin/hbbs -r $RELAY $PARAMS
if [ "$(id -u)" -ne 0 ] ; then
/usr/bin/hbbs -r $RELAY $PARAMS
else
exec s6-setuidgid rustdesk /usr/bin/hbbs -r $RELAY $PARAMS
fi
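Review bot: the non-root branch lacks `exec`, so `sh` stays as the supervised PID and s6 signals never reach hbbs; write `exec /usr/bin/hbbs -r $RELAY $PARAMS` there as well, and replace the top-level `return` after `cd /data` with `exit 1`. Separately, `-r $RELAY` is unquoted: if `RELAY` is empty and ENCRYPTED_ONLY=1 the command line becomes `hbbs -r -k _`, where `-k` would be consumed as the relay name. Guard with `[ -n "$RELAY" ] || { echo 'RELAY is unset' >&2; exit 1; }` before the exec.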
1 change: 1 addition & 0 deletions docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/type
@@ -0,0 +1 @@
oneshot
1 change: 1 addition & 0 deletions docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/up
@@ -0,0 +1 @@
/etc/s6-overlay/s6-rc.d/set-user/up.real
15 changes: 15 additions & 0 deletions docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/up.real
@@ -0,0 +1,15 @@
#!/command/with-contenv sh

if [ "$(id -u)" -ne 0 ] ; then
# if the container is running unprivileged, we cannot manage users
exit
fi

PUID=${PUID:-1000}
PGID=${PGID:-1000}

# usermod/groupmod is not present in this image, so we use this dirty trick
sed -i "s/^rustdesk\:.*/rustdesk:x:${PGID}:rustdesk/" /etc/group
sed -i "s/^rustdesk\:.*/rustdesk:x:${PUID}:${PGID}:Linux User,,,:\/data:\/bin\/sh/" /etc/passwd

chown "${PUID}:${PGID}" "/data"
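Review bot: `chown "${PUID}:${PGID}" "/data"` changes only the directory itself, so anything already inside it (the key pair, the database from a previous run under a different UID) keeps its old owner and hbbr/hbbs running as the new UID cannot open it; either `chown -R` (with a comment that it is slow on a large volume) or chown the specific files the services need. Second, PUID and PGID are substituted unvalidated into the sed replacement text that rewrites /etc/passwd and /etc/group; a value containing `/` breaks the sed expression and one containing `:` produces a malformed entry, so check them first, e.g. `case "$PUID$PGID" in *[!0-9]*) echo 'PUID/PGID must be numeric' >&2; exit 1;; esac`. Third, nothing checks whether the requested UID/GID is already used by another account in the image, which would leave two entries sharing one ID.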