docker image: switch to a new non-root user when started as root

Instead of manually adding a matching user with the docker-adduser cheribuild target, this adds an ENTRYPOINT script to the docker image that automatically creates an unprivileged user. The UID/GID/name can be passed using environment variables (-e flag to `docker run`).
CTSRD-CHERI · Sep 7, 2021 · 8b0188a · 8b0188a
1 parent 3d04b6b
commit 8b0188a
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 2 deletions.
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -17,10 +17,17 @@ RUN apt-get update && apt-get install -y \
   libarchive-dev libglib2.0-dev libpixman-1-dev \
   bison groff-base flex \
   cmake \
-  clang-12 lld-12
+  clang-12 lld-12 \
+  gosu && \
+  apt-get clean
 
 COPY cheribuild.json /root/.config/cheribuild.json
+COPY entrypoint.sh /usr/bin/entrypoint.sh
 
 VOLUME ["/cheribuild", "/source", "/build", "/output"]
 ENV PATH /cheribuild:$PATH
-CMD bash
+# We use an ENTRYPOINT script to ensure that cheribuild is run as a non-root
+# user that has a UID/GID matching the host so that file ownership in the
+# volumes
+ENTRYPOINT ["/usr/bin/entrypoint.sh"]
+CMD ["/bin/bash"]
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
@@ -0,0 +1,17 @@
+#!/bin/sh -e
+
+if [ "$(id -u)" != 0 ]; then
+    echo "Already running as non-root, can't change user."
+    exec "$@"
+fi
+# Create a non-root user with UID/GID matching the host user to ensure that
+# files written to the volumes are not owned by root.
+: "${cheribuild_uid:=1234}"
+: "${cheribuild_gid:=1234}"
+: "${cheribuild_user:=cheri}"
+addgroup --quiet --gid ${cheribuild_gid} "${cheribuild_user}"
+yes | adduser --quiet --uid ${cheribuild_uid} --disabled-password --ingroup "${cheribuild_user}" "${cheribuild_user}" > /dev/null
+
+# Run the actual command:
+export HOME="/home/${cheribuild_user}"
+exec gosu "${cheribuild_user}" "$@"