Drop privs when running admin too

core/admin/Dockerfile

@@ -9,23 +9,23 @@ LABEL version=$VERSION
 RUN set -euxo pipefail \
   ; apk add --no-cache libressl mariadb-connector-c postgresql-libs
 
-COPY --from=assets /work/static/ ./mailu/static/
+EXPOSE 80/tcp
 
+HEALTHCHECK CMD curl -skfLo /dev/null http://localhost/sso/login
+
+VOLUME ["/data","/dkim"]
+
+ENV FLASK_APP=mailu
+
+COPY --from=assets /work/static/ ./mailu/static/
 COPY audit.py /
 COPY start.py /
-
 COPY migrations/ ./migrations/
-
 COPY mailu/ ./mailu/
+
 RUN set -euxo pipefail \
   ; venv/bin/pybabel compile -d mailu/translations
 
 RUN echo $VERSION >/version
 
-EXPOSE 80/tcp
-HEALTHCHECK CMD curl -skfLo /dev/null http://localhost/sso/login?next=ui.index
-
-VOLUME ["/data","/dkim"]
-
-ENV FLASK_APP=mailu
 CMD /start.py

core/admin/start.py

@@ -2,8 +2,14 @@
 
 import os
 import logging as log
+from pwd import getpwnam
 import sys
 
+os.system("chown mailu:mailu -R /data /dkim")
+mailu_id = getpwnam('mailu')
+os.setgid(mailu_id.pw_gid)
+os.setuid(mailu_id.pw_uid)
+
 log.basicConfig(stream=sys.stderr, level=os.environ.get("LOG_LEVEL", "INFO"))
 
 os.system("flask mailu advertise")