From 699be6f9fa62ef538fdac0f09003b2c54838eda4 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Thu, 17 Nov 2022 16:03:37 +0100
Subject: [PATCH] Drop privs when running admin too
---
 core/admin/Dockerfile | 18 +++++++++---------
 core/admin/start.py | 6 ++++++
 2 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/core/admin/Dockerfile b/core/admin/Dockerfile
index 600c3e9f..b43e46b6 100644
--- a/core/admin/Dockerfile
+++ b/core/admin/Dockerfile
@@ -9,23 +9,23 @@ LABEL version=$VERSION
 RUN set -euxo pipefail \
 ; apk add --no-cache libressl mariadb-connector-c postgresql-libs
-COPY --from=assets /work/static/ ./mailu/static/
+EXPOSE 80/tcp
+HEALTHCHECK CMD curl -skfLo /dev/null http://localhost/sso/login
+
+VOLUME ["/data","/dkim"]
+
+ENV FLASK_APP=mailu
+COPY --from=assets /work/static/ ./mailu/static/
 COPY audit.py /
 COPY start.py /
-
 COPY migrations/ ./migrations/
-
 COPY mailu/ ./mailu/
+
 RUN set -euxo pipefail \
 ; venv/bin/pybabel compile -d mailu/translations
 RUN echo $VERSION >/version
-EXPOSE 80/tcp
-HEALTHCHECK CMD curl -skfLo /dev/null http://localhost/sso/login?next=ui.index
-
-VOLUME ["/data","/dkim"]
-
-ENV FLASK_APP=mailu
 CMD /start.py
diff --git a/core/admin/start.py b/core/admin/start.py
index 3cb5c422..99b34a01 100755
--- a/core/admin/start.py
+++ b/core/admin/start.py
@@ -2,8 +2,14 @@
 import os
 import logging as log
+from pwd import getpwnam
 import sys
+os.system("chown mailu:mailu -R /data /dkim")
+mailu_id = getpwnam('mailu')
+os.setgid(mailu_id.pw_gid)
+os.setuid(mailu_id.pw_uid)
+
 log.basicConfig(stream=sys.stderr, level=os.environ.get("LOG_LEVEL", "INFO"))
 os.system("flask mailu advertise")
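Review bot: Nothing in the Dockerfile records that the image must still start as root: the hunk adds no `USER` instruction, and the drop to `mailu` happens only in start.py, after it has chowned /data and /dkim. A comment above `CMD /start.py`, for example `# Starts as root on purpose: start.py chowns the volumes, then drops to mailu`, would keep a later hardening pass from adding `USER mailu` and silently breaking that chown. Because the service now runs unprivileged while `EXPOSE 80/tcp` and the healthcheck on `http://localhost` stay, it is also worth confirming that the listener (started outside this hunk) can still bind port 80 on every container runtime the project supports.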
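Review bot: The privilege drop in start.py leaves root's supplementary groups in place, because `os.setgid()` and `os.setuid()` change only the primary gid and the uid; the process that continues as mailu keeps whatever extra groups the container's root had. Add `os.setgroups([])` (or `os.initgroups('mailu', mailu_id.pw_gid)`) before `os.setgid(mailu_id.pw_gid)`, while the process is still root. The exit status of `os.system("chown mailu:mailu -R /data /dkim")` is also discarded, so a failed chown surfaces only later as permission errors in the service; `subprocess.run(["chown", "-R", "mailu:mailu", "/data", "/dkim"], check=True)` would stop the start instead, at the cost of an `import subprocess`. The drop is correctly placed before `os.system("flask mailu advertise")`, and a short comment such as `# Everything below runs as mailu; root-only setup must stay above this block` would keep later edits from reordering it.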