From 9e311b4dcbc626159e09cb7485fa0419ea94e4ba Mon Sep 17 00:00:00 2001
From: Chris Kankiewicz
Date: Tue, 29 Nov 2016 09:31:39 -0700
Subject: [PATCH] Don't run service as root
---
 Dockerfile | 9 +++++++++
 files/config.ini | 4 ++++
 2 files changed, 13 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index aee1768..27ec9e3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,6 +7,9 @@ ENV MUMBLE_VERSION 1.2.17
 # Create Mumble directories
 RUN mkdir -pv /opt/mumble /etc/mumble
 
+# Create non-root user
+RUN adduser -DHs /sbin/nologin mumble
+
 # Copy config file
 COPY files/config.ini /etc/mumble/config.ini
 
@@ -22,9 +25,15 @@ RUN apk add --update ca-certificates bzip2 tar tzdata wget \
 && wget -qO- ${BZIP_URL} | tar -xjv --strip-components=1 -C /opt/mumble \
 && apk del ca-certificates bzip2 tar wget && rm -rf /var/cache/apk/*
 
+# Chown files
+RUN chown -Rv mumble:mumble /etc/mumble /opt/mumble
+
 # Expose ports
 EXPOSE 64738 64738/udp
 
+# Set running user
+USER mumble
+
 # Set volumes
 VOLUME /etc/mumble
 
diff --git a/files/config.ini b/files/config.ini
index 5ea7536..c322e7d 100644
--- a/files/config.ini
+++ b/files/config.ini
@@ -4,3 +4,7 @@
 # Path to database. If blank, will search for
 # murmur.sqlite in default locations or create it if not found.
 database=/etc/mumble/murmur.sqlite
+
+# If Murmur is started as root, which user should it switch to?
+# This option is ignored if Murmur isn't started with root privileges.
+uname=mumble
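Review bot: `RUN adduser -DHs /sbin/nologin mumble` lets BusyBox pick the next free UID/GID, so the Dockerfile does not fix the numeric id the service runs under. The image later switches to `USER mumble` and declares `VOLUME /etc/mumble`, so a bind-mounted host directory must be owned by that exact id or the server cannot write its database there. Runtimes that verify non-root by number also need a stable value. Pinning the id makes this predictable, for example `RUN addgroup -g 10001 mumble && adduser -DH -u 10001 -G mumble -s /sbin/nologin mumble` (10001 is an example value, not taken from the project).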
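Review bot: The added `RUN chown -Rv mumble:mumble /etc/mumble /opt/mumble` gives the unpacked server tree in /opt/mumble to the same account the process runs as after `USER mumble`, so a compromised server could rewrite its own binaries. From what is visible, only /etc/mumble has to be writable, since config.ini places the database at /etc/mumble/murmur.sqlite. If nothing under /opt/mumble is written at runtime, narrow the step to `RUN chown -R mumble:mumble /etc/mumble` and leave /opt/mumble root-owned. Recursively chowning the extracted tree in its own RUN also stores those files a second time in a new layer. The preceding `RUN apk add …` instruction starts outside this hunk.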
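Review bot: The comment above `uname=mumble` should say when the setting actually applies, because the Dockerfile in this commit now starts the process as `USER mumble` and, by the comment's own wording, the option is then ignored. It only matters when the container is started with the user overridden to root. The file is also copied into /etc/mumble, which is declared as a volume, so a bind-mounted config directory that lacks this line would presumably lose the fallback. Suggested wording: `# Fallback for containers started as root (user override); the image normally runs as mumble via USER.`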