Run gitblit as non-root user

flaix · flaix · commit e423a8f98b16 · 2020-03-04T21:58:28.000+01:00
Add user and group `gitblit` with id `8117` to the image. Add an entry-point script, which will drop root privileges when starting gitblit. It also handles command overrides or running gitblit with additional command line parameters. Closes #10
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1 @@
+.git
diff --git a/Dockerfile b/Dockerfile
@@ -3,24 +3,39 @@ FROM openjdk:8-jre-slim
 ENV GITBLIT_VERSION 1.9.0
 ENV GITBLIT_DOWNLOAD_SHA 349302ded75edfed98f498576861210c0fe205a8721a254be65cdc3d8cdd76f1
 
+# add our user and group first to make sure their IDs get assigned consistently, regardless of whatever packages get added
+RUN groupadd -r -g 8117 gitblit && useradd -r -M -g gitblit -u 8117 -d /opt/gitblit gitblit
+
+
 LABEL maintainer="James Moger <james.moger@gitblit.com>, Florian Zschocke <f.zschocke+gitblit@gmail.com>" \
       org.label-schema.schema-version="1.0" \
       org.label-schema.version="${GITBLIT_VERSION}"
 
 
 ENV GITBLIT_DOWNLOAD_URL https://github.com/gitblit/gitblit/releases/download/v${GITBLIT_VERSION}/gitblit-${GITBLIT_VERSION}.tar.gz
 
-# Download and  Install Gitblit & Move the data files to a separate directory
+# Install fetch dependencies, and gsou to step down from root
 RUN set -eux ; \
     apt-get update && apt-get install -y --no-install-recommends \
         wget \
+        gosu \
         ; \
     rm -rf /var/lib/apt/lists/* ; \
+# Download and install Gitblit
     wget --progress=bar:force:noscroll -O gitblit.tar.gz ${GITBLIT_DOWNLOAD_URL} ; \
     echo "${GITBLIT_DOWNLOAD_SHA} *gitblit.tar.gz" | sha256sum -c - ; \
     mkdir -p /opt/gitblit ; \
     tar xzf gitblit.tar.gz -C /opt/gitblit --strip-components 1 ; \
-    rm -f gitblit.tar.gz ;
+    rm -f gitblit.tar.gz ; \
+# Remove unneeded scripts.
+    rm -f /opt/gitblit/install-service-*.sh ; \
+    rm -r /opt/gitblit/service-*.sh ;
+
+
+
+
+
+
 
 
 ENV GITBLIT_VAR /var/opt/gitblit
@@ -29,7 +44,7 @@ ENV GITBLIT_VAR /var/opt/gitblit
 RUN set -eux ; \
     gbetc=$GITBLIT_VAR/etc ; \
     gbsrv=$GITBLIT_VAR/srv ; \
-    mkdir -p -m 0770 $gbsrv ; \
+    mkdir -p -m 0750 $gbsrv ; \
     mv /opt/gitblit/data/git $gbsrv ; \
     ln -s $gbsrv/git /opt/gitblit/data/git ; \
     mv /opt/gitblit/data $gbetc ; \
@@ -126,19 +141,35 @@ include = gitblit-docker.properties\n\
 ''#\n\
 \n' > $gbetc/gitblit.properties ; \
     \
-# Remove unneeded scripts.
-    rm -f /opt/gitblit/install-service-*.sh ; \
-    rm -r /opt/gitblit/service-*.sh ;
+    \
+# Change ownership to gitblit user for all files that the process needs to write
+    chown -R gitblit:gitblit $GITBLIT_VAR ; \
+# Set file permissions so that gitblit can read all and others cannot mess up
+# or read private data
+    chmod -R o-rwx $gbsrv ; \
+    chmod -R u+rwxs $gbsrv $gbsrv/git ; \
+    chmod -R u+rwxs $gbetc ; \
+    chmod -R o-rwx $gbetc ; \
+    chmod ug=r $gbetc/defaults.properties ; \
+    chmod g-w $gbetc/gitblit-docker.properties ; \
+    chmod 0664 $gbetc/gitblit.properties ;
+
 
 
 # Setup the Docker container environment
 ENV PATH /opt/gitblit:$PATH
 
 WORKDIR /opt/gitblit
 
-EXPOSE 8080 8443 9418 29418
-
 VOLUME $GITBLIT_VAR
 
-# run application
-CMD ["java", "-server", "-Xmx1024M", "-Djava.awt.headless=true", "-cp", "gitblit.jar:ext/*", "com.gitblit.GitBlitServer", "--baseFolder", "/var/opt/gitblit/etc"]
+
+COPY docker-entrypoint.sh /usr/local/bin/
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# 8080:  HTTP front-end and transport
+# 8443:  HTTPS front-end and transport
+# 9418:  Git protocol transport
+# 29418: SSH transport
+EXPOSE 8080 8443 9418 29418
+CMD ["gitblit"]
diff --git a/Dockerfile.alpine b/Dockerfile.alpine
@@ -3,24 +3,39 @@ FROM openjdk:8-jre-alpine
 ENV GITBLIT_VERSION 1.9.0
 ENV GITBLIT_DOWNLOAD_SHA 349302ded75edfed98f498576861210c0fe205a8721a254be65cdc3d8cdd76f1
 
+# add our user and group first to make sure their IDs get assigned consistently, regardless of whatever packages get added
+RUN addgroup -S -g 8117 gitblit && adduser -S -H -G gitblit -u 8117 -h /opt/gitblit gitblit
+
+
 LABEL maintainer="James Moger <james.moger@gitblit.com>, Florian Zschocke <f.zschocke+gitblit@gmail.com>" \
       org.label-schema.schema-version="1.0" \
       org.label-schema.version="${GITBLIT_VERSION}"
 
 
 ENV GITBLIT_DOWNLOAD_URL https://github.com/gitblit/gitblit/releases/download/v${GITBLIT_VERSION}/gitblit-${GITBLIT_VERSION}.tar.gz
 
-
-
-
-
-# Download and install Gitblit
+# Install su-exec to step down from root
 RUN set -eux; \
+    apk add --no-cache \
+        'su-exec>=0.2' \
+        ; \
+    \
+    \
+# Download and install Gitblit
     wget -nv -O gitblit.tar.gz ${GITBLIT_DOWNLOAD_URL} ; \
     echo "${GITBLIT_DOWNLOAD_SHA} *gitblit.tar.gz" | sha256sum -c - ; \
     mkdir -p /opt/gitblit ; \
     tar xzf gitblit.tar.gz -C /opt/gitblit --strip-components 1 ; \
-    rm -f gitblit.tar.gz ;
+    rm -f gitblit.tar.gz ; \
+# Remove unneeded scripts.
+    rm -f /opt/gitblit/install-service-*.sh ; \
+    rm -r /opt/gitblit/service-*.sh ; \
+    \
+# Change shell to 'sh' for Alpine
+    for file in /opt/gitblit/*.sh ; do \
+        sed -i -e 's;bin/bash;bin/sh;' $file ; \
+    done
+
 
 
 ENV GITBLIT_VAR /var/opt/gitblit
@@ -29,7 +44,7 @@ ENV GITBLIT_VAR /var/opt/gitblit
 RUN set -eux ; \
     gbetc=$GITBLIT_VAR/etc ; \
     gbsrv=$GITBLIT_VAR/srv ; \
-    mkdir -p -m 0770 $gbsrv ; \
+    mkdir -p -m 0750 $gbsrv ; \
     mv /opt/gitblit/data/git $gbsrv ; \
     ln -s $gbsrv/git /opt/gitblit/data/git ; \
     mv /opt/gitblit/data $gbetc ; \
@@ -126,26 +141,35 @@ include = gitblit-docker.properties\n\
 ''#\n\
 \n' > $gbetc/gitblit.properties ; \
     \
-# Remove unneeded scripts.
-    rm -f /opt/gitblit/install-service-*.sh ; \
-    rm -r /opt/gitblit/service-*.sh ;
-
+    \
+# Change ownership to gitblit user for all files that the process needs to write
+    chown -R gitblit:gitblit $GITBLIT_VAR ; \
+# Set file permissions so that gitblit can read all and others cannot mess up
+# or read private data
+    chmod -R o-rwx $gbsrv ; \
+    chmod -R u+rwxs $gbsrv $gbsrv/git ; \
+    chmod -R u+rwxs $gbetc ; \
+    chmod -R o-rwx $gbetc ; \
+    chmod ug=r $gbetc/defaults.properties ; \
+    chmod g-w $gbetc/gitblit-docker.properties ; \
+    chmod 0644 $gbetc/gitblit.properties ;
 
-# Change shell to 'sh' for Alpine
-RUN set -eux ; \
-    for file in /opt/gitblit/*.sh ; do \
-        sed -i -e 's;bin/bash;bin/sh;' $file ; \
-    done
 
 
 # Setup the Docker container environment
 ENV PATH /opt/gitblit:$PATH
 
 WORKDIR /opt/gitblit
 
-EXPOSE 8080 8443 9418 29418
-
 VOLUME $GITBLIT_VAR
 
-# run application
-CMD ["java", "-server", "-Xmx1024M", "-Djava.awt.headless=true", "-cp", "gitblit.jar:ext/*", "com.gitblit.GitBlitServer", "--baseFolder", "/var/opt/gitblit/etc"]
+
+COPY docker-entrypoint.sh /usr/local/bin/
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# 8080:  HTTP front-end and transport
+# 8443:  HTTPS front-end and transport
+# 9418:  Git protocol transport
+# 29418: SSH transport
+EXPOSE 8080 8443 9418 29418
+CMD ["gitblit"]
diff --git a/README.md b/README.md
@@ -39,6 +39,10 @@ The Gitblit image stores data under `/var/opt/gitblit`. A Docker volume is defin
 so that data is stored persistently and efficiently. The data is split into a subfolder for
 configuration data (`etc/`) and one for repository data (`srv/`).
 
+### User id
+
+The gitblit server is run under the user and group id `8117`, assigned to the user `gitblit`.
+
 
 ## Build Instructions
 
@@ -52,7 +56,7 @@ git clone https://github.com/gitblit/gitblit-docker.git
 ### Build your Docker container
 ```
 cd gitblit-docker
-sudo docker build -t my-gitblit - < Dockerfile
+sudo docker build -t my-gitblit .
 ```
 
 ### Run your Gitblit container and setup localhost port-forwarding (*-p localhost:container*)
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
@@ -0,0 +1,45 @@
+#!/bin/sh
+set -e
+
+gitblit_path=/opt/gitblit
+gitblit="java -server -Xmx1024M -Djava.awt.headless=true -cp ${gitblit_path}/gitblit.jar:${gitblit_path}/ext/* com.gitblit.GitBlitServer"
+
+
+# use gosu or su-exec to step down from root
+runas ()
+{
+    command -v su-exec > /dev/null && exec su-exec "$@"
+
+    command -v gosu > /dev/null && exec gosu "$@"
+
+    echo "Could not find any program to drop root priviledges. Exiting."
+    exit 1
+}
+
+
+
+# check if arguments are cmdline parameters. then we start gitblit with these parameters.
+# first arg is --option or -something
+if [ "${1#-}" != "$1" ] ; then
+    set -- gitblit "$@"
+fi
+
+
+# if we should run gitblit, replace with the java command
+if [ "$1" = 'gitblit' ]; then
+	shift
+	# if no base folder is given, set the one in our docker default
+	baseFolder=
+	echo "$*" | grep -q -- "--baseFolder" || baseFolder="--baseFolder $GITBLIT_VAR/etc"
+    set -- $gitblit $baseFolder "$@"
+
+
+    # allow the container to be started with `--user`
+    if [ "$(id -u)" = '0' ]; then
+        runas gitblit "$@"
+    fi
+fi
+
+
+# either run gitblit, if started with --user, or whatever else was given as a command
+exec  "$@"
diff --git a/hub-readme.md b/hub-readme.md
@@ -105,6 +105,16 @@ $ sudo docker run -d --name gitblit --tmpfs /var/opt/gitblit/temp -p 8443:8443 g
 ```
 
 
+## User and group id
+
+Since image version 1.9.0-3 the gitblit process will be started as a non privileged user. The user id and group id used by the images are both `8117`.
+
+```console
+$ docker run -it --rm gitblit id gitblit
+uid=8117(gitblit) gid=8117(gitblit) groups=8117(gitblit)
+```
+
+
 
 # Image Variants
 The `gitblit/gitblit` images come in multiple flavors, each designed for a specific use case.
