Merge pull request #1025 from seriva/fix/epicli-user

- Added user to Epicli to fix security issues, reported externally and by Lukasz a while back (#624) - Bumped version to 0.6.0
hitachienergy · Mar 17, 2020 · bf4fe49 · bf4fe49
2 parents e7278dc + 2aea101
commit bf4fe49
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 3 deletions.
diff --git a/CHANGELOG-0.6.md b/CHANGELOG-0.6.md
@@ -9,4 +9,6 @@
 - [#656](https://github.com/epiphany-platform/epiphany/issues/656) - Add logrotation to kafka by size
 - [#1016](https://github.com/epiphany-platform/epiphany/issues/1016) - Disable verify , backup and recovery as they are not fully implemented
 
-### Fixed
+### Fixed
+
+- [#624](https://github.com/epiphany-platform/epiphany/issues/624) - Don't run epicli as root in container
diff --git a/core/src/epicli/Dockerfile-debian b/core/src/epicli/Dockerfile-debian
@@ -2,17 +2,34 @@ FROM python:3.7-slim
 
 ARG EPICLI_VERSION
 
+ARG USERNAME=epiuser
+ARG USER_UID=1000
+ARG USER_GID=$USER_UID
+
 ENV DOCKER_CLI Yes
 
 COPY /dist/ /epicli
 WORKDIR /epicli
 
 RUN apt-get update \
-    && apt-get -y install gcc make musl-dev libffi-dev tar unzip openssh-client vim
+    && apt-get -y install gcc make musl-dev libffi-dev tar unzip openssh-client vim  
 
 RUN pip install epicli-${EPICLI_VERSION}-py3-none-any.whl
 
+RUN groupadd --gid $USER_GID $USERNAME \
+    && useradd -s /bin/bash --uid $USER_UID --gid $USER_GID -m $USERNAME \
+    && apt-get install -y sudo \
+
+    && echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME \
+    && chmod 0440 /etc/sudoers.d/$USERNAME \   
+
+    && apt-get autoremove -y \
+    && apt-get clean -y \
+    && rm -rf /var/lib/apt/lists/*   
+
 RUN mkdir /shared/
 WORKDIR /shared
 
+USER $USERNAME
+
 ENTRYPOINT ["/bin/bash"]
diff --git a/core/src/epicli/cli/version.txt.py b/core/src/epicli/cli/version.txt.py
@@ -1 +1 @@
-0.5.3
+0.6.0