Mastodon workers running as root in Docker containers

[q3k]

The current Dockerfile and docker-compose setup makes the Mastodon workers run as root in containers.

This is ill-advised [1] and unnecessary [2]. Running as root reduced the effort required to escape from the container to the host of the machine.

[1] - http://blog.dscpl.com.au/2015/12/don-run-as-root-inside-of-docker.html
[2] - https://docs.docker.com/engine/security/security/

---

• I searched or browsed the repo’s other issues to ensure this is not a duplicate.
• This bug happens on a tagged release and not on master (If you're a user, don't worry about this).

[Wonderfall]

I opened a thread about it : https://social.targaryen.house/users/wonderfall/updates/47013
You're absolutely right and we should do something right now, before 1.4 is released. Too many people are using Docker without knowing it doesn't isolate much (by default). That's why, @Gargron, I suggest to add this issue to the 1.4 roadmap. I can PR something but as there are several ways to do it, let's agree on one. Mine below.

So my proposition in particular :

• Add 2 environment variables to the Dockerfile : UID and GID.
• Add an entrypoint script :

#!/bin/sh
chown -R $UID:$GID /mastodon
su-exec $UID:$GID tini -- "$@"

This change should be transparent, but we should update the documentation to documentate the environment variables. If you're okay with that, I'll do something without any further waiting.