From 80b5873a2634f40165de6e6a4cd29dc34ea3013e Mon Sep 17 00:00:00 2001
From: Karl Skewes <karl.skewes@gmail.com>
Date: Tue, 5 Mar 2019 21:26:49 +1300
Subject: [PATCH 1/2] Potentially breaking change: docker user & group

Run as non-root user and group

In the unlikely event that you are currently persisting data to disk then this
change may break file read/write access due to a change in the UID/GID that the
oauth2_proxy process runs as.

Run as non-root system user and group `oauth2proxy` with UID/GID `2000` to avoid clashing with typical local users.
An alternative to creating a separate user is to ~~chown binary and~~ run as `USER nobody`, which also works, can amend this PR if required.

Least access privileges.
Close: https://github.com/pusher/oauth2_proxy/issues/78

Locally with Docker (`-version`):
```
$ ps aux | grep oauth2
2000     25192  6.0  0.0      0     0 ?        Ds   15:53   0:00 [oauth2_proxy]
```

Running in Kubernetes 1.13 with the following also specified:
```
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 10001
```
```
$ kubectl exec -it -n oauth2-proxy oauth2-proxy-85c9f58ffc-dz9lr sh
/opt $ whoami
whoami: unknown uid 10001
/opt $ ps aux
PID   USER     TIME  COMMAND
    1 10001     0:00 /opt/oauth2_proxy --whitelist-domain=.example.com --cookie-domain=example.com --email-domain=example.com --upstream=file:///dev/null --http-address=0.0.0.0:4180
   11 10001     0:00 sh
   17 10001     0:00 ps aux
```

<!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->

- [x] My change requires a change to the documentation or CHANGELOG.
- [x] I have updated the documentation/CHANGELOG accordingly.
- [x] I have created a feature (non-master) branch for my PR.
---
 CHANGELOG.md     | 1 +
 Dockerfile       | 3 +++
 Dockerfile.arm64 | 3 +++
 Dockerfile.armv6 | 3 +++
 4 files changed, 10 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d98b209..6dc720f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,7 @@
 
 ## Changes since v3.1.0
 
+- [#85](https://github.com/pusher/oauth2_proxy/pull/85) Potentially breaking change: docker user & group (@kskewes)
 - [#68](https://github.com/pusher/oauth2_proxy/pull/68) forward X-Auth-Access-Token header (@davidholsgrove)
 
 # v3.1.0
diff --git a/Dockerfile b/Dockerfile
index 126ce40..2373897 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,4 +19,7 @@ FROM alpine:3.8
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 COPY --from=builder /go/src/github.com/pusher/oauth2_proxy/oauth2_proxy /bin/oauth2_proxy
 
+RUN addgroup -S -g 2000 oauth2proxy && adduser -S -u 2000 oauth2proxy -G oauth2proxy
+USER oauth2proxy
+
 ENTRYPOINT ["/bin/oauth2_proxy"]
diff --git a/Dockerfile.arm64 b/Dockerfile.arm64
index 4a8dc7d..5abd9bb 100644
--- a/Dockerfile.arm64
+++ b/Dockerfile.arm64
@@ -19,4 +19,7 @@ FROM arm64v8/alpine:3.8
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 COPY --from=builder /go/src/github.com/pusher/oauth2_proxy/oauth2_proxy /bin/oauth2_proxy
 
+RUN addgroup -S -g 2000 oauth2proxy && adduser -S -u 2000 oauth2proxy -G oauth2proxy
+USER oauth2proxy
+
 ENTRYPOINT ["/bin/oauth2_proxy"]
diff --git a/Dockerfile.armv6 b/Dockerfile.armv6
index 5f7f7af..d51f16d 100644
--- a/Dockerfile.armv6
+++ b/Dockerfile.armv6
@@ -19,4 +19,7 @@ FROM arm32v6/alpine:3.8
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 COPY --from=builder /go/src/github.com/pusher/oauth2_proxy/oauth2_proxy /bin/oauth2_proxy
 
+RUN addgroup -S -g 2000 oauth2proxy && adduser -S -u 2000 oauth2proxy -G oauth2proxy
+USER oauth2proxy
+
 ENTRYPOINT ["/bin/oauth2_proxy"]

From bfccc1f2616ee0b78a402b42aa7f56757b6b78ac Mon Sep 17 00:00:00 2001
From: Joel Speed <Joel.speed@hotmail.co.uk>
Date: Tue, 5 Mar 2019 11:42:11 -0800
Subject: [PATCH 2/2] Update CHANGELOG.md

Co-Authored-By: kskewes <karl.skewes@gmail.com>
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6dc720f..d932557 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,7 +2,7 @@
 
 ## Changes since v3.1.0
 
-- [#85](https://github.com/pusher/oauth2_proxy/pull/85) Potentially breaking change: docker user & group (@kskewes)
+- [#85](https://github.com/pusher/oauth2_proxy/pull/85) Use non-root user in docker images (@kskewes)
 - [#68](https://github.com/pusher/oauth2_proxy/pull/68) forward X-Auth-Access-Token header (@davidholsgrove)
 
 # v3.1.0