From 80b5873a2634f40165de6e6a4cd29dc34ea3013e Mon Sep 17 00:00:00 2001 From: Karl Skewes Date: Tue, 5 Mar 2019 21:26:49 +1300 Subject: [PATCH 1/2] Potentially breaking change: docker user & group Run as non-root user and group In the unlikely event that you are currently persisting data to disk then this change may break file read/write access due to a change in the UID/GID that the oauth2_proxy process runs as. Run as non-root system user and group `oauth2proxy` with UID/GID `2000` to avoid clashing with typical local users. An alternative to creating a separate user is to ~~chown binary and~~ run as `USER nobody`, which also works, can amend this PR if required. Least access privileges. Close: https://github.com/pusher/oauth2_proxy/issues/78 Locally with Docker (`-version`): ``` $ ps aux | grep oauth2 2000 25192 6.0 0.0 0 0 ? Ds 15:53 0:00 [oauth2_proxy] ``` Running in Kubernetes 1.13 with the following also specified: ``` securityContext: readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 10001 ``` ``` $ kubectl exec -it -n oauth2-proxy oauth2-proxy-85c9f58ffc-dz9lr sh /opt $ whoami whoami: unknown uid 10001 /opt $ ps aux PID USER TIME COMMAND 1 10001 0:00 /opt/oauth2_proxy --whitelist-domain=.example.com --cookie-domain=example.com --email-domain=example.com --upstream=file:///dev/null --http-address=0.0.0.0:4180 11 10001 0:00 sh 17 10001 0:00 ps aux ``` - [x] My change requires a change to the documentation or CHANGELOG. - [x] I have updated the documentation/CHANGELOG accordingly. - [x] I have created a feature (non-master) branch for my PR. --- CHANGELOG.md | 1 + Dockerfile | 3 +++ Dockerfile.arm64 | 3 +++ Dockerfile.armv6 | 3 +++ 4 files changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d98b209..6dc720f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,6 +2,7 @@ ## Changes since v3.1.0 +- [#85](https://github.com/pusher/oauth2_proxy/pull/85) Potentially breaking change: docker user & group (@kskewes) - [#68](https://github.com/pusher/oauth2_proxy/pull/68) forward X-Auth-Access-Token header (@davidholsgrove) # v3.1.0 diff --git a/Dockerfile b/Dockerfile index 126ce40..2373897 100644 --- a/Dockerfile +++ b/Dockerfile @@ -19,4 +19,7 @@ FROM alpine:3.8 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt COPY --from=builder /go/src/github.com/pusher/oauth2_proxy/oauth2_proxy /bin/oauth2_proxy +RUN addgroup -S -g 2000 oauth2proxy && adduser -S -u 2000 oauth2proxy -G oauth2proxy +USER oauth2proxy + ENTRYPOINT ["/bin/oauth2_proxy"] diff --git a/Dockerfile.arm64 b/Dockerfile.arm64 index 4a8dc7d..5abd9bb 100644 --- a/Dockerfile.arm64 +++ b/Dockerfile.arm64 @@ -19,4 +19,7 @@ FROM arm64v8/alpine:3.8 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt COPY --from=builder /go/src/github.com/pusher/oauth2_proxy/oauth2_proxy /bin/oauth2_proxy +RUN addgroup -S -g 2000 oauth2proxy && adduser -S -u 2000 oauth2proxy -G oauth2proxy +USER oauth2proxy + ENTRYPOINT ["/bin/oauth2_proxy"] diff --git a/Dockerfile.armv6 b/Dockerfile.armv6 index 5f7f7af..d51f16d 100644 --- a/Dockerfile.armv6 +++ b/Dockerfile.armv6 @@ -19,4 +19,7 @@ FROM arm32v6/alpine:3.8 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt COPY --from=builder /go/src/github.com/pusher/oauth2_proxy/oauth2_proxy /bin/oauth2_proxy +RUN addgroup -S -g 2000 oauth2proxy && adduser -S -u 2000 oauth2proxy -G oauth2proxy +USER oauth2proxy + ENTRYPOINT ["/bin/oauth2_proxy"] From bfccc1f2616ee0b78a402b42aa7f56757b6b78ac Mon Sep 17 00:00:00 2001 From: Joel Speed Date: Tue, 5 Mar 2019 11:42:11 -0800 Subject: [PATCH 2/2] Update CHANGELOG.md Co-Authored-By: kskewes --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 6dc720f..d932557 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ ## Changes since v3.1.0 -- [#85](https://github.com/pusher/oauth2_proxy/pull/85) Potentially breaking change: docker user & group (@kskewes) +- [#85](https://github.com/pusher/oauth2_proxy/pull/85) Use non-root user in docker images (@kskewes) - [#68](https://github.com/pusher/oauth2_proxy/pull/68) forward X-Auth-Access-Token header (@davidholsgrove) # v3.1.0
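Review bot: `USER oauth2proxy` in the Dockerfile hunk sets the user by name, so a Kubernetes pod that sets `runAsNonRoot: true` without also pinning `runAsUser` will be rejected by the kubelet, which cannot verify that a non-numeric image user is non-root (the Kubernetes run shown in the PR description only passes because it also sets `runAsUser: 10001`). Suggest `USER 2000:2000`, the UID/GID that the preceding `addgroup`/`adduser` line already assigns, which keeps the same identity and lets `runAsNonRoot` be verified from the image alone. The same comment applies to the identical hunks in Dockerfile.arm64 and Dockerfile.armv6.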
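Review bot: the reworded CHANGELOG entry `Use non-root user in docker images` in the PATCH 2/2 hunk drops the breaking-change signal that the PATCH 1/2 entry carried, while the commit message itself warns that data persisted to disk may become unreadable once the process runs as UID/GID 2000. Suggest keeping that warning in the entry, e.g. `Use non-root user (UID/GID 2000) in docker images; persisted data may need chown`, so operators who read only the changelog know to fix file ownership on upgrade.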