feat(security): run security-bootstrapper executeable as $$EDGEX_USER

the executeable with $$@ runs as non-root user, $$EDGEX_USER Signed-off-by: Jim Wang <[email protected]>
edgexfoundry · Jan 12, 2021 · 1fe9c57 · 1fe9c57
1 parent ae5846b
commit 1fe9c57
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 9 deletions.
diff --git a/cmd/security-bootstrapper/Dockerfile b/cmd/security-bootstrapper/Dockerfile
@@ -37,7 +37,7 @@ RUN make cmd/security-bootstrapper/security-bootstrapper \
 
 FROM alpine:3.12
 
-RUN apk add --update --no-cache dumb-init openssl
+RUN apk add --update --no-cache dumb-init openssl su-exec
 
 LABEL license='SPDX-License-Identifier: Apache-2.0' \
       copyright='Copyright (c) 2021 Intel Corporation'

diff --git a/cmd/security-bootstrapper/entrypoint.sh b/cmd/security-bootstrapper/entrypoint.sh
@@ -31,10 +31,9 @@ trim_spaces()
 }
 
 # Passing the arguments to the executable as $@ contains only the CMD arguments without the executable name
-# treat anything without /bin/ as to run this security-bootstrapper executable with the arguments
-# this is useful for debugging the container like running with `docker exec -it security-bootstrapper /bin/sh`
-# so that it won't accidentally to execute all other unintended things
-if [ ! "${1:0:1}" = '/bin/' ]; then
+# treat anything not /bin/sh as to run this security-bootstrapper executable with the arguments
+# this is useful for debugging the container like running with `docker run -it --rm security-bootstrapper /bin/sh`
+if [ ! "$1" = '/bin/sh' ]; then
     set -- security-bootstrapper "$@"
 fi
 
@@ -130,6 +129,7 @@ EDGEX_VAULT_PORT=${SECRETSTORE_PORT:-$DEFAULT_EDGEX_VAULT_PORT}
 KONG_HOST="${API_GATEWAY_HOST:-$DEFAULT_API_GATEWAY_HOST}"
 KONG_STATUS_PORT=${API_GATEWAY_STATUS_PORT:-$DEFAULT_API_GATEWAY_STATUS_PORT}
 GATING_WAIT_TIMEOUT="${SECTY_BOOTSTRAP_GATING_TIMEOUT_DURATION:-$DEFAULT_SECTY_BOOTSTRAP_GATING_TIMEOUT_DURATION}"
+EDGEX_USER_ID=${EDGEX_USER:-2002}
 VAULT_ENV_FILE=.env-vault
 VAULT_WORKER_ENV_FILE=.env-vault-worker
 CONSUL_ENV_FILE=.env-consul
@@ -222,11 +222,12 @@ REDIS_PORT=${redis_port_number}
 WAIT_TIMEOUT_DURATION="${GATING_WAIT_TIMEOUT}"
 EOL
 
+  # run the executable as ${EDGEX_USER}
   echo "Executing ./$@"
-  exec ./"$@"
+  exec su-exec ${EDGEX_USER_ID} "./$@"
 
 else
-  # for debug purposes like docker exec -it security-bootstrapper:0.0.0-dev /bin/sh
+  # for debug purposes like docker run -it --rm security-bootstrapper:0.0.0-dev /bin/sh
   echo "current directory:" "$PWD"
-  exec "$@"
+  exec su-exec ${EDGEX_USER_ID} "$@"
 fi
diff --git a/cmd/security-secretstore-setup/entrypoint.sh b/cmd/security-secretstore-setup/entrypoint.sh
@@ -33,7 +33,7 @@ fi
 # /tmp/edgex/secrets need to be shared with all other services that need secrets and
 # thus change the ownership to EDGEX_USER:EDGEX_GROUP
 echo "$(date) Changing ownership of secrets to ${EDGEX_USER}:${EDGEX_GROUP}"
-chown -R ${EDGEX_USER}:${EDGEX_GROUP} /tmp/edgex/secrets
+chown -Rh ${EDGEX_USER}:${EDGEX_GROUP} /tmp/edgex/secrets
 
 # signal tokens ready port
 # in a forever loop so that it keeps listening all the times