
Run as a non-root user #69

Open
yo8192 wants to merge 8 commits into shenxn:master from yo8192:master

Conversation

@yo8192

@yo8192 yo8192 commented Dec 3, 2022

This is a security best practice for Docker images.

yo8192 and others added 6 commits July 25, 2021 17:42
Update from shenxn/protonmail-bridge-docker
It is best security practice to run the process in docker as non-root.
* Bump build version to 3.0.5

* Bump build version to 3.0.6

* Bump build version to 3.0.7

Co-authored-by: GitHub Actions <actions@github.com>
@shenxn
Owner

shenxn commented Jan 14, 2023

Yes. This is definitely a good idea but it is going to be a breaking change. I'll hold this change and see what we can do to make sure existing users are happy with this.

olivervhansen added a commit to olivervhansen/protonmail-bridge-docker that referenced this pull request Jun 6, 2023
@mark-monteiro
Contributor

It would be ideal if the user/group id used was configurable (i.e. via environment variables UID and GID).

This would also be a good route to maintaining backwards compatibility. If neither value is set, the default is to run as root.
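A sketch of the configurable-id, root-by-default pattern proposed in the comment above, as an added example rather than code from this PR or from shenxn/protonmail-bridge-docker. It assumes names that are not on the page: PUID and PGID for the variables (bash treats $UID as a read-only built-in, so an environment variable literally named UID is unreliable there), DATA_DIR for the bridge's state directory (defaulting to /root), a `bridge` account name, shadow-utils groupadd/useradd as found on Ubuntu, and util-linux `setpriv` for the actual privilege drop.

```shell
#!/bin/sh
# entrypoint.sh: added example, not code from this PR or from
# shenxn/protonmail-bridge-docker. Runs the wrapped command as root when
# neither PUID nor PGID is set (legacy behaviour), otherwise creates a
# matching account, fixes ownership of the state directory and drops
# privileges before exec'ing. Assumed names (not on the page): PUID/PGID,
# DATA_DIR, the `bridge` account name and util-linux `setpriv`.
set -eu

DATA_DIR=${DATA_DIR:-/root}

# is_uint VALUE: succeeds only for a non-empty string of decimal digits,
# so "1000" passes while "", "-1" and "1000;rm" are rejected.
is_uint() {
  case "$1" in
    '' | *[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# resolve_target PUID PGID: prints "root" when both are empty (existing
# deployments keep working unchanged) or when PUID is 0, prints "uid:gid"
# when both are valid, and fails on partial or non-numeric input so a
# typo cannot silently leave the bridge running as root.
resolve_target() {
  puid=$1
  pgid=$2
  if [ -z "$puid" ] && [ -z "$pgid" ]; then
    echo root
    return 0
  fi
  if ! is_uint "$puid" || ! is_uint "$pgid"; then
    echo "entrypoint: PUID and PGID must both be set to non-negative integers" >&2
    return 1
  fi
  if [ "$puid" -eq 0 ]; then
    echo root
    return 0
  fi
  echo "$puid:$pgid"
}

# ensure_account UID GID: creates the group and user only if those ids
# are not already present (shadow-utils groupadd/useradd, as on Ubuntu).
ensure_account() {
  uid=$1
  gid=$2
  getent group "$gid" >/dev/null || groupadd -g "$gid" bridge
  getent passwd "$uid" >/dev/null ||
    useradd -u "$uid" -g "$gid" -d "$DATA_DIR" -M -s /usr/sbin/nologin bridge
}

main() {
  target=$(resolve_target "${PUID:-}" "${PGID:-}")
  if [ "$target" = root ]; then
    exec "$@"
  fi
  uid=${target%%:*}
  gid=${target##*:}
  ensure_account "$uid" "$gid"
  # chown only when ownership is wrong: a recursive chown over a large
  # mailbox cache on every restart is slow and unnecessary.
  if [ "$(stat -c %u "$DATA_DIR")" != "$uid" ]; then
    chown -R "$uid:$gid" "$DATA_DIR"
  fi
  # setpriv replaces this process, so no root-owned parent stays behind;
  # --clear-groups drops any supplementary groups inherited from root.
  exec setpriv --reuid="$uid" --regid="$gid" --clear-groups "$@"
}

# Run main only when invoked as the container entrypoint, so the helpers
# above can also be sourced and tested on their own.
case "${0##*/}" in
  entrypoint.sh) main "$@" ;;
esac
```

With `ENTRYPOINT ["/entrypoint.sh"]` and the bridge command left as CMD, `docker run -e PUID=1000 -e PGID=1000 ...` runs the bridge as 1000:1000 while an unchanged `docker run` still runs it as root, which is the compatibility property asked for above. The container image itself must still start as root (no `USER` directive) for the chown and setpriv steps to be possible; a half-set pair such as PUID without PGID is treated as an error rather than silently falling back to root.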

* Bump build version to 3.0.10

* Bump build version to 3.0.12

* Bump build version to 3.0.14

* Bump build version to 3.0.15

* Bump build version to 3.0.16

* Bump deb version to 3.0.17-1

* Bump build version to 3.0.18

* Bump deb version to 3.0.19-1

* Bump build version to 3.0.19

* Bump deb version to 3.0.20-1

* Bump build version to 3.0.20

* Update Ubuntu tag for deb to fix GLIBC dependency (shenxn#80)

GLIBC dependency issue highlighted in
shenxn#79 is caused
by v3 of the bridge not supporting bionic. This PR simply updates the
"deb" version to match the "build" version which is already on
ubuntu:jammy.

* Bump deb version to 3.0.21-1

* Bump build version to 3.0.21

* Bump build version to 3.1.0

* Bump build version to 3.1.1

* Bump deb version to 3.1.2-1

* Bump build version to 3.1.2

* Add a docker compose file (shenxn#70)

It's quite the norm to include a docker-compose file, generally in the
README or the root for people to copy and modify. For example as
https://github.com/wfg/docker-openvpn-client has done so.

If there are [Environmental
variables](https://github.com/wfg/docker-openvpn-client#environment-variables),
they should also be documented - in this case there isn't.

* Bump deb version to 3.1.3-1

* Bump build version to 3.1.3

* Bump build version to 3.2.0

* Bump deb version to 3.2.0-1

* Bump build version to 3.3.0

* Bump deb version to 3.3.0-1

* Bump build version to 3.3.1

* Bump deb version to 3.3.2-1

* Bump build version to 3.3.2

* Bump build version to 3.4.0

* Bump build version to 3.4.1

* Bump build version to 3.4.2

* Bump build version to 3.5.0

* Bump deb version to 3.4.2-1

* Bump build version to 3.5.1

* Bump deb version to 3.5.1-1

* Bump deb version to 3.4.2-1

* Bump build version to 3.5.2

* Bump deb version to 3.5.3-1

* Bump build version to 3.5.3

* Bump build version to 3.6.0

* Bump deb version to 3.5.4-1

* Bump build version to 3.6.1

* Bump deb version to 3.6.1-2

* Bump build version to 3.7.0

* Bump build version to 3.7.1

* Bump deb version to 3.7.1-1

* Bump build version to 3.8.0

* Bump build version to 3.8.1

* Bump deb version to 3.8.1-1

* Bump build version to 3.9.0

* Bump deb version to 3.8.2-1

---------

Co-authored-by: GitHub Actions <actions@github.com>
Co-authored-by: Aziz Hasanain <sgtaziz013@gmail.com>
Co-authored-by: Daniel Nathan Gray <dng@disroot.org>
@simonfelding
Collaborator

Hey @yo8192 and @mark-monteiro - @shenxn gave me maintainer access to this repo, so we can work on solving this now.

Agree this is best practice and a priority. However, this solution is problematic because it changes paths around, which is not very practical. I think we should work on making a more backwards compatible solution - see my PR #110, which I'm going to continue working on. I'm going to keep this PR open for now, but I don't think we should continue with this exact solution.

@xbc5

xbc5 commented Apr 21, 2025

It would be nice if you could expedite this.
