mirror of
https://github.com/freedomofpress/dangerzone.git
synced 2025-04-28 18:02:38 +02:00
running dangerzone without root in container
There was previously a user created in the container but it was not used via the dockerfile RUN directive (as pointed out by gmarmstrong[1]). Fixes #169 [1]: https://github.com/freedomofpress/dangerzone/issues/169#issue-1268399245
This commit is contained in:
deeplow
parent
2d4bad680e
commit
21a9a6c98c
2 changed files with 5 additions and 1 deletions
|
|
@ -91,7 +91,8 @@ COPY dangerzone.py /usr/local/bin/
|
|||
RUN chmod +x /usr/local/bin/dangerzone.py
|
||||
|
||||
# Add the unprivileged user
|
||||
RUN adduser -h /home/user -s /bin/sh -D user
|
||||
RUN adduser -s /bin/sh -D dangerzone
|
||||
USER dangerzone
|
||||
|
||||
# /tmp/input_file is where the first convert expects the input file to be, and
|
||||
# /tmp where it will write the pixel files
|
||||
|
|
|
|||
|
|
@ -85,11 +85,13 @@ def convert(input_filename, output_filename, ocr_lang, stdout_callback):
|
|||
# drop all linux kernel capabilities
|
||||
security_args += ["--cap-drop", "all"]
|
||||
|
||||
user_args = ["-u", "dangerzone"]
|
||||
|
||||
# Convert document to pixels
|
||||
args = (
|
||||
["run", "--network", "none"]
|
||||
+ platform_args
|
||||
+ user_args
|
||||
+ security_args
|
||||
+ [
|
||||
"-v",
|
||||
|
|
@ -113,6 +115,7 @@ def convert(input_filename, output_filename, ocr_lang, stdout_callback):
|
|||
["run", "--network", "none"]
|
||||
+ platform_args
|
||||
+ security_args
|
||||
+ user_args
|
||||
+ [
|
||||
"-v",
|
||||
f"{pixel_dir}:/dangerzone",
|
||||
|
|
|
|||
Loading…
Reference in a new issue