From 7ef580fcf52fb27cd414b5f9486366c18fae3b48 Mon Sep 17 00:00:00 2001
From: Geoff Thomas
Date: Fri, 6 Feb 2026 11:57:01 +0000
Subject: [PATCH 1/2] Update Dockerfiles to not require root permissions

---
 Dockerfile.nipapd | 8 ++++++++
 Dockerfile.www | 14 +++++++++++++-
 nipap-www/entrypoint.sh | 2 +-
 3 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/Dockerfile.nipapd b/Dockerfile.nipapd
index a82f8cf57..29a81dbdb 100644
--- a/Dockerfile.nipapd
+++ b/Dockerfile.nipapd
@@ -69,7 +69,15 @@ WORKDIR /nipap
 RUN pip3 --no-input install --break-system-packages --no-cache-dir envtpl==0.7.2 \
     && pip3 --no-input install -I --break-system-packages --no-cache-dir '.[instrumentation,ldap_auth]'
 
+# Create non-root user and set up directories with correct permissions
+RUN groupadd -r -g 10000 nipap && useradd -r -u 10000 -g nipap nipap \
+    && mkdir -p /etc/nipap \
+    && chown -R nipap:nipap /etc/nipap \
+    && chown -R nipap:nipap /nipap
+
 EXPOSE 1337
 ENV LISTEN_ADDRESS=0.0.0.0 LISTEN_PORT=1337 SYSLOG=false DB_PORT=5432 DB_SSLMODE=disable DB_NAME=nipap
 
+USER nipap
+
 ENTRYPOINT ["/nipap/entrypoint.sh"]
diff --git a/Dockerfile.www b/Dockerfile.www
index 7d16fa9da..d4d9ec207 100644
--- a/Dockerfile.www
+++ b/Dockerfile.www
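Review bot: `chown -R nipap:nipap /nipap` in the new RUN gives the service account write access to its own entrypoint and source tree under the WORKDIR, which is more than a least-privilege runtime user needs; the pip install above already ran as root, so /nipap can stay root-owned and merely readable. Keep the chown for paths the process writes at start-up (presumably /etc/nipap, where the entrypoint appears to render configuration — worth confirming against entrypoint.sh) and drop the `&& chown -R nipap:nipap /nipap` line, or narrow it to the one subdirectory the entrypoint actually writes. A recursive chown in its own RUN also copies every touched file into a fresh layer; if /nipap really must be nipap-owned, `COPY --chown=nipap:nipap` at the copy step avoids the duplicated layer. The same broad `chown -R nipap:nipap /nipap-www` appears in the Dockerfile.www hunk of this patch.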
@@ -68,7 +68,19 @@ RUN pip3 --no-input install --break-system-packages --no-cache-dir ./pynipap/ &&
     pip3 --no-input install --break-system-packages --no-cache-dir './nipap-www/[instrumentation,ldap_auth]' && \
     mkdir -p /etc/nipap/www/ && cp ./nipap-www/nipap-www.wsgi /etc/nipap/www/
 
-EXPOSE 80
+# Create non-root user and configure Apache to run as non-root on port 8080
+RUN groupadd -r -g 10000 nipap && useradd -r -u 10000 -g nipap nipap \
+    && mkdir -p /var/run/apache2 /var/lock/apache2 /var/log/apache2 \
+    && chown -R nipap:nipap /var/run/apache2 /var/lock/apache2 /var/log/apache2 \
+    && chown -R nipap:nipap /etc/nipap \
+    && chown -R nipap:nipap /nipap-www \
+    && chown -R nipap:nipap /etc/apache2 \
+    && sed -i 's/Listen 80/Listen 8080/' /etc/apache2/ports.conf \
+    && sed -i 's/:80/:8080/' /etc/apache2/sites-available/000-default.conf
+
+EXPOSE 8080
 VOLUME [ "/var/log/apache2" ]
 
+USER nipap
+
 ENTRYPOINT [ "/nipap-www/entrypoint.sh" ]
diff --git a/nipap-www/entrypoint.sh b/nipap-www/entrypoint.sh
index d5a878e01..d1a2afb63 100755
--- a/nipap-www/entrypoint.sh
+++ b/nipap-www/entrypoint.sh
@@ -20,7 +20,7 @@ fi
 
 # Configure apache
 cat << EOF > /etc/apache2/sites-available/000-default.conf
-
+
     WSGIScriptAlias / /etc/nipap/www/nipap-www.wsgi
     ErrorLog \${APACHE_LOG_DIR}/error.log
     CustomLog \${APACHE_LOG_DIR}/access.log combined
From 9797f7686fb13d5d94e622b06cf096e46e979dd0 Mon Sep 17 00:00:00 2001
From: Geoff Thomas
Date: Mon, 16 Feb 2026 14:06:18 +0000
Subject: [PATCH 2/2] Set group explicitly

---
 Dockerfile.nipapd | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile.nipapd b/Dockerfile.nipapd
index 29a81dbdb..47f919e71 100644
--- a/Dockerfile.nipapd
+++ b/Dockerfile.nipapd
@@ -78,6 +78,6 @@ RUN groupadd -r -g 10000 nipap && useradd -r -u 10000 -g nipap nipap \
 EXPOSE 1337
 ENV LISTEN_ADDRESS=0.0.0.0 LISTEN_PORT=1337 SYSLOG=false DB_PORT=5432 DB_SSLMODE=disable DB_NAME=nipap
 
-USER nipap
+USER nipap:nipap
 
 ENTRYPOINT ["/nipap/entrypoint.sh"]
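Review bot: `chown -R nipap:nipap /etc/apache2` makes everything under the Apache configuration directory writable by the account that serves requests, not just the two files this RUN edits, so a compromised WSGI process could rewrite the server's own configuration. The only file the container needs to write at start-up is sites-available/000-default.conf (the heredoc in the nipap-www/entrypoint.sh hunk of this patch overwrites it), so narrow the line to `&& chown nipap:nipap /etc/apache2/sites-available/000-default.conf`, or have the entrypoint render that file into an nipap-owned directory and include it from there. Because the entrypoint regenerates 000-default.conf on every start, the `sed -i 's/:80/:8080/' /etc/apache2/sites-available/000-default.conf` line is dead weight, and the listen port now lives in three places (ports.conf sed, this sed, the heredoc); keeping it in ports.conf plus the entrypoint, or in a single ARG/ENV that both read, is easier to keep in sync. The `s/Listen 80/` pattern is unanchored and would also match a pre-existing `Listen 8080`; harmless here but worth `s/^Listen 80$/Listen 8080/` for clarity.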
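Review bot: `USER nipap:nipap` is applied only to Dockerfile.nipapd; Dockerfile.www, added to in the first patch of this series, still ends with `USER nipap`, so the two images now differ in how the runtime group is set. Apply the same `USER nipap:nipap` there for consistency, and since the commit message says only "Set group explicitly", a short comment above the directive explaining what the explicit group fixes (the intended effect is not stated anywhere in the patch) would help the next maintainer avoid "simplifying" it back. The enclosing RUN that creates the user starts outside this hunk.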