Allow setting the UID and GID of clamav at runtime #12
Conversation
If CLAMAV_UID/CLAMAV_GID are set, the userid and/or groupid of the clamav user is updated on startup. This can be helfull to gain the correct access rights on scandir mounts.
There was a problem hiding this comment.
In addition to my concern about the shadow dependency -- I'm slightly concerned that this will make it more difficult for us to add a variation of the image that is rootless and automatically runs as the clamav user. It's probably fine and we'd just have to note in documentation somewhere that the CLAMAV_UID and CLAMAV_GID options only apply to the version that starts as root.
That ties into a second concern that will need to document this option. If you're able to contribute documentation for these new options to:
- the readme in this repository
- https://github.com/Cisco-Talos/clamav-documentation/blob/main/src/manual/Installing/Docker.md that will help.
Finally, if you could add this same change to the docker-entrypoint.sh scripts under clamav/unstable, that would be great.
You may also wish to add it to the 0.105 variant, but I imagine most people are moving to the 1.0+ images. So I don't really mind either way.
| @@ -35,6 +35,7 @@ RUN apk update && apk upgrade \ | |||
| # For building static libraries with Mussels | |||
| git \ | |||
| patchelf \ | |||
| shadow \ | |||
There was a problem hiding this comment.
It doesn't seem like this needs to be added to the first image (the "builder" image) as the entrypoint script is based on the second image.
If CLAMAV_UID/CLAMAV_GID are set, the userid and/or groupid of the clamav user is updated on startup. This can be helfull to gain the correct access rights on scandir mounts.