Merge pull request #87 from awerlang/patch-1

Improve general security
farribeiro · Jul 23, 2020 · 25da6b6 · 25da6b6
2 parents ecd72f5 + 0b21aac
commit 25da6b6
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 40 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -11,8 +11,6 @@ ENV GUID=1000
 
 ENV LANG="pt_BR.UTF-8 UTF-8"
 
-COPY startup.sh /home/ff/
-
 RUN apt-get update && \
 	apt-get install -y --no-install-recommends \
 		locales \
@@ -26,7 +24,6 @@ RUN apt-get update && \
 		python-gpg \
 		python-openssl \
 		python3 \
-		sudo \
 		xauth \
 		zenity
 	# Setup locale
@@ -37,22 +34,22 @@ RUN mkdir -p /src
 ADD https://cloud.gastecnologia.com.br/gas/diagnostico/warsaw_setup_64.deb /src/GBPCEFwr64.deb
 	# Configuring the environment
 RUN mkdir -p /home/${USER} \
-	&& chmod 744 /home/ff/startup.sh \
 	&& groupadd -g ${GUID} -r ${USER} \
 	&& useradd -u ${GUID} -r -g ${USER} -G audio,video ${USER} -d /home/${USER} \
 	&& chown -R ${GUID}:${GUID} /home/${USER} \
-	&& echo 'ff ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers \
-	&& echo 'Defaults !requiretty' >> /etc/sudoers \
-	&& echo root:wscef | chpasswd \
 	# Cleanup
 	&& apt autoremove -y \
 	&& apt clean
 
-# Run Firefox as non privileged user
-USER ff
+RUN apt -y install /src/GBPCEFwr64.deb || :
+
+COPY root.sh /usr/local/bin/
+COPY startup.sh /usr/local/bin/
+RUN chmod 700 /usr/local/bin/root.sh \
+    && chmod 755 /usr/local/bin/startup.sh
 
-# Add volume for recipes PDFs
+# Add volume for receipts PDFs
 VOLUME "/home/ff/Downloads"
 
 # Autorun Firefox
-ENTRYPOINT /home/ff/startup.sh
+ENTRYPOINT /usr/local/bin/root.sh
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,25 +1,30 @@
-version: '3'
+version: '3.7'
 services:
   wscef:
     container_name: wscef
     image: farribeiro/wscef-docker
     build: .
-    devices:
-      - /dev/snd:/dev/snd
+    init: true
+    cap_drop:
+      - ALL
+    cap_add:
+      - SETUID
+      - SETGID
+      - AUDIT_WRITE
+      - DAC_OVERRIDE
+    security_opt:
+      - no-new-privileges:true
     environment:
       - LANG=pt_BR.UTF-8
       - TZ=${TZ}
       - DISPLAY=${DISPLAY}
-      - XAUTHORITY=/home/ff/.Xauthority
-      - HOST_HOSTNAME=${HOSTNAME}
     deploy:
       resources:
         limits:
           cpus: '0.50'
           memory: 512M
     shm_size: 2g
     volumes:
-      - /dev/shm:/dev/shm
       - /tmp/.X11-unix:/tmp/.X11-unix
       - ${XAUTHORITY}:/tmp/.docker.xauth:ro
       - ${BANKFILES}:/home/ff/Downloads

diff --git a/root.sh b/root.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+/etc/init.d/warsaw start
+
+# Run Firefox as non privileged user
+setpriv --reuid=ff --regid=ff --init-groups --inh-caps=-all --reset-env env DISPLAY=$DISPLAY LANG=$LANG TZ=$TZ startup.sh
diff --git a/startup.sh b/startup.sh
@@ -1,28 +1,13 @@
 #!/bin/bash
 
-if [ -n "${XAUTHORITY}" ] && [ -n "${HOST_HOSTNAME}" ]
-then
-  if [ "${HOSTNAME}" != "${HOST_HOSTNAME}" ]
-  then
-    [ -f ${XAUTHORITY} ] || touch ${XAUTHORITY}
-    xauth add ${HOSTNAME}/unix${DISPLAY} . \
-    $(xauth -f /tmp/.docker.xauth list ${HOST_HOSTNAME}/unix${DISPLAY} | awk '{ print $NF }')
-  else
-    cp /tmp/.docker.xauth ${XAUTHORITY}
-  fi
-fi
+runx() {
+    XAUTHORITY=/tmp/auth "$@"
+}
 
-if [ ! -d ~/.mozilla ]
-then
-  # sudo dbus-uuidgen > /etc/machine-id \
-  firefox -no-remote -CreateProfile default \
-  && sudo apt update \
-  && sudo apt -y upgrade \
-  && sudo apt -y install /src/GBPCEFwr64.deb
-#else
-  # sudo /etc/init.d/warsaw start
-fi
-sudo /etc/init.d/warsaw start
+cp /tmp/.docker.xauth /tmp/auth
+runx xauth add ${HOSTNAME}/unix${DISPLAY} . $(runx xauth list | awk '$1 !~ /localhost/ {print $3; exit}')
+runx xauth generate $DISPLAY . untrusted timeout 0
 
 /usr/local/bin/warsaw/core \
-&& firefox -no-remote -private-window --class CaixaEconomica --name CaixaEconomica https://www.caixa.gov.br
+&& runx firefox -no-remote -CreateProfile default \
+&& runx firefox -no-remote -private-window --class CaixaEconomica --name CaixaEconomica https://www.caixa.gov.br