From 0b21aac83199c23b6976301a6ab32123b5adb44e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Werlang?=
Date: Thu, 9 Jul 2020 01:35:44 -0300
Subject: [PATCH] Improve general security

- Prefer setpriv over sudo
- Setup init process
- Remove unneeded capabilities & privileges
- Pass untrusted X11 cookie directly to firefox
---
 Dockerfile | 19 ++++++++-----------
 docker-compose.yml | 17 +++++++++++------
 root.sh | 6 ++++++
 startup.sh | 31 ++++++++----------------------
 4 files changed, 33 insertions(+), 40 deletions(-)
 create mode 100644 root.sh

diff --git a/Dockerfile b/Dockerfile
index 88ad1fc..590b9df 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,8 +11,6 @@ ENV GUID=1000
 ENV LANG="pt_BR.UTF-8 UTF-8"
-COPY startup.sh /home/ff/
-
 RUN apt-get update && \
 apt-get install -y --no-install-recommends \
 locales \
@@ -26,7 +24,6 @@ RUN apt-get update && \
 python-gpg \
 python-openssl \
 python3 \
- sudo \
 xauth \
 zenity
 # Setup locale
@@ -37,22 +34,22 @@ RUN mkdir -p /src
 ADD https://cloud.gastecnologia.com.br/gas/diagnostico/warsaw_setup_64.deb /src/GBPCEFwr64.deb
 # Configuring the environment
 RUN mkdir -p /home/${USER} \
- && chmod 744 /home/ff/startup.sh \
 && groupadd -g ${GUID} -r ${USER} \
 && useradd -u ${GUID} -r -g ${USER} -G audio,video ${USER} -d /home/${USER} \
 && chown -R ${GUID}:${GUID} /home/${USER} \
- && echo 'ff ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers \
- && echo 'Defaults !requiretty' >> /etc/sudoers \
- && echo root:wscef | chpasswd \
 # Cleanup
 && apt autoremove -y \
 && apt clean
-# Run Firefox as non privileged user
-USER ff
+RUN apt -y install /src/GBPCEFwr64.deb || :
+
+COPY root.sh /usr/local/bin/
+COPY startup.sh /usr/local/bin/
+RUN chmod 700 /usr/local/bin/root.sh \
+ && chmod 755 /usr/local/bin/startup.sh
-# Add volume for recipes PDFs
+# Add volume for receipts PDFs
 VOLUME "/home/ff/Downloads"
 # Autorun Firefox
-ENTRYPOINT /home/ff/startup.sh
+ENTRYPOINT /usr/local/bin/root.sh
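Review bot: `RUN apt -y install /src/GBPCEFwr64.deb || :` in the third Dockerfile hunk installs, as root at build time, a package that the `ADD https://…` context line above fetches with no checksum, and the `|| :` then hides any install failure, so a tampered or truncated download still produces an image whose `root.sh` will call `/etc/init.d/warsaw start` against a missing or half-installed package. I would pin the download with `ADD --checksum=sha256:<expected-digest> https://cloud.gastecnologia.com.br/gas/diagnostico/warsaw_setup_64.deb /src/GBPCEFwr64.deb` (or verify the .deb's signature in the same `RUN`), use `apt-get`, and let a failed install fail the build: `RUN apt-get install -y /src/GBPCEFwr64.deb`. `ENTRYPOINT /usr/local/bin/root.sh` is shell form, so root.sh runs under `/bin/sh -c` rather than as the container's main process; the exec form `ENTRYPOINT ["/usr/local/bin/root.sh"]` keeps signal delivery straightforward whether or not the compose file's `init: true` is in play. Dropping `USER ff` is fine only because root.sh now drops privileges itself; a comment on the `ENTRYPOINT` line saying so would stop a later reviewer re-adding it.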
diff --git a/docker-compose.yml b/docker-compose.yml
index 615a8a9..291add4 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,17 +1,23 @@
-version: '3'
+version: '3.7'
 services:
 wscef:
 container_name: wscef
 image: farribeiro/wscef-docker
 build: .
- devices:
- - /dev/snd:/dev/snd
+ init: true
+ cap_drop:
+ - ALL
+ cap_add:
+ - SETUID
+ - SETGID
+ - AUDIT_WRITE
+ - DAC_OVERRIDE
+ security_opt:
+ - no-new-privileges:true
 environment:
 - LANG=pt_BR.UTF-8
 - TZ=${TZ}
 - DISPLAY=${DISPLAY}
- - XAUTHORITY=/home/ff/.Xauthority
- - HOST_HOSTNAME=${HOSTNAME}
 deploy:
 resources:
 limits:
@@ -19,7 +25,6 @@ services:
 memory: 512M
 shm_size: 2g
 volumes:
- - /dev/shm:/dev/shm
 - /tmp/.X11-unix:/tmp/.X11-unix
 - ${XAUTHORITY}:/tmp/.docker.xauth:ro
 - ${BANKFILES}:/home/ff/Downloads
diff --git a/root.sh b/root.sh
new file mode 100644
index 0000000..edd1807
--- /dev/null
+++ b/root.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+/etc/init.d/warsaw start
+
+# Run Firefox as non privileged user
+setpriv --reuid=ff --regid=ff --init-groups --inh-caps=-all --reset-env env DISPLAY=$DISPLAY LANG=$LANG TZ=$TZ startup.sh
diff --git a/startup.sh b/startup.sh
index d8cfbf6..e94a0a4 100644
--- a/startup.sh
+++ b/startup.sh
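Review bot: The `cap_add` list in the first docker-compose.yml hunk says nothing about what needs each capability; `SETUID`/`SETGID` are evidently for the `setpriv` uid/gid switch in root.sh, but `DAC_OVERRIDE` (bypass file permission checks) and `AUDIT_WRITE` are broad and nothing in the diff shows what requires them, so I would annotate each entry, e.g. `- DAC_OVERRIDE  # needed by <which step> — confirm`, and retest the image with it removed. With `cap_drop: ALL` and `no-new-privileges:true` in place, any setuid or file-capability helper invoked after root.sh drops to `ff` will run without elevation, which is the intent, but it is worth confirming the warsaw package does not rely on one. Dropping `devices: /dev/snd` while the Dockerfile still adds `ff` to `audio,video` leaves the audio group membership doing nothing; if sound is not needed, remove it from the `useradd` line as well.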
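Review bot: root.sh does not `exec` the `setpriv` call, so the root bash process stays alive as the parent of the unprivileged startup.sh for the container's lifetime and signals reach startup.sh only through it; `$DISPLAY`, `$LANG` and `$TZ` are also passed to `env` unquoted. Suggest `exec setpriv --reuid=ff --regid=ff --init-groups --inh-caps=-all --bounding-set=-all --no-new-privs --reset-env env "DISPLAY=$DISPLAY" "LANG=$LANG" "TZ=$TZ" startup.sh`, which additionally clears the capability bounding set and sets no_new_privs from inside the image, so the hardening does not depend on the compose file being the launcher. A failure of `/etc/init.d/warsaw start` is silently ignored (no `set -e`); if that is deliberate, a one-line comment such as `# warsaw failing to start must not block firefox` would make it clear.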
@@ -1,28 +1,13 @@
 #!/bin/bash
-if [ -n "${XAUTHORITY}" ] && [ -n "${HOST_HOSTNAME}" ]
-then
- if [ "${HOSTNAME}" != "${HOST_HOSTNAME}" ]
- then
- [ -f ${XAUTHORITY} ] || touch ${XAUTHORITY}
- xauth add ${HOSTNAME}/unix${DISPLAY} . \
- $(xauth -f /tmp/.docker.xauth list ${HOST_HOSTNAME}/unix${DISPLAY} | awk '{ print $NF }')
- else
- cp /tmp/.docker.xauth ${XAUTHORITY}
- fi
-fi
+runx() {
+ XAUTHORITY=/tmp/auth "$@"
+}
-if [ ! -d ~/.mozilla ]
-then
- # sudo dbus-uuidgen > /etc/machine-id \
- firefox -no-remote -CreateProfile default \
- && sudo apt update \
- && sudo apt -y upgrade \
- && sudo apt -y install /src/GBPCEFwr64.deb
-#else
- # sudo /etc/init.d/warsaw start
-fi
-sudo /etc/init.d/warsaw start
+cp /tmp/.docker.xauth /tmp/auth
+runx xauth add ${HOSTNAME}/unix${DISPLAY} . $(runx xauth list | awk '$1 !~ /localhost/ {print $3; exit}')
+runx xauth generate $DISPLAY . untrusted
 timeout 0 /usr/local/bin/warsaw/core \
-&& firefox -no-remote -private-window --class CaixaEconomica --name CaixaEconomica https://www.caixa.gov.br
+&& runx firefox -no-remote -CreateProfile default \
+&& runx firefox -no-remote -private-window --class CaixaEconomica --name CaixaEconomica https://www.caixa.gov.br
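Review bot: After `runx xauth generate $DISPLAY . untrusted`, `/tmp/auth` still holds the host's trusted cookie that `cp` copied in (its original host-hostname entry, plus the `${HOSTNAME}/unix${DISPLAY}` entry unless `generate` replaced it), and firefox is then started with `XAUTHORITY=/tmp/auth`, so the process the untrusted cookie is meant to confine can still read the trusted one — and, because `cp` runs as `ff` after root.sh's privilege drop, it can read the mounted `/tmp/.docker.xauth` as well. Within this script the fix is to do the `add`/`generate` steps in a scratch file and merge only the `$DISPLAY` entry into the file firefox uses; keeping the trusted cookie out of `ff`'s reach entirely would mean moving the generate step into root.sh before `setpriv`. The unquoted `$(runx xauth list …)` also means that when the host file has no usable entry `xauth add` gets too few arguments and, with no `set -e`, the script carries on to a firefox that cannot open the display; quoting it turns that into an explicit xauth error. The `timeout`/firefox chain at the end of the hunk is left as is.
```shell
# … unchanged: runx() …
# Build the cookie file in a scratch location so only the untrusted entry
# reaches the file firefox reads. xauth generate should replace the matching
# trusted entry (merge by display) — confirm once with `xauth -f /tmp/auth list`.
trusted=/tmp/auth.trusted
cp /tmp/.docker.xauth "$trusted"
XAUTHORITY="$trusted" xauth add "${HOSTNAME}/unix${DISPLAY}" . \
  "$(XAUTHORITY="$trusted" xauth list | awk '$1 !~ /localhost/ {print $3; exit}')"
XAUTHORITY="$trusted" xauth generate "$DISPLAY" . untrusted
XAUTHORITY="$trusted" xauth nlist "$DISPLAY" | runx xauth nmerge -
rm -f "$trusted"
# … unchanged: timeout/firefox chain …
```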