diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..0df4777 --- /dev/null +++ b/.dockerignore @@ -0,0 +1,2 @@ +/var/cache/apt/* +/var/lib/apt/lists/* diff --git a/.env.dist b/.env.dist new file mode 100644 index 0000000..448bfba --- /dev/null +++ b/.env.dist @@ -0,0 +1,3 @@ +HOSTNAME=Enterprise +XAUTHORITY=~/.Xauthority +BANKFILES=~/Investimentos diff --git a/Dockerfile b/Dockerfile index 4fa2f13..c2999f6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,12 +1,8 @@ # Run Warsaw in a container - # Base docker image -FROM ubuntu:latest -LABEL maintainer "Fabio Rodrigues Ribeiro " +FROM debian:buster-slim -COPY startup.sh /home/ff/ - -# Install Firefox +LABEL maintainer "Fabio Rodrigues Ribeiro " ADD \ # https://s3-sa-east-1.amazonaws.com/shared-www.validcertificadora.com.br/libjbig0_2.0-2_amd64.deb \ @@ -20,29 +16,6 @@ ADD \ http://www.digitalsigncertificadora.com.br/repositorio/downloads/SafeSignIC3.0.116-x86_64-ub14-tc-admin.deb \ /src/ -RUN apt-get update \ - && apt-get upgrade -y \ - && apt-get install -y \ - language-pack-pt \ - openssl \ - libnss3-tools \ - firefox \ - firefox-locale-pt \ - xauth \ - opensc \ - libopensc-openssl \ - pcscd \ - pcsc-tools \ - --no-install-recommends \ - && apt -y install /src/*.deb \ - && groupadd -g 1000 -r ff \ - && useradd -u 1000 -r -g ff -G audio,video ff -d /home/ff \ - && chmod 744 /home/ff/startup.sh \ - && chown -R ff:ff /home/ff \ - && passwd -d root \ - && apt-get purge --auto-remove -y \ - && rm -rf /var/lib/apt/lists/* \ - && rm -rf /src/*.deb ADD https://cloud.gastecnologia.com.br/cef/warsaw/install/GBPCEFwr64.deb /src/ 
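Review bot: `.dockerignore` filters the build context that is sent to the daemon, not the image filesystem, so `/var/cache/apt/*` and `/var/lib/apt/lists/*` match nothing in a repository checkout and the package lists written by the new `apt-get update` layer in the Dockerfile still end up in the image. Remove them in the same `RUN` that creates them (`&& rm -rf /var/lib/apt/lists/*`) and use this file for what it actually controls, e.g. `.git` and a local `.env` copied from `.env.dist`, so they never reach the build context.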
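Review bot: The `ADD` that begins at the bottom of the hunk (its URL list continues outside it) pulls vendor `.deb` packages that are later installed as root, at least one of them over plain `http://` (`digitalsigncertificadora.com.br`), with no integrity check, so an altered file on the server or on the path ends up in the image unnoticed. Pin each download, either `ADD --checksum=sha256:<digest> <url> /src/` with BuildKit or a `RUN` that fetches with `curl` and runs `sha256sum -c` against digests committed to the repository. Replacing `ubuntu:latest` with `debian:buster-slim` fixes the floating tag; for an image whose only job is internet banking it is worth pinning the digest as well, `FROM debian:buster-slim@sha256:…`. `LABEL maintainer "…"` is the legacy space-separated form; the documented syntax is `LABEL maintainer="…"`.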
@@ -50,7 +23,59 @@ ADD https://cloud.gastecnologia.com.br/cef/warsaw/install/GBPCEFwr64.deb /src/ USER ff # Add volume for recipes PDFs +ENV USER=ff + +ENV GUID=1000 + +ENV LANG="pt_BR.UTF-8 UTF-8" + +RUN apt-get update && \ + apt-get install -y --no-install-recommends \ + locales \ + tzdata \ + ca-certificates \ + firefox-esr \ + firefox-esr-l10n-pt-br \ + libnss3-tools \ + openssl \ + procps \ + python-gpg \ + python-openssl \ + python3 \ + xauth \ + zenity \ + opensc \ + libopensc-openssl \ + pcscd \ + pcsc-tools + +# Setup locale +RUN echo ${LANG} > /etc/locale.gen \ + && locale-gen + +# Downloading warsaw +RUN mkdir -p /src + +# Configuring the environment +RUN mkdir -p /home/${USER} \ + && groupadd -g ${GUID} -r ${USER} \ + && useradd -u ${GUID} -r -g ${USER} -G audio,video ${USER} -d /home/${USER} \ + && chown -R ${GUID}:${GUID} /home/${USER} \ + # Cleanup + && apt autoremove -y \ + && apt clean + +RUN apt -y install /src/GBPCEFwr64.deb || : + +COPY root.sh /usr/local/bin/ + +COPY startup.sh /usr/local/bin/ + +RUN chmod 700 /usr/local/bin/root.sh \ + && chmod 755 /usr/local/bin/startup.sh + +# Add volume for receipts PDFs VOLUME "/home/ff/Downloads" -# Autorun chrome -CMD [ "/home/ff/startup.sh" ] +# Autorun Firefox +ENTRYPOINT /usr/local/bin/root.sh diff --git a/README.md b/README.md index 9a27817..c3b8a55 100644 --- a/README.md +++ b/README.md 
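Review bot: `RUN apt -y install /src/GBPCEFwr64.deb || :` installs a `.deb` that arrived via a bare remote `ADD`, as root, and then discards the exit status, so a failed or tampered download produces an image that builds cleanly but has no `warsaw` for `root.sh` to start; verify a digest committed to the repository and let failure fail, e.g. `RUN echo "<sha256>  /src/GBPCEFwr64.deb" | sha256sum -c - && apt-get install -y /src/GBPCEFwr64.deb`, and if the `|| :` exists because the package's maintainer scripts fail inside a container, say so in a comment and assert the thing you rely on instead (`test -x /usr/local/bin/warsaw/core`). The retained `USER ff` at the top of the hunk now precedes both the new `apt-get install` steps and the `useradd` that creates `ff`, so unless the one unseen line between this hunk and the previous one switches back to root the build stops there; since `root.sh` drops privileges with `setpriv` itself, that `USER ff` should simply be removed. `ENV LANG="pt_BR.UTF-8 UTF-8"` is the `/etc/locale.gen` line format, not a valid `LANG`, and it is what every `docker run` that does not override it like the compose file gets; keep the generation string inside the `RUN` and set `ENV LANG=pt_BR.UTF-8`. `ENTRYPOINT /usr/local/bin/root.sh` is shell form, so `/bin/sh -c` is the process that receives `docker stop`'s SIGTERM, not the script; use `ENTRYPOINT ["/usr/local/bin/root.sh"]`.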
@@ -1,6 +1,16 @@ # wscef-docker -Warsaw in docker container +[![Join the chat at https://gitter.im/farribeiro/wscef-docker](https://badges.gitter.im/farribeiro/wscef-docker.svg)](https://gitter.im/farribeiro/wscef-docker?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge) + +Warsaw in docker container. Warsaw is a security module, a.k.a Guardião, for brazilian +internet banking. This project is compatible of Banco do Brasil, Caixa Econômica +Federal and Sicredi. + +## Pre-requisites + +- Docker and Docker-Compose of your distro. +- Set BANKFILES variable (as `export BANKFILES=/home/ff/Downloads/Bankfiles`) to prevent volume creation error +- For transparency, privacy and security NEVER USE ANY PRE-BUILT DOCKER IMAGE FROM THIS PROJECT. Obtain a copy of the source code of this repository, check the content and build your own image. ## Instructions 
@@ -9,14 +19,23 @@ since environments and volumes are set on `docker-compose.yml`. **To build:** `docker-compose build wscef` -**To pulling existing image:** `docker-compose pull` - **To first run:** `docker-compose run --name wscef wscef` -**To other runs:** `docker start -a wscef` +**To other runs:** `docker start -i -a wscef` + +**To purge everthing:** `docker-compose down --rmi all`, thanks[1] + +**To force replace the container:** `docker-compose up --force-recreate`, thanks[1] + +**PS:** Reports that the warsaw daemon for CEF works for: +- BB site: https://github.com/farribeiro/wscef-docker/issues/9#issuecomment-308244119 +- Sicredi ( https://github.com/farribeiro/wscef-docker/pull/72#issuecomment-573244722) + +~~**PS:** you must run Docker using a GNU/Linux distro running xorg. +Be aware some installations may run another display server, such as Wayland.~~ + +The latest firefox release support wayland, not tested with xauth -**PS:** Reports that the warsaw daemon for CEF works for the BB site: -https://github.com/farribeiro/wscef-docker/issues/9#issuecomment-308244119 +**PS:** The root password is **wscef** by https://github.com/farribeiro/wscef-docker/issues/29 -**PS:** you must run Docker using a GNU/Linux distro running xorg. -Be aware some installations may run another display server, such as Wayland. +[1] https://github.com/jsalatiel/wsbb-docker/commit/72e42bb5f04fbe8eb1f7f3e6226975aba137dcb5#diff-3254677a7917c6c01f55212f86c57fbf diff --git a/docker-compose.yml b/docker-compose.yml index 1be8947..291add4 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -1,18 +1,31 @@ -version: '2' +version: '3.7' services: wscef: + container_name: wscef image: farribeiro/wscef-docker build: . - devices: - - /dev/snd:/dev/snd + init: true + cap_drop: + - ALL + cap_add: + - SETUID + - SETGID + - AUDIT_WRITE + - DAC_OVERRIDE + security_opt: + - no-new-privileges:true environment: + - LANG=pt_BR.UTF-8 + - TZ=${TZ} - DISPLAY=${DISPLAY} - - XAUTHORITY=/home/ff/.Xauthority - - HOST_HOSTNAME=${HOSTNAME} - cpuset: '0' - mem_limit: 512M + deploy: + resources: + limits: + cpus: '0.50' + memory: 512M + shm_size: 2g volumes: - - /dev/shm:/dev/shm - /tmp/.X11-unix:/tmp/.X11-unix - ${XAUTHORITY}:/tmp/.docker.xauth:ro - - ~/BankFiles:/home/ff/Downloads + - ${BANKFILES}:/home/ff/Downloads + - /etc/machine-id:/etc/machine-id:ro diff --git a/root.sh b/root.sh new file mode 100644 index 0000000..edd1807 --- /dev/null +++ b/root.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +/etc/init.d/warsaw start + +# Run Firefox as non privileged user +setpriv --reuid=ff --regid=ff --init-groups --inh-caps=-all --reset-env env DISPLAY=$DISPLAY LANG=$LANG TZ=$TZ startup.sh diff --git a/startup.sh b/startup.sh index d8838b8..7efa274 100644 --- a/startup.sh +++ b/startup.sh 
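Review bot: Moving the limits from `cpuset`/`mem_limit` to `deploy.resources.limits` in a `version: '3.7'` file means they are only applied by `docker stack deploy` or by `docker-compose --compatibility`; with the `docker-compose build`/`run` flow the README documents, the container now runs with no CPU or memory cap at all, so either document `--compatibility` or keep a v2-style file with `mem_limit: 512M` and `cpus: '0.50'`. The `cap_drop: ALL` plus `no-new-privileges:true` hardening is the right direction, but `DAC_OVERRIDE` lets the root-owned startup path read and write any file regardless of its mode and nothing in the diff shows which step needs it; try without it, and add a comment next to each retained capability naming the command that requires it. Bind-mounting the host's `/etc/machine-id` makes the host's persistent identifier readable by the vendor module that talks to the bank; if warsaw requires it, a comment saying so lets users make that trade-off knowingly.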
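Review bot: `/etc/init.d/warsaw start` is run without checking its result and the script has no `set -e`, so when the daemon fails to come up (for instance because the Dockerfile's `apt -y install /src/GBPCEFwr64.deb || :` silently skipped the package) Firefox is launched anyway and the user only finds out at the bank's site; guard it: `/etc/init.d/warsaw start || { echo 'warsaw failed to start' >&2; exit 1; }`. The privilege drop via `setpriv --reuid=ff --regid=ff --init-groups --inh-caps=-all --reset-env` is the right shape, but prefix it with `exec` so the root shell does not stay alive as the parent of the unprivileged session. After `--reset-env` only `DISPLAY`, `LANG` and `TZ` are forwarded; `startup.sh` also uses `HOSTNAME`, which bash presumably repopulates itself, but a comment stating that the remaining environment is intentionally dropped would make the contract explicit.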
@@ -1,27 +1,14 @@ #!/bin/bash -export LANG="pt_BR.UTF-8" +runx() { + XAUTHORITY=/tmp/auth "$@" +} -if [ -n "${XAUTHORITY}" ] && [ -n "${HOST_HOSTNAME}" ] -then - if [ "${HOSTNAME}" != "${HOST_HOSTNAME}" ] - then - [ -f ${XAUTHORITY} ] || touch ${XAUTHORITY} - xauth add ${HOSTNAME}/unix${DISPLAY} . \ - $(xauth -f /tmp/.docker.xauth list ${HOST_HOSTNAME}/unix${DISPLAY} | awk '{ print $NF }') - else - cp /tmp/.docker.xauth ${XAUTHORITY} - fi -fi - -if [ ! -d ~/.mozilla ] -then - firefox -CreateProfile default \ - && su -c "apt update && apt -y upgrade && apt -y install /src/GBPCEFwr64.deb" -else - su -c "/etc/init.d/warsaw start" -fi +cp /tmp/.docker.xauth /tmp/auth +runx xauth add ${HOSTNAME}/unix${DISPLAY} . $(runx xauth list | awk '$1 !~ /localhost/ {print $3; exit}') +runx xauth generate $DISPLAY . untrusted timeout 0 su -c "/etc/init.d/pcscd start" /usr/local/bin/warsaw/core \ -&& firefox -private-window www.caixa.gov.br +&& runx firefox -no-remote -CreateProfile default \ +&& runx firefox -no-remote -private-window --class CaixaEconomica --name CaixaEconomica https://www.caixa.gov.br
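Review bot: The retained `su -c "/etc/init.d/pcscd start"` now runs as `ff`, after `root.sh` has dropped privileges with `setpriv … --inh-caps=-all` and under the compose file's `no-new-privileges:true`, which prevents the setuid `su` binary from regaining root (and without that flag it would presumably just prompt for the root password), so pcscd is not going to be started from here; start it in `root.sh` next to warsaw, before the privilege drop, and delete the `su` line from this script. The cookie handling is a good idea, since `xauth generate $DISPLAY . untrusted timeout 0` is meant to replace the trusted host cookie copied in by the preceding `xauth add` so Firefox cannot snoop other X clients, but the script has no `set -e` and the two commands are not chained, so if `generate` fails the trusted cookie stays in `/tmp/auth` and the protection silently vanishes; chain them, `runx xauth add … && runx xauth generate $DISPLAY . untrusted timeout 0 || exit 1`. The `awk '$1 !~ /localhost/ {print $3; exit}'` selector takes the first non-localhost entry regardless of display number, which is fine for a single-display host but would pick up the wrong cookie on one with several; matching on `unix${DISPLAY}` as the old code did would be safer.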