From edb1bfcdfe23d42cdaa94b40fb87361b1d9dac42 Mon Sep 17 00:00:00 2001
From: Logan Bussell
Date: Wed, 8 Mar 2023 13:46:51 -0800
Subject: [PATCH] Use default shell for non-root user in non-distroless images (#4477)
---
 .../runtime-deps/Dockerfile.linux.distroless-user | 3 ++-
 .../runtime-deps/Dockerfile.linux.non-root-user | 7 ++++---
 src/runtime-deps/8.0/alpine3.17/amd64/Dockerfile | 1 -
 src/runtime-deps/8.0/alpine3.17/arm32v7/Dockerfile | 1 -
 src/runtime-deps/8.0/alpine3.17/arm64v8/Dockerfile | 1 -
 src/runtime-deps/8.0/bookworm-slim/amd64/Dockerfile | 1 -
 src/runtime-deps/8.0/bookworm-slim/arm32v7/Dockerfile | 1 -
 src/runtime-deps/8.0/bookworm-slim/arm64v8/Dockerfile | 1 -
 src/runtime-deps/8.0/cbl-mariner2.0/amd64/Dockerfile | 1 -
 src/runtime-deps/8.0/cbl-mariner2.0/arm64v8/Dockerfile | 1 -
 src/runtime-deps/8.0/jammy/amd64/Dockerfile | 1 -
 src/runtime-deps/8.0/jammy/arm32v7/Dockerfile | 1 -
 src/runtime-deps/8.0/jammy/arm64v8/Dockerfile | 1 -
 13 files changed, 6 insertions(+), 15 deletions(-)
diff --git a/eng/dockerfile-templates/runtime-deps/Dockerfile.linux.distroless-user b/eng/dockerfile-templates/runtime-deps/Dockerfile.linux.distroless-user
index 0fd74c5dcf..a9460b49a3 100644
--- a/eng/dockerfile-templates/runtime-deps/Dockerfile.linux.distroless-user
+++ b/eng/dockerfile-templates/runtime-deps/Dockerfile.linux.distroless-user
@@ -16,7 +16,8 @@ "name": ARGS["name"], "uid": ARGS["uid"], "gid": ARGS["gid"], - "no-create-home": ARGS["no-create-home"] + "no-create-home": ARGS["no-create-home"], + "no-shell": "true" ])}} \{{if !ARGS["no-create-home"]: && install -d -m 0755 -o {{ARGS["uid"]}} -g {{ARGS["gid"]}} "{{ARGS["staging-dir"]}}/home/{{ARGS["name"]}}" \}}{{ if ARGS["exclusive"]:{{if ARGS["create-dir"]:
diff --git a/eng/dockerfile-templates/runtime-deps/Dockerfile.linux.non-root-user b/eng/dockerfile-templates/runtime-deps/Dockerfile.linux.non-root-user
index 2dcc1abf2b..d78ec083a9 100644
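Review bot: The new `"no-shell": "true"` argument is a string literal, while the adjacent `"no-create-home": ARGS["no-create-home"]` forwards the caller's value, so the two arguments reach the consuming template (presumably the `{{if ARGS["no-shell"]:` branch in the non-root-user hunk below) in different forms; if the template engine treats any non-empty string as true, which I have not confirmed here, a future caller passing `"false"` would still end up with `/bin/false`. Pinning the literal is the right outcome for distroless images, which the subject line says keep `/bin/false`, but that intent is not recorded next to the line. I would add a one-line note beside this argument, in the template's own comment syntax, saying that distroless images always force the shell to /bin/false and that the flag is deliberately not exposed to callers. The user-creation call this argument belongs to begins before the hunk, and the home-directory `install -d` step continues past it.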
--- a/eng/dockerfile-templates/runtime-deps/Dockerfile.linux.non-root-user
+++ b/eng/dockerfile-templates/runtime-deps/Dockerfile.linux.non-root-user
@@ -4,7 +4,8 @@ name: Name of the user/group to create uid: ID of the user to be created gid: ID of the group to be created - no-create-home (optional): Indicates whether a home directory should be created for the user ^ + no-create-home (optional): Indicates whether a home directory should be created for the user + no-shell (optional): Indicates whether the shell should be set to /bin/false ^ set dotnetVersion to join(slice(split(PRODUCT_VERSION, "."), 0, 2), ".") ^ set isAlpine to find(OS_VERSION, "alpine") >= 0 ^ set isDebian to find(OS_ARCH_HYPHENATED, "Debian") >= 0 ^
@@ -21,8 +22,8 @@ {{ARGS["name"]}} \ && {{if isDebian:useradd^else:adduser}} \ --uid {{ARGS["uid"]}} \ - {{if isAlpine:--ingroup={{ARGS["name"]}}^else:--gid {{ARGS["gid"]}}}} \ - --shell /bin/false \{{if ARGS["no-create-home"]: + {{if isAlpine:--ingroup={{ARGS["name"]}}^else:--gid {{ARGS["gid"]}}}} \{{if ARGS["no-shell"]: + --shell /bin/false \}}{{if ARGS["no-create-home"]: --no-create-home \^elif dotnetVersion != "6.0" && dotnetVersion != "7.0" && (isMariner || isDebian): --create-home \}} --system \
diff --git a/src/runtime-deps/8.0/alpine3.17/amd64/Dockerfile b/src/runtime-deps/8.0/alpine3.17/amd64/Dockerfile
index 050193985f..b5a237f06b 100644
--- a/src/runtime-deps/8.0/alpine3.17/amd64/Dockerfile
+++ b/src/runtime-deps/8.0/alpine3.17/amd64/Dockerfile
@@ -19,7 +19,6 @@ RUN addgroup \ && adduser \ --uid 101 \ --ingroup=app \ - --shell /bin/false \ --system \ app
diff --git a/src/runtime-deps/8.0/alpine3.17/arm32v7/Dockerfile b/src/runtime-deps/8.0/alpine3.17/arm32v7/Dockerfile
index b3e742d8a6..07ebe9f863 100644
--- a/src/runtime-deps/8.0/alpine3.17/arm32v7/Dockerfile
+++ b/src/runtime-deps/8.0/alpine3.17/arm32v7/Dockerfile
@@ -19,7 +19,6 @@ RUN addgroup \ && adduser \ --uid 101 \ --ingroup=app \ - --shell /bin/false \ --system \ app 
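Review bot: With `--shell /bin/false` now emitted only under `{{if ARGS["no-shell"]:`, the login shell of the non-root user in every non-distroless image becomes whatever each distribution's `useradd`/`adduser` default happens to be (as I understand it BusyBox `adduser` on Alpine, and shadow's `useradd` reading `/etc/default/useradd` on the Debian and Mariner branches selected by `isDebian`), so the shell can differ per image family and silently change when a base image alters that default. The commit subject records the intent, but neither hunk of this file says why a real shell is now wanted or that `/bin/false` remains available as a hardening option; the `no-shell` doc line in the first hunk is the place for it, e.g. `no-shell (optional): Indicates whether the shell should be set to /bin/false; when unset the user keeps the distribution's default login shell (intended for non-distroless images)`. Deriving an explicit `--shell` value from the existing `isAlpine`/`isDebian` switches would make the result stated rather than inherited, but that is a larger change than this PR. The `useradd`/`adduser` invocation this hunk edits starts before the hunk and ends after it.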
diff --git a/src/runtime-deps/8.0/alpine3.17/arm64v8/Dockerfile b/src/runtime-deps/8.0/alpine3.17/arm64v8/Dockerfile
index 80a909f5c2..6291b94c2a 100644
--- a/src/runtime-deps/8.0/alpine3.17/arm64v8/Dockerfile
+++ b/src/runtime-deps/8.0/alpine3.17/arm64v8/Dockerfile
@@ -19,7 +19,6 @@ RUN addgroup \ && adduser \ --uid 101 \ --ingroup=app \ - --shell /bin/false \ --system \ app
diff --git a/src/runtime-deps/8.0/bookworm-slim/amd64/Dockerfile b/src/runtime-deps/8.0/bookworm-slim/amd64/Dockerfile
index 9275d4739c..037d64a728 100644
--- a/src/runtime-deps/8.0/bookworm-slim/amd64/Dockerfile
+++ b/src/runtime-deps/8.0/bookworm-slim/amd64/Dockerfile
@@ -22,7 +22,6 @@ RUN groupadd \ && useradd \ --uid 101 \ --gid 101 \ - --shell /bin/false \ --create-home \ --system \ app
diff --git a/src/runtime-deps/8.0/bookworm-slim/arm32v7/Dockerfile b/src/runtime-deps/8.0/bookworm-slim/arm32v7/Dockerfile
index 94c8a4ef79..0091ac3090 100644
--- a/src/runtime-deps/8.0/bookworm-slim/arm32v7/Dockerfile
+++ b/src/runtime-deps/8.0/bookworm-slim/arm32v7/Dockerfile
@@ -22,7 +22,6 @@ RUN groupadd \ && useradd \ --uid 101 \ --gid 101 \ - --shell /bin/false \ --create-home \ --system \ app
diff --git a/src/runtime-deps/8.0/bookworm-slim/arm64v8/Dockerfile b/src/runtime-deps/8.0/bookworm-slim/arm64v8/Dockerfile
index 849d7391ed..9ab420b447 100644
--- a/src/runtime-deps/8.0/bookworm-slim/arm64v8/Dockerfile
+++ b/src/runtime-deps/8.0/bookworm-slim/arm64v8/Dockerfile
@@ -22,7 +22,6 @@ RUN groupadd \ && useradd \ --uid 101 \ --gid 101 \ - --shell /bin/false \ --create-home \ --system \ app
diff --git a/src/runtime-deps/8.0/cbl-mariner2.0/amd64/Dockerfile b/src/runtime-deps/8.0/cbl-mariner2.0/amd64/Dockerfile
index c6b97f52fa..cb74918590 100644
--- a/src/runtime-deps/8.0/cbl-mariner2.0/amd64/Dockerfile
+++ b/src/runtime-deps/8.0/cbl-mariner2.0/amd64/Dockerfile
@@ -23,7 +23,6 @@ RUN tdnf install -y \ && adduser \ --uid 101 \ --gid 101 \ - --shell /bin/false \ --create-home \ --system \ app \ 
diff --git a/src/runtime-deps/8.0/cbl-mariner2.0/arm64v8/Dockerfile b/src/runtime-deps/8.0/cbl-mariner2.0/arm64v8/Dockerfile
index c6b97f52fa..cb74918590 100644
--- a/src/runtime-deps/8.0/cbl-mariner2.0/arm64v8/Dockerfile
+++ b/src/runtime-deps/8.0/cbl-mariner2.0/arm64v8/Dockerfile
@@ -23,7 +23,6 @@ RUN tdnf install -y \ && adduser \ --uid 101 \ --gid 101 \ - --shell /bin/false \ --create-home \ --system \ app \
diff --git a/src/runtime-deps/8.0/jammy/amd64/Dockerfile b/src/runtime-deps/8.0/jammy/amd64/Dockerfile
index b25b847fef..28012bf426 100644
--- a/src/runtime-deps/8.0/jammy/amd64/Dockerfile
+++ b/src/runtime-deps/8.0/jammy/amd64/Dockerfile
@@ -22,7 +22,6 @@ RUN groupadd \ && adduser \ --uid 101 \ --gid 101 \ - --shell /bin/false \ --system \ app
diff --git a/src/runtime-deps/8.0/jammy/arm32v7/Dockerfile b/src/runtime-deps/8.0/jammy/arm32v7/Dockerfile
index b25b847fef..28012bf426 100644
--- a/src/runtime-deps/8.0/jammy/arm32v7/Dockerfile
+++ b/src/runtime-deps/8.0/jammy/arm32v7/Dockerfile
@@ -22,7 +22,6 @@ RUN groupadd \ && adduser \ --uid 101 \ --gid 101 \ - --shell /bin/false \ --system \ app
diff --git a/src/runtime-deps/8.0/jammy/arm64v8/Dockerfile b/src/runtime-deps/8.0/jammy/arm64v8/Dockerfile
index b25b847fef..28012bf426 100644
--- a/src/runtime-deps/8.0/jammy/arm64v8/Dockerfile
+++ b/src/runtime-deps/8.0/jammy/arm64v8/Dockerfile
@@ -22,7 +22,6 @@ RUN groupadd \ && adduser \ --uid 101 \ --gid 101 \ - --shell /bin/false \ --system \ app