Alfresco / alfresco-sdk

The Alfresco In-Process SDK is based on Apache Maven and includes support for rapid and standard development, testing, packaging, versioning and release of your Alfresco integration and extension projects.
Apache License 2.0
185 stars 113 forks

Dockerfile USER ${USERNAME} is wrong #612

Closed swagner closed 2 years ago

swagner commented 3 years ago

Build arguments are not persisted in images, so they will not be available in builds FROM a parent image.

(Besides the fact that in the Alfresco Dockerfile it's called IMAGEUSERNAME.)

asauvez commented 3 years ago

Indeed, the argument name is IMAGEUSERNAME in the parent Dockerfile: https://github.com/Alfresco/acs-packaging/blob/6.2.0.7/docker-alfresco/Dockerfile but the argument is not inherited. So the current "USER ${USERNAME}" does nothing and Alfresco runs as root.

I propose the following fix: https://github.com/asauvez/alfresco-sdk/commit/53c08a62081db1b9e403b49b1561bdd98c809192

As soon as Alfresco stops running as root, it is not able to write alfresco.log in /usr/local/tomcat/. Since we are in a development environment, I do not see the point of storing logs. They are not visible from the host, and we mostly use the console logs with "./run.sh tail". So I removed the logging to alfresco.log in dev-log4j.properties. This only affects the development environment.
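The build-argument scoping problem described in this thread, shown as an added example in a single multi-stage Dockerfile. This is illustrative code, not the SDK's template and not the content of the linked commit; the stand-in parent stage, the `alpine` base and the assumption that the parent's argument is named `IMAGEUSERNAME` with default `alfresco` are all constructed for the example.

```dockerfile
# Stand-in for the parent image (constructed; the real Alfresco base image is different).
FROM alpine:3.19 AS parent
# Assumption: the parent declares this ARG and uses it to create its service account.
ARG IMAGEUSERNAME=alfresco
RUN adduser -D "${IMAGEUSERNAME}"
# Leave the parent's final stage as root, which is the situation the thread describes.
USER root

# Child image, in the position of the SDK-generated Dockerfile.
FROM parent

# BROKEN (the behaviour reported in the issue):
# ARG values are build-time only and are not inherited by a child image, and
# USERNAME was never declared in this file at all, so ${USERNAME} expands to
# nothing, the USER instruction has no effect, and the container keeps running as root.
#
#   USER ${USERNAME}

# FIXED: redeclare the argument in the child, restating the default so the
# build also works without --build-arg, and only then switch user. The name
# must match what the parent actually created (IMAGEUSERNAME here, per the thread).
ARG IMAGEUSERNAME=alfresco
USER ${IMAGEUSERNAME}
```

A cheap check after building is to run the image with `id -un` (for example `docker run --rm <image> id -un`) and confirm the printed user is the unprivileged account rather than `root`; any path the process must write to, such as the log directory mentioned above, then has to be writable by that user or the logging target has to be changed, which is the second half of the proposed fix.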

binduwavell commented 3 years ago

I would just like to add that we also ran into this issue, and we use the SDK to create production-ready containers, so this oops is a security concern (at least for us).

andrea-ligios commented 2 years ago

This has been fixed in SDK 4.3, which will be out in the next few days.

7.x will switch back to the unprivileged user alfresco, while 6.x (which didn't have this separation in the base image yet) will keep running as root.

In either case, the log file destination has been fixed too.