ONLYOFFICE / Docker-DocumentServer

ONLYOFFICE Document Server is an online office suite comprising viewers and editors for texts, spreadsheets and presentations, fully compatible with Office Open XML formats: .docx, .xlsx, .pptx and enabling collaborative editing in real time.
GNU Affero General Public License v3.0

Feature: execute run-document-server.sh as nonroot #172

Open MnrGreg opened 5 years ago

MnrGreg commented 5 years ago

Feature request:

The 'ENTRYPOINT run-document-server.sh' currently runs as root. Good container platform practices prevent the execution of containers running as root. Most enterprise Kubernetes distributions enforce this through Pod Security Policies.

Adding 'USER ds' prior to the 'ENTRYPOINT' forces the script to run as the ds user, however, many subsequent steps fail.

The ask is for this container's permission structure to be updated to run as nonroot.

ShockwaveNN commented 5 years ago

@MnrGreg Thanks for your proposal, we'll think about it

durandx commented 4 years ago

Hello,

Do you have any update about this enhancement? Thanks.

SuperSandro2000 commented 4 years ago

Then the default port probably couldn't be 80. Source https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/master/run-document-server.sh#L16

edvinkuric commented 4 years ago

> Then the default port probably couldn't be 80. Source https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/master/run-document-server.sh#L16

Yes that's true - I would also love to run this setup as non-root

Thank you very much :)

igwyd commented 5 months ago

Ticket #66316

gowy222 commented 2 months ago

+1

```text
--> RUN useradd -m -u 1000 user
CACHED

--> Restoring cache
DONE 23.0s

--> RUN chown -R user:user / &&     chmod -R u+rwx /

mkdir: cannot create directory ‘/usr/share/ca-certificates/ds’: Permission denied
mkdir: cannot create directory ‘/var/log/onlyoffice/documentserver’: Permission denied
mkdir: cannot create directory ‘/var/log/onlyoffice/documentserver’: Permission denied
mkdir: cannot create directory ‘/var/log/onlyoffice/documentserver’: Permission denied
mkdir: cannot create directory ‘/var/log/onlyoffice/documentserver-example’: Permission denied
chown: cannot access '/var/log/onlyoffice/documentserver': No such file or directory
chmod: cannot access '/var/log/onlyoffice/documentserver': No such file or directory
chown: cannot access '/var/log/onlyoffice/documentserver-example': No such file or directory
chmod: cannot access '/var/log/onlyoffice/documentserver-example': No such file or directory
chown: changing ownership of '/var/lib/onlyoffice/documentserver/App_Data/cache/files': Operation not permitted
chown: changing ownership of '/var/lib/onlyoffice/documentserver/App_Data/cache': Operation not permitted
chown: changing ownership of '/var/lib/onlyoffice/documentserver/App_Data/docbuilder': Operation not permitted
chown: changing ownership of '/var/lib/onlyoffice/documentserver/App_Data': Operation not permitted
chown: changing ownership of '/var/lib/onlyoffice/documentserver': Operation not permitted
chown: changing ownership of '/var/lib/onlyoffice/documentserver-example/files': Operation not permitted
chown: changing ownership of '/var/lib/onlyoffice/documentserver-example': Operation not permitted
chown: changing ownership of '/var/lib/onlyoffice': Operation not permitted
chmod: changing permissions of '/var/lib/onlyoffice': Operation not permitted
chmod: changing permissions of '/var/lib/onlyoffice/documentserver': Operation not permitted
chmod: changing permissions of '/var/lib/onlyoffice/documentserver/App_Data': Operation not permitted
chmod: changing permissions of '/var/lib/onlyoffice/documentserver/App_Data/cache': Operation not permitted
chmod: changing permissions of '/var/lib/onlyoffice/documentserver/App_Data/cache/files': Operation not permitted
chmod: changing permissions of '/var/lib/onlyoffice/documentserver/App_Data/docbuilder': Operation not permitted
chmod: changing permissions of '/var/lib/onlyoffice/documentserver-example': Operation not permitted
chmod: changing permissions of '/var/lib/onlyoffice/documentserver-example/files': Operation not permitted
sed: couldn't open temporary file /var/www/onlyoffice/documentserver-example/welcome/sedhCm8hB: Permission denied

..
```

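The failure pattern in this thread (MnrGreg's report that `USER ds` breaks later steps, SuperSandro2000's point about port 80, and the `mkdir`/`chown`/`sed` errors in the log above) is what a preflight check catches before the real entrypoint runs. The script below is an added example, not code from the ONLYOFFICE project: the path list is assumed from the log, and the `DS_PORT`/`DS_WRITABLE_PATHS` variables and `--run` flag are this example's own.

```shell
#!/bin/sh
# Added example (not part of the ONLYOFFICE project): a preflight check that an
# entrypoint can run before its mkdir/chown/sed steps, so a non-root container
# fails fast with one clear line per problem instead of pages of
# "Permission denied" / "Operation not permitted" output.

# Directories taken from the failure log in this thread. Treating them as
# "must be writable by the service user" is this example's assumption.
DS_WRITABLE_PATHS="${DS_WRITABLE_PATHS:-/var/log/onlyoffice /var/lib/onlyoffice /var/www/onlyoffice/documentserver-example/welcome /usr/share/ca-certificates/ds}"

# writable_or_creatable PATH: 0 if PATH is a writable+searchable directory, or if
# PATH is missing but its nearest existing ancestor is one (mkdir -p would
# succeed); 1 otherwise.
writable_or_creatable() {
    p=$1
    while [ ! -e "$p" ]; do p=$(dirname "$p"); done
    [ -d "$p" ] && [ -w "$p" ] && [ -x "$p" ]
}

# port_allowed PORT [UID]: binding below 1024 needs uid 0 (or
# CAP_NET_BIND_SERVICE); 0 if PORT is usable for UID (default: current uid).
port_allowed() {
    port=$1; uid=${2:-$(id -u)}
    [ "$port" -ge 1024 ] || [ "$uid" -eq 0 ]
}

# preflight PORT UID PATH...: prints one line per problem; the return status is
# the number of problems found (0 = safe to continue with the real entrypoint).
preflight() {
    port=$1; uid=$2; shift 2
    failures=0
    port_allowed "$port" "$uid" || {
        echo "port $port needs root; with uid $uid use a port >= 1024"
        failures=$((failures + 1)); }
    for d in "$@"; do
        writable_or_creatable "$d" || {
            echo "uid $uid cannot write $d (fix ownership at image build time)"
            failures=$((failures + 1)); }
    done
    return "$failures"
}

# Stand-alone use: sh preflight.sh --run  (checks DS_PORT, default 80, and
# DS_WRITABLE_PATHS as the current user). Without --run only functions load.
if [ "${1:-}" = "--run" ]; then
    # shellcheck disable=SC2086  # word splitting of the path list is intended
    preflight "${DS_PORT:-80}" "$(id -u)" $DS_WRITABLE_PATHS
    exit $?
fi
```

Run as root it reports nothing, which is exactly the gap the issue describes: the image only works because the entrypoint is privileged, and the check makes that dependency visible the moment `USER` is changed.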