From e59984067b5a2530ef1afeeaa24161a6242e0c73 Mon Sep 17 00:00:00 2001
From: Fredrik Fornwall
Date: Sun, 22 Jan 2017 23:13:48 +0100
Subject: [PATCH] Use non-root user when using docker
We now use a non-root user when building packages using a docker container. This allows detecting misconfigured packages which try to install files outside of $TERMUX_PREFIX or otherwise mess with the system during a build.
---
scripts/Dockerfile | 26 ++++++++++++++------------
scripts/run-docker.sh | 10 +++-------
2 files changed, 17 insertions(+), 19 deletions(-)
diff --git a/scripts/Dockerfile b/scripts/Dockerfile
index 43f4ba577..2c750466a 100644
--- a/scripts/Dockerfile
+++ b/scripts/Dockerfile
@@ -9,26 +9,28 @@ FROM ubuntu:16.10
 # Fix locale to avoid warnings:
 ENV LANG C.UTF-8
-# We expect this to be mounted with '-v $PWD:/root/termux-packages':
-WORKDIR /root/termux-packages
-
 # Needed for setup:
 ADD ./setup-ubuntu.sh /tmp/setup-ubuntu.sh
 ADD ./setup-android-sdk.sh /tmp/setup-android-sdk.sh
-# Allow configure to be run as root:
-ENV FORCE_UNSAFE_CONFIGURE 1
-
 # Setup needed packages and the Android SDK and NDK:
 RUN apt-get update && \
- DEBIAN_FRONTEND=noninteractive apt-get install -yq sudo && \
- /tmp/setup-ubuntu.sh && \
- apt-get clean && \
- /tmp/setup-android-sdk.sh && \
+ apt-get -yq upgrade && \
+ apt-get install -yq sudo && \
+ adduser --disabled-password --shell /bin/bash --gecos "" builder && \
+ echo "builder ALL=(root) NOPASSWD:ALL" > /etc/sudoers.d/builder && \
+ chmod 0440 /etc/sudoers.d/builder && \
+ su - builder -c /tmp/setup-ubuntu.sh && \
+ su - builder -c /tmp/setup-android-sdk.sh && \
 # Removed unused parts to make a smaller Docker image:
- cd /root/lib/android-ndk/ && \
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists/* && \
+ cd /home/builder/lib/android-ndk/ && \
 rm -Rf toolchains/mips* && \
 rm -Rf sources/cxx-stl/gabi++ sources/cxx-stl/llvm-libc++* sources/cxx-stl/system/ sources/cxx-stl/stlport && \
 cd platforms && ls | grep -v android-21 | xargs rm -Rf && \
- cd /root/lib/android-sdk/tools && rm -Rf emulator* lib* proguard templates
+ cd /home/builder/lib/android-sdk/tools && rm -Rf emulator* lib* proguard templates
+
+# We expect this to be mounted with '-v $PWD:/home/builder/termux-packages':
+WORKDIR /home/builder/termux-packages
diff --git a/scripts/run-docker.sh b/scripts/run-docker.sh
index d14127d07..f751cf89a 100755
--- a/scripts/run-docker.sh
+++ b/scripts/run-docker.sh
@@ -1,10 +1,6 @@
 #!/bin/sh
 set -e -u
-# Read settings from .termuxrc if existing
-test -f $HOME/.termuxrc && . $HOME/.termuxrc
-: ${TERMUX_TOPDIR:="$HOME/.termux-build"}
-
 IMAGE_NAME=termux/package-builder
 CONTAINER_NAME=termux-package-builder
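Review bot: The sudoers rule written by `echo "builder ALL=(root) NOPASSWD:ALL" > /etc/sudoers.d/builder` stays in the final image, so `builder` can become root on demand and a package build that invokes `sudo` would still write outside $TERMUX_PREFIX without being noticed, which is exactly the case the commit message sets out to catch. If the two setup scripts are the only thing that needs root, remove the rule at the end of the same `RUN` with `&& rm /etc/sudoers.d/builder`, or narrow it to the commands those scripts actually need (setup-ubuntu.sh is not visible here, so I can't say which). The image also never switches its default user: there is no `USER builder` after the `RUN`, so a plain `docker run` still starts as root and the non-root behaviour depends entirely on run-docker.sh passing `-u builder`; adding `USER builder` at the end of the stage makes the image enforce it. Separately, the new `apt-get -yq upgrade` inside the build is what hadolint DL3005 flags; bumping the `ubuntu:16.10` base tag is the reproducible way to pick up fixes.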
@@ -15,14 +11,14 @@ docker start $CONTAINER_NAME > /dev/null 2> /dev/null || {
 docker run \
 -d \
 --name $CONTAINER_NAME \
- -v $PWD:/root/termux-packages \
+ -v $PWD:/home/builder/termux-packages \
 -t $IMAGE_NAME
 }
 if [ "$#" -eq "0" ]; then
- docker exec -it $CONTAINER_NAME bash
+ docker exec -i -t -u builder $CONTAINER_NAME bash
 else
- docker exec -it $CONTAINER_NAME $@
+ docker exec -i -t -u builder $CONTAINER_NAME $@
 fi
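Review bot: The rewritten `docker exec -i -t -u builder $CONTAINER_NAME $@` still passes `$@` unquoted, so under `sh` an argument containing spaces or glob characters is split and expanded before it reaches the container; the fix is `docker exec -i -t -u builder "$CONTAINER_NAME" "$@"`. The same applies to the new `-v $PWD:/home/builder/termux-packages \` — a checkout path containing a space breaks the mount — so write `-v "$PWD":/home/builder/termux-packages \`. Note that only the `exec` calls get `-u builder`; the container itself is still created by `docker run -d ... -t $IMAGE_NAME` with the image's default user, so its long-lived main process runs as root unless the Dockerfile sets `USER`, and passing `-u builder` to `docker run` here would close that gap independently. The `docker run` block sits inside the `|| {` group whose opening line is outside the hunk.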