fix: `WORKDIR` before `adduser` avoids surprises

The additions from `adduser` reading `/etc` do not appear to apply if the directory already exists, and permissions (including SGID) are adjusted properly for the home dir.

This means the excess backup copies in `/etc` are introduced again, however.
Brennan Kinney 2023-03-22 21:16:50 +13:00
parent 48c180d0d8
commit 0b86094ab9
1 changed files with 5 additions and 15 deletions


@ -70,24 +70,14 @@ EOF
FROM scratch
ARG INSTALL_ROOT
COPY --link --from=builder ${INSTALL_ROOT} /
RUN <<EOF
# Create user:
echo 'testssl:x:1000:1000::/home/testssl:/bin/bash' >> /etc/passwd
echo 'testssl:x:1000:' >> /etc/group
echo 'testssl:!::0:::::' >> /etc/shadow
# Create user home with SGID set:
install --mode 2755 --owner testssl --group testssl --directory /home/testssl
# Add relative symlink to point to content that will COPY later:
ln -sr /home/testssl/testssl.sh /usr/local/bin/
WORKDIR /home/testssl
RUN --mount=type=bind,from=busybox:latest,source=/bin,target=/bin <<EOF
/bin/adduser -D -s /bin/bash testssl
/bin/ln -s /home/testssl/testssl.sh /usr/local/bin/
EOF
USER testssl
WORKDIR /home/testssl/
# Copy over build context (after filtered by .dockerignore): bin/ etc/ testssl.sh
COPY --chown=testssl:testssl . /home/testssl/
USER testssl
ENTRYPOINT ["testssl.sh"]
CMD ["--help"]
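Review bot: The bind mount on the `RUN --mount=type=bind,from=busybox:latest,source=/bin,target=/bin` line takes the `adduser` and `ln` binaries that write this image's account database from an unpinned, mutable tag, so the build is not reproducible and a changed upstream image silently changes what ends up in `/etc/passwd`; pin it, e.g. `from=busybox:<VERSION>@sha256:<DIGEST>` (placeholder values). The new `adduser` call also drops the explicit `1000:1000` that the removed `echo` lines wrote: BusyBox `adduser` picks the first free UID from 1000 upward, which in a `scratch` image is most likely 1000 again, but a runtime that verifies `runAsNonRoot` against a numeric UID is better served by stating it, `/bin/adduser -D -u 1000 -s /bin/bash testssl`. Since `target=/bin` overlays the image's own `/bin` for the duration of this `RUN`, nothing from the copied `INSTALL_ROOT` is on the path during that step; this looks intentional but deserves a comment above the line, e.g. `# busybox /bin is mounted over the image's /bin only for this step`.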