From 452baddd16cc6ba61a073837d6f0f5c1246f7c8c Mon Sep 17 00:00:00 2001
From: Peter Levart
Date: Thu, 3 Jul 2025 22:43:37 +0200
Subject: [PATCH 1/2] fix permissions of files to allow running as non-root
---
 Dockerfile | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index d5098ae8f8a..3e563a007d1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -24,14 +24,16 @@ ENV API_KEY="**None**" \
 CORS="true" \
 EMBEDDING="false"
-COPY --chown=nginx:nginx --chmod=0666 ./docker/default.conf.template ./docker/cors.conf ./docker/embedding.conf /etc/nginx/templates/
+COPY --chmod=0644 ./docker/default.conf.template ./docker/cors.conf ./docker/embedding.conf /etc/nginx/templates/
 COPY --chmod=0666 ./dist/* /usr/share/nginx/html/
-COPY --chmod=0555 ./docker/docker-entrypoint.d/ /docker-entrypoint.d/
-COPY --chmod=0666 ./docker/configurator /usr/share/nginx/configurator
+COPY --chmod=0755 ./docker/docker-entrypoint.d/ /docker-entrypoint.d/
+COPY --chmod=0644 ./docker/configurator /usr/share/nginx/configurator
 # Simulates running NGINX as a non root; in future we want to use nginxinc/nginx-unprivileged.
 # In future we will have separate unpriviledged images tagged as v5.1.2-unprivileged.
-RUN chmod 777 /usr/share/nginx/html/ /etc/nginx/conf.d/ /etc/nginx/conf.d/default.conf /var/cache/nginx/ /var/run/
+RUN chmod 777 /etc/nginx/conf.d/ /usr/share/nginx/html/ /var/cache/nginx/ /var/run/ && \
+ chmod 666 /etc/nginx/conf.d/default.conf /usr/share/nginx/html/swagger-initializer.js && \
+ chmod 755 /etc/nginx/templates /usr/share/nginx/configurator
 EXPOSE 8080
From 972ff8b7f8caf9742a9d8d9bfafd91ee73e89627 Mon Sep 17 00:00:00 2001
From: Peter Levart
Date: Thu, 3 Jul 2025 23:06:14 +0200
Subject: [PATCH 2/2] files in /usr/share/nginx/html/ don't need to be overwritten except one: swagger-initializer.js
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 3e563a007d1..27e167a9fdd 100644
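Review bot: In the first patch's `RUN chmod 777 /etc/nginx/conf.d/ /usr/share/nginx/html/ /var/cache/nginx/ /var/run/`, the web root and the nginx config directory stay world-writable, and write permission on a directory is enough to delete or replace a file inside it whatever that file's own mode is. The 0644 modes on the `COPY --chmod` lines (and on `./dist/*` in the second patch) therefore do not by themselves keep an unprivileged process in the container from swapping served files or `default.conf`. If the entrypoint scripts only rewrite `default.conf` and `swagger-initializer.js` in place (they are not visible here), `conf.d/` and `html/` could be 755 with just those two files left at 666. Failing that, a comment above the `RUN` naming the startup step that needs each writable path would keep the remaining 777 entries auditable.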
--- a/Dockerfile
+++ b/Dockerfile
@@ -26,7 +26,7 @@ ENV API_KEY="**None**" \
 COPY --chmod=0644 ./docker/default.conf.template ./docker/cors.conf ./docker/embedding.conf /etc/nginx/templates/
-COPY --chmod=0666 ./dist/* /usr/share/nginx/html/
+COPY --chmod=0644 ./dist/* /usr/share/nginx/html/
 COPY --chmod=0755 ./docker/docker-entrypoint.d/ /docker-entrypoint.d/
 COPY --chmod=0644 ./docker/configurator /usr/share/nginx/configurator
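Review bot: `COPY --chmod=0644 ./dist/* /usr/share/nginx/html/` applies the mode to every matched entry, directories included, so a subdirectory under `dist/` would be copied without its search bit and nginx running as a non-root user could not serve anything beneath it. The first patch already compensates for this on two top-level directories with `chmod 755 /etc/nginx/templates /usr/share/nginx/configurator`, but nothing does so for entries under `dist/` or for directories nested inside `./docker/configurator`. Whether either tree contains subdirectories is not visible in the hunk. If they can, restoring 755 on nested directories in the existing `RUN` would cover it; otherwise a comment such as `# dist/ is flat: --chmod=0644 would strip x from any subdirectory` records the assumption.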