[FEATURE] Container privilege de-escalation (#1370)

* support for running as non-root

* forgot to save file

* removed write perms for user on entrypoint script

* preserve existing user behavior

* fix entrypoint permissions to account for non-root user

* typo in chmod on line 63

* better entrypoint script; moved to root

* execute bit

* support for running as non-root

* forgot to save file

* removed write perms for user on entrypoint script

* preserve existing user behavior

* fix entrypoint permissions to account for non-root user

* typo in chmod on line 63

* better entrypoint script; moved to root

* execute bit

* very rough draft documentation

* added missing header

* typo changes -> changed

* Update entrypoint.sh

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>

* Apply suggestions from code review

looks good

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>

Dockerfile

@@ -51,16 +51,20 @@ GOOS=linux GOARCH=amd64 CGO_ENABLED=1 go build -tags netgo -ldflags '-s -w -link
 # ===================================
 FROM alpine:3.12.0
 
-RUN apk --no-cache add ca-certificates tzdata
+COPY --from=builder-backend /go/src/app/cmd/authelia/authelia ./
+COPY ./entrypoint.sh /usr/local/bin/entrypoint.sh
+
+RUN apk --no-cache add ca-certificates su-exec tzdata
 
 WORKDIR /app
 
-COPY --from=builder-backend /go/src/app/cmd/authelia/authelia ./
-
 EXPOSE 9091
 
 VOLUME /config
 
 ENV PATH="/app:${PATH}"
+ENV PUID=0
+ENV PGID=0
 
-CMD ["authelia", "--config", "/config/configuration.yml"]
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
+CMD ["--config", "/config/configuration.yml"]

Dockerfile.arm32v7

@@ -55,18 +55,21 @@ GOOS=linux GOARCH=arm CGO_ENABLED=1 CC=arm-linux-musleabihf-gcc go build -tags n
 FROM arm32v7/alpine:3.12.0
 
 COPY ./qemu-arm-static /usr/bin/qemu-arm-static
+COPY --from=builder-backend /go/src/app/cmd/authelia/authelia ./
+COPY ./entrypoint.sh /usr/local/bin/entrypoint.sh
 
-RUN apk --no-cache add ca-certificates tzdata && \
+RUN apk --no-cache add ca-certificates su-exec tzdata && \
     rm /usr/bin/qemu-arm-static
 
 WORKDIR /app
 
-COPY --from=builder-backend /go/src/app/cmd/authelia/authelia ./
-
 EXPOSE 9091
 
 VOLUME /config
 
 ENV PATH="/app:${PATH}"
+ENV PUID=0
+ENV PGID=0
 
-CMD ["authelia", "--config", "/config/configuration.yml"]
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
+CMD ["--config", "/config/configuration.yml"]

Dockerfile.arm64v8

@@ -55,18 +55,21 @@ GOOS=linux GOARCH=arm64 CGO_ENABLED=1 CC=aarch64-linux-musl-gcc go build -tags n
 FROM arm64v8/alpine:3.12.0
 
 COPY ./qemu-aarch64-static /usr/bin/qemu-aarch64-static
+COPY --from=builder-backend /go/src/app/cmd/authelia/authelia ./
+COPY ./entrypoint.sh /usr/local/bin/entrypoint.sh
 
-RUN apk --no-cache add ca-certificates tzdata && \
+RUN apk --no-cache add ca-certificates su-exec tzdata && \
     rm /usr/bin/qemu-aarch64-static
 
 WORKDIR /app
 
-COPY --from=builder-backend /go/src/app/cmd/authelia/authelia ./
-
 EXPOSE 9091
 
 VOLUME /config
 
 ENV PATH="/app:${PATH}"
+ENV PUID=0
+ENV PGID=0
 
-CMD ["authelia", "--config", "/config/configuration.yml"]
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
+CMD ["--config", "/config/configuration.yml"]

docs/security/measures.md

@@ -206,3 +206,61 @@ chain = DOCKER-USER
 If you are not using Docker remove the the line "chain = DOCKER-USER"
 
 Finally, restart the fail2ban service.
+
+## Container privilege de-escalation
+
+Authelia will run as root by default, there are two options to run as a non-root user. The first option is to use the
+Docker `--user` option on the command line or in docker-compose. The second option is to use the `PUID` and `PGID`
+environment variables. An added benefit of using the environment variables is the mounted volumes ownership will automatically
+be changed for you.
+
+### Docker user option
+
+With the Docker `--user` option, Docker will ensure Authelia is running as the user id and group id you specify.
+In order to use this option, you will need to mount the `/config` volume to a directory on the host and set
+the owner and group of that directory to the same user you supplied to docker. Running Authelia with `--user`
+without mounting a volume to `/config` or incorrectly setting the host systems directory owner will cause Authelia
+to exit immediately. The docker `--user` option will take precedence over the environment variables.
+
+On the command line, you would create your Authelia data directory, change ownership to your non-root user
+and run Authelia with `--user` set:
+```
+mkdir /authelia
+chown user:group /authelia
+docker run --user user:group -v /authelia:/config authelia/authelia:latest
+```
+
+As a docker-compose.yml file:
+```
+version: '3.8'
+services:
+  authelia:
+    image: authelia/authelia
+    container_name: authelia
+    user: 1000:1000
+    volumes:
+      - ./authelia:/config
+```
+
+### PUID/PGID environment variables
+
+If you choose to use the environment variables, the correct ownership will be applied automatically on startup of
+the container, so there's no need to `chown` before running, to use this on the command line use the following:
+
+```
+docker run -e PUID=1000 -e PGID=1000 -v /authelia:/config authelia:authelia:latest
+```
+
+As a docker-compose.yml file:
+```
+version: '3.8'
+services:
+  authelia:
+    image: authelia/authelia
+    container_name: authelia
+    environment:
+      PUID: 1000
+      PGID: 1000
+    volumes:
+      - ./authelia:/config
+```

entrypoint.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+if [[ ! -z ${1} ]] && [[ ${1} != "--config" ]]; then
+  exec "$@"
+elif [[ $(id -u) != 0 ]] || [[ $(id -g) != 0 ]]; then
+  exec authelia "$@"
+else
+  chown -R ${PUID}:${PGID} /config
+  exec su-exec ${PUID}:${PGID} authelia "$@"
+fi