add user-IDs to all containers

Signed-off-by: Simon L. <szaimen@e.mail.de>
2025-09-18 04:25:59 +08:00 · 2024-11-06 14:29:18 +01:00 · 2024-11-06 14:29:18 +01:00 · faecc028fe
commit faecc028fe
parent 5499bc8a5d
11 changed files with 24 additions and 10 deletions
--- a/Containers/apache/Dockerfile
+++ b/Containers/apache/Dockerfile
@ -81,7 +81,7 @@ RUN set -ex; \
    \
    echo "root:$(openssl rand -base64 12)" | chpasswd

-USER www-data
+USER 33

 ENTRYPOINT ["/start.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
--- a/Containers/clamav/Dockerfile
+++ b/Containers/clamav/Dockerfile
@ -19,7 +19,7 @@ RUN set -ex; \

 VOLUME /var/lib/clamav

-USER clamav
+USER 100

 LABEL com.centurylinklabs.watchtower.enable="false"

--- a/Containers/imaginary/Dockerfile
+++ b/Containers/imaginary/Dockerfile
@ -33,7 +33,7 @@ COPY --chmod=775 start.sh /start.sh

 ENV PORT=9000

-USER nobody
+USER 65534

 # https://github.com/h2non/imaginary#memory-issues
 ENV MALLOC_ARENA_MAX=2
--- a/Containers/postgresql/Dockerfile
+++ b/Containers/postgresql/Dockerfile
@ -39,7 +39,7 @@ RUN set -ex; \

 VOLUME /mnt/data

-USER postgres
+USER 999
 ENTRYPOINT ["/start.sh"]

 HEALTHCHECK CMD /healthcheck.sh
--- a/Containers/redis/Dockerfile
+++ b/Containers/redis/Dockerfile
@ -14,7 +14,7 @@ RUN set -ex; \
 # Get rid of unused binaries
    rm -f /usr/local/bin/gosu;

-USER redis
+USER 999
 ENTRYPOINT ["/start.sh"]

 HEALTHCHECK CMD redis-cli -a $REDIS_HOST_PASSWORD PING || exit 1
--- a/Containers/talk-recording/Dockerfile
+++ b/Containers/talk-recording/Dockerfile
@ -28,7 +28,7 @@ RUN set -ex; \
        build-base \
        linux-headers \
        geckodriver; \
-    useradd -d /tmp --system recording; \
+    useradd -d /tmp --system recording -u 1000; \
 # Give root a random password
    echo "root:$(openssl rand -base64 12)" | chpasswd; \
    git clone --recursive https://github.com/nextcloud/nextcloud-talk-recording --depth=1 --single-branch --branch "$RECORDING_VERSION" /src; \
@ -49,7 +49,7 @@ RUN set -ex; \
        linux-headers;

 WORKDIR /tmp
-USER recording
+USER 1000
 ENTRYPOINT ["/start.sh"]
 CMD ["python", "-m", "nextcloud.talk.recording", "--config", "/conf/recording.conf"]

--- a/Containers/talk/Dockerfile
+++ b/Containers/talk/Dockerfile
@ -99,7 +99,7 @@ RUN set -ex; \
    ln -s /opt/eturnal/bin/stun /usr/local/bin/stun; \
    ln -s /opt/eturnal/bin/eturnalctl /usr/local/bin/eturnalctl

-USER eturnal
+USER 1000
 ENTRYPOINT ["/start.sh"]
 CMD ["supervisord", "-c", "/supervisord.conf"]

--- a/Containers/whiteboard/Dockerfile
+++ b/Containers/whiteboard/Dockerfile
@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:latest
 FROM ghcr.io/nextcloud-releases/whiteboard:v1.0.4

-USER root
+USER 65534
 RUN set -ex; \
    apk upgrade --no-cache -a; \
    apk add --no-cache bash
--- a/manual-install/update-yaml.sh
+++ b/manual-install/update-yaml.sh
@ -19,6 +19,7 @@ OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].backup_volumes)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].nextcloud_exec_commands)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].image_tag)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].networks)')"
+OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].documentation)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "nextcloud-aio-watchtower"))')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "nextcloud-aio-domaincheck"))')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "nextcloud-aio-borgbackup"))')"
--- a/php/containers-schema.json
+++ b/php/containers-schema.json
@ -68,6 +68,9 @@
 					"stop_grace_period": {
 						"type": "integer"
 					},
+					"user": {
+						"type": "integer"
+					},
 					"ports": {
 						"type": "array",
 						"items": {
--- a/php/containers.json
+++ b/php/containers.json
@ -13,6 +13,7 @@
      ],
      "display_name": "Apache",
      "image": "nextcloud/aio-apache",
+      "user": 33,
      "init": true,
      "ports": [
        {
@ -78,6 +79,7 @@
      "image_tag": "%AIO_CHANNEL%",
      "display_name": "Database",
      "image": "nextcloud/aio-postgresql",
+      "user": 999,
      "init": true,
      "expose": [
        "5432"
@ -251,6 +253,7 @@
      "image_tag": "%AIO_CHANNEL%",
      "display_name": "Notify Push",
      "image": "nextcloud/aio-notify-push",
+      "user": 33,
      "init": true,
      "expose": [
        "7867"
@ -292,6 +295,7 @@
      "image_tag": "%AIO_CHANNEL%",
      "display_name": "Redis",
      "image": "nextcloud/aio-redis",
+      "user": 999,
      "init": true,
      "expose": [
        "6379"
@ -328,6 +332,7 @@
      "documentation": "https://github.com/nextcloud/all-in-one/discussions/1358",
      "display_name": "Collabora",
      "image": "nextcloud/aio-collabora",
+      "user": 100,
      "init": true,
      "expose": [
        "9980"
@ -366,6 +371,7 @@
      "documentation": "https://github.com/nextcloud/all-in-one/discussions/1358",
      "display_name": "Talk",
      "image": "nextcloud/aio-talk",
+      "user": 1000,
      "init": true,
      "ports": [
        {
@ -422,6 +428,7 @@
      "image_tag": "%AIO_CHANNEL%",
      "display_name": "Talk Recording",
      "image": "nextcloud/aio-talk-recording",
+      "user": 1000,
      "init": true,
      "expose": [
        "1234"
@ -575,6 +582,7 @@
      "image_tag": "%AIO_CHANNEL%",
      "display_name": "ClamAV",
      "image": "nextcloud/aio-clamav",
+      "user": 100,
      "init": false,
      "expose": [
        "3310"
@ -655,6 +663,7 @@
      "image_tag": "%AIO_CHANNEL%",
      "display_name": "Imaginary",
      "image": "nextcloud/aio-imaginary",
+      "user": 65534,
      "init": true,
      "expose": [
        "9000"
@ -760,6 +769,7 @@
      "image_tag": "%AIO_CHANNEL%",
      "display_name": "Whiteboard",
      "image": "nextcloud/aio-whiteboard",
+      "user": 65534,
      "init": true,
      "expose": [
        "3002"