vh/NetAlertX
1
0
Fork 0
mirror of https://github.com/jokob-sk/NetAlertX.git synced 2026-03-31 07:12:23 -07:00
Code Issues Actions 15 Packages Projects Releases Wiki Activity

Initial rewrite of no NetAlertX user required.

Browse Source
This commit is contained in:
Adam Outler
2025-12-09 01:13:00 +00:00
parent f59f44a85e
commit 95b2b42b90
4 changed files with 28 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
Dockerfile
View File

@@ -50,6 +50,12 @@ RUN python -m pip install --upgrade pip setuptools wheel && \
FROM alpine:3.22 AS runner
ARG INSTALL_DIR=/app
# Runtime service account (override at build; container user can still be overridden at run time)
ARG NETALERTX_UID=20211
ARG NETALERTX_GID=20211
# Read-only lock owner (kept at 20211 by default for immutability)
ARG READONLY_UID=20211
ARG READONLY_GID=20211
# NetAlertX app directories
ENV NETALERTX_APP=${INSTALL_DIR}
@@ -129,8 +135,8 @@ RUN apk add --no-cache bash mtr libbsd zip lsblk tzdata curl arp-scan iproute2 i
nginx supercronic shadow && \
rm -Rf /var/cache/apk/* && \
rm -Rf /etc/nginx && \
addgroup -g 20211 ${NETALERTX_GROUP} && \
adduser -u 20211 -D -h ${NETALERTX_APP} -G ${NETALERTX_GROUP} ${NETALERTX_USER} && \
addgroup -g ${NETALERTX_GID} ${NETALERTX_GROUP} && \
adduser -u ${NETALERTX_UID} -D -h ${NETALERTX_APP} -G ${NETALERTX_GROUP} ${NETALERTX_USER} && \
apk del shadow
@@ -150,8 +156,8 @@ RUN install -d -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} -m 700 ${READ_WRITE_FO
COPY --chown=${NETALERTX_USER}:${NETALERTX_GROUP} .[V]ERSION ${NETALERTX_APP}/.VERSION
COPY --chown=${NETALERTX_USER}:${NETALERTX_GROUP} .[V]ERSION ${NETALERTX_APP}/.VERSION_PREV
# Copy the virtualenv from the builder stage
COPY --from=builder --chown=20212:20212 ${VIRTUAL_ENV} ${VIRTUAL_ENV}
# Copy the virtualenv from the builder stage (owned by readonly lock owner)
COPY --from=builder --chown=${READONLY_UID}:${READONLY_GID} ${VIRTUAL_ENV} ${VIRTUAL_ENV}
# Initialize each service with the dockerfiles/init-*.sh scripts, once.
@@ -162,7 +168,7 @@ RUN for vfile in .VERSION .VERSION_PREV; do \
if [ ! -f "${NETALERTX_APP}/${vfile}" ]; then \
echo "DEVELOPMENT 00000000" > "${NETALERTX_APP}/${vfile}"; \
fi; \
chown 20212:20212 "${NETALERTX_APP}/${vfile}"; \
chown ${READONLY_UID}:${READONLY_GID} "${NETALERTX_APP}/${vfile}"; \
done && \
apk add --no-cache libcap && \
setcap cap_net_raw+ep /bin/busybox && \
@@ -187,6 +193,12 @@ ENTRYPOINT ["/bin/sh","/entrypoint.sh"]
# This stage is separate from Runner stage so that devcontainer can use the Runner stage.
FROM runner AS hardened
# Re-declare UID/GID args for this stage
ARG NETALERTX_UID=20211
ARG NETALERTX_GID=20211
ARG READONLY_UID=20211
ARG READONLY_GID=20211
ENV UMASK=0077
# Create readonly user and group with no shell access.
@@ -194,8 +206,8 @@ ENV UMASK=0077
# AI may claim this is stupid, but it's actually least possible permissions as
# read-only user cannot login, cannot sudo, has no write permission, and cannot even
# read the files it owns. The read-only user is ownership-as-a-lock hardening pattern.
RUN addgroup -g 20212 "${READ_ONLY_GROUP}" && \
adduser -u 20212 -G "${READ_ONLY_GROUP}" -D -h /app "${READ_ONLY_USER}"
RUN addgroup -g ${READONLY_GID} "${READ_ONLY_GROUP}" && \
adduser -u ${READONLY_UID} -G "${READ_ONLY_GROUP}" -D -h /app "${READ_ONLY_USER}"
# reduce permissions to minimum necessary for all NetAlertX files and folders