
Don't use DATADIR

We need to make sure the path to the home directory is all root-owned as
per the sshd_config man page (ChrootDirectory option). So just ditch all
that and force the /home/data path, but chown/chmod everything below
it to the UID/GID requested.
master
parent
commit
1414e707e6
  1. 8
      Dockerfile
  2. 6
      entrypoint.sh

8
Dockerfile

@ -2,15 +2,14 @@ @@ -2,15 +2,14 @@
# This image is designed to collaborate with the Docker Hub image httpd:2.4
FROM debian:stable
ENV DATADIR=/usr/local/apache2/htdocs AUTHORIZED_KEYS_FILE=/authorized_keys USERID=33 GROUPID=33 OWNER=data
ENV AUTHORIZED_KEYS_FILE=/authorized_keys USERID=33 GROUPID=33
RUN apt update \
&& apt install -y openssh-server
RUN rm -f /etc/ssh/ssh_host_* \
&& groupadd --non-unique --gid $GROUPID data \
&& useradd --non-unique --uid $USERID --gid $GROUPID --no-create-home --home-dir $DATADIR $OWNER \
&& mkdir -p "$DATADIR" \
&& chown $OWNER "$DATADIR" \
&& useradd --non-unique --uid $USERID --gid $GROUPID --no-create-home --home-dir /home/data $OWNER \
&& mkdir -p /home/data \
&& mkdir -p /etc/ssh/host_keys/ \
&& echo "AuthorizedKeysFile $AUTHORIZED_KEYS_FILE" >> /etc/ssh/sshd_config \
&& echo "HostKey /etc/ssh/host_keys/ssh_host_ecdsa_key" >> /etc/ssh/sshd_config \
@ -29,5 +28,6 @@ ADD entrypoint.sh / @@ -29,5 +28,6 @@ ADD entrypoint.sh /
EXPOSE 22
VOLUME /etc/ssh/host_keys
VOLUME /home/data
CMD ["/entrypoint.sh"]
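Review bot: The new ENV line in the first hunk drops `OWNER=data`, yet the new useradd line still ends with `$OWNER` and entrypoint.sh keeps using `"$OWNER"` in usermod and chown; unless OWNER is declared somewhere outside this hunk, the unquoted empty variable leaves useradd without a login name and the RUN step fails at build time. Restoring it keeps the rest of the commit working: `ENV AUTHORIZED_KEYS_FILE=/authorized_keys USERID=33 GROUPID=33 OWNER=data`. The commit message also promises a chmod below /home/data, but neither hunk sets any mode; what ChrootDirectory actually requires is that /home/data itself be root-owned and not group- or world-writable, which `mkdir -p /home/data` run as root already provides, so that intent deserves a comment on the mkdir line such as `# keep /home/data root-owned and not group/world-writable: required by sshd ChrootDirectory`. The RUN chain of the first hunk continues past the lines shown here.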

6
entrypoint.sh

@ -6,12 +6,12 @@ @@ -6,12 +6,12 @@
[ ! -f /etc/ssh/host_keys/ssh_host_ed25519_key ] && ssh-keygen -t ed25519 -f /etc/ssh/host_keys/ssh_host_ed25519_key
# Copy authorized keys from ENV variable
echo "$AUTHORIZED_KEYS" >$AUTHORIZED_KEYS_FILE
echo "$AUTHORIZED_KEYS" > $AUTHORIZED_KEYS_FILE
groupmod --non-unique --gid "$GROUPID" data
usermod --non-unique --home "$DATADIR" --uid "$USERID" --gid "$GROUPID" "$OWNER"
usermod --non-unique --uid "$USERID" --gid "$GROUPID" "$OWNER"
# Chown data folder (if mounted as a volume for the first time)
chown "${OWNER}:data" "$DATADIR"
chown -R "${OWNER}:data" "/home/data/*"
chown "${OWNER}:data" $AUTHORIZED_KEYS_FILE
# Run sshd on container start
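Review bot: On the new chown line the `*` sits inside the double quotes, so the shell passes the literal path `/home/data/*` and chown reports "No such file or directory" instead of re-owning the volume contents (and aborts the script if it runs under `set -e`, which would be outside this hunk). Moving the `*` out of the quotes is not enough either: on a freshly mounted empty volume the unmatched pattern is passed literally and fails the same way, and dotfiles are skipped. A form that handles both, and still leaves /home/data itself root-owned as ChrootDirectory requires, is `find /home/data -mindepth 1 -exec chown "${OWNER}:data" {} +`. The commit message mentions a chmod as well, but none is added here; the script continues after this hunk.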
