container: Drop privileges

A container is best served with the least amount of privileges. This also ensures we don't have to drop anything later. This does require running the container with elevated capabilities. Note, that if for whatever reason, 'root' access within the container is needed, this can easily be accomplished by running the container with `docker run --user root:root sslh` for example. Signed-off-by: Olliver Schinagl <[email protected]>
thinkst-cs · Jun 5, 2023 · 9dd5604 · 9dd5604
1 parent db5ed29
commit 9dd5604
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 0 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -22,3 +22,5 @@ RUN apk --no-cache add libconfig pcre2
 
 COPY "./container-entrypoint.sh" "/init"
 ENTRYPOINT [ "/init" ]
+
+USER nobody:nogroup
diff --git a/README.md b/README.md
@@ -47,6 +47,8 @@ How to use
 
 ```bash
 docker run \
+  --cap-add CAP_NET_RAW \
+  --cap-add CAP_NET_BIND_SERVICES \
   --rm \
   -it \
   ghcr.io/yrutschle/sslh:latest \
Original file line number	Diff line number	Diff line change
Expand Up		@@ -22,3 +22,5 @@ RUN apk --no-cache add libconfig pcre2

		COPY "./container-entrypoint.sh" "/init"
		ENTRYPOINT [ "/init" ]

		USER nobody:nogroup