Dropped privileges from root to nobody, added capabilities with capsh

2022-08-02 13:13:58 +00:00
parent 41033c599e
commit 02ae916f58
4 changed files with 22 additions and 13 deletions
--- a/backend/docker-entrypoint.sh
+++ b/backend/docker-entrypoint.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+chown nobody:nobody -R /execute/
+
+capsh --caps="cap_net_admin+eip cap_setpcap,cap_setuid,cap_setgid+ep" \
+    --keep=1 --user=nobody --addamb=cap_net_admin -- \
+    -c "python3 /execute/app.py DOCKER"
+
+