More secure Dockerfile

* Drop privileges and run as `nobody:nobody`.
* Chroot into `/var/www/htdocs`.
* Compile with hardening options.

Dockerfile

@@ -3,14 +3,35 @@ FROM alpine AS build
 RUN apk add --no-cache build-base
 WORKDIR /src
 COPY . .
+
+# Hardening GCC opts taken from these sources:
+# https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
+# https://security.stackexchange.com/q/24444/204684
+ENV CFLAGS=" \
+  -static                                 \
+  -O2                                     \
+  -flto                                   \
+  -D_FORTIFY_SOURCE=2                     \
+  -fstack-clash-protection                \
+  -fstack-protector-strong                \
+  -pipe                                   \
+  -Wall                                   \
+  -Werror=format-security                 \
+  -Werror=implicit-function-declaration   \
+  -Wl,-z,defs                             \
+  -Wl,-z,now                              \
+  -Wl,-z,relro                            \
+  -Wl,-z,noexecstack                      \
+"
 RUN make darkhttpd-static \
  && strip darkhttpd-static
 
 # Just the static binary
 FROM scratch
 WORKDIR /var/www/htdocs
-COPY --from=build /src/darkhttpd-static /darkhttpd
+COPY --from=build --chown=0:0 /src/darkhttpd-static /darkhttpd
+COPY --chown=0:0 passwd /etc/passwd
+COPY --chown=0:0 group /etc/group
 EXPOSE 80
 ENTRYPOINT ["/darkhttpd"]
-CMD ["."]
+CMD [".", "--chroot", "--uid", "nobody", "--gid", "nobody"]
-

group

@@ -0,0 +1 @@
+nobody:x:65534:

passwd

@@ -0,0 +1 @@
+nobody:x:65534:65534:nobody:/var/www/htdocs:/darkhttpd