More secure Dockerfile

* Drop privileges and run as `nobody:nobody`. * Chroot into `/var/www/htdocs`. * Compile with hardening options.
2023-08-10 21:13:08 +03:00 · 2022-11-25 16:47:28 -03:00 · 2022-11-25 16:47:28 -03:00 · 6d5299e7da
commit 6d5299e7da
parent defc1e8ce9
3 changed files with 26 additions and 3 deletions
--- a/27
+++ b/27
@ -3,14 +3,35 @@ FROM alpine AS build
 RUN apk add --no-cache build-base
 WORKDIR /src
 COPY . .
+
+# Hardening GCC opts taken from these sources:
+# https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
+# https://security.stackexchange.com/q/24444/204684
+ENV CFLAGS=" \
+  -static                                 \
+  -O2                                     \
+  -flto                                   \
+  -D_FORTIFY_SOURCE=2                     \
+  -fstack-clash-protection                \
+  -fstack-protector-strong                \
+  -pipe                                   \
+  -Wall                                   \
+  -Werror=format-security                 \
+  -Werror=implicit-function-declaration   \
+  -Wl,-z,defs                             \
+  -Wl,-z,now                              \
+  -Wl,-z,relro                            \
+  -Wl,-z,noexecstack                      \
+"
 RUN make darkhttpd-static \
 && strip darkhttpd-static

 # Just the static binary
 FROM scratch
 WORKDIR /var/www/htdocs
-COPY --from=build /src/darkhttpd-static /darkhttpd
+COPY --from=build --chown=0:0 /src/darkhttpd-static /darkhttpd
+COPY --chown=0:0 passwd /etc/passwd
+COPY --chown=0:0 group /etc/group
 EXPOSE 80
 ENTRYPOINT ["/darkhttpd"]
-CMD ["."]
-
+CMD [".", "--chroot", "--uid", "nobody", "--gid", "nobody"]
--- a/1
+++ b/1
@ -0,0 +1 @@
+nobody:x:65534:
--- a/1
+++ b/1
@ -0,0 +1 @@
+nobody:x:65534:65534:nobody:/var/www/htdocs:/darkhttpd
				`@ -0,0 +1 @@`
				`nobody:x:65534:65534:nobody:/var/www/htdocs:/darkhttpd`