mirror of
https://github.com/emikulic/darkhttpd.git
synced 2023-08-10 21:13:08 +03:00
6d5299e7da
* Drop privileges and run as `nobody:nobody`. * Chroot into `/var/www/htdocs`. * Compile with hardening options.
38 lines
1.2 KiB
Docker
38 lines
1.2 KiB
Docker
# Build environment
|
|
FROM alpine AS build
|
|
RUN apk add --no-cache build-base
|
|
WORKDIR /src
|
|
COPY . .
|
|
|
|
# Hardening GCC opts taken from these sources:
|
|
# https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
|
|
# https://security.stackexchange.com/q/24444/204684
|
|
ENV CFLAGS=" \
|
|
-static \
|
|
-O2 \
|
|
-flto \
|
|
-D_FORTIFY_SOURCE=2 \
|
|
-fstack-clash-protection \
|
|
-fstack-protector-strong \
|
|
-pipe \
|
|
-Wall \
|
|
-Werror=format-security \
|
|
-Werror=implicit-function-declaration \
|
|
-Wl,-z,defs \
|
|
-Wl,-z,now \
|
|
-Wl,-z,relro \
|
|
-Wl,-z,noexecstack \
|
|
"
|
|
RUN make darkhttpd-static \
|
|
&& strip darkhttpd-static
|
|
|
|
# Just the static binary
|
|
FROM scratch
|
|
WORKDIR /var/www/htdocs
|
|
COPY --from=build --chown=0:0 /src/darkhttpd-static /darkhttpd
|
|
COPY --chown=0:0 passwd /etc/passwd
|
|
COPY --chown=0:0 group /etc/group
|
|
EXPOSE 80
|
|
ENTRYPOINT ["/darkhttpd"]
|
|
CMD [".", "--chroot", "--uid", "nobody", "--gid", "nobody"]
|