Merge pull request #7 from komacke/harden-deployment

komacke · web-flow · commit 3093d83e1977 · 2026-03-21T18:49:55.000-07:00
Harden deployment
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -2,17 +2,32 @@
 ## REFER TO THE DOCUMENTATION FOR CONFIGURATION OF YOUR HAMCLOCK!
 FROM alpine:3.23
 ARG HC_SIZE
+ARG HC_UID
+ARG HC_GID
 
 USER root
-WORKDIR /root/hamclock
+WORKDIR /opt/hamclock
 # Install prerequisites
 RUN apk update && \
     apk add curl make g++ libx11-dev openssl unzip perl && \
     rm -rf /var/cache/apk/*
 
 # Install Hamclock
 COPY ESPHamClock/ ESPHamClock/
-RUN cd ESPHamClock && \
+COPY hamclock-contrib/ hamclock-contrib/
+COPY docker/run.sh ./
+COPY docker/backend_host ./
+RUN addgroup -g $HC_GID hamclock && \
+    adduser  -u $HC_UID -G hamclock -h /opt -HD -s /sbin/nologin hamclock && \
+    \
+    cp hamclock-contrib/hceeprom.pl ESPHamClock/ && \
+    chmod +x ESPHamClock/hceeprom.pl && \
+    chmod +x run.sh && \
+    \
+    mkdir /opt/.hamclock && \
+    chown -R hamclock:hamclock /opt/hamclock /opt/.hamclock && \
+    cd ESPHamClock && \
+    \
     if [ -n "$HC_SIZE" ]; then \
         make -j 4 hamclock-web-${HC_SIZE} && \
         make install && \
@@ -23,19 +38,10 @@ RUN cd ESPHamClock && \
             cp hamclock-web-$size /usr/local/bin/ && \
             make clean; \
         done; \
-        chown root /usr/local/bin/hamclock-web-* && \
-        chmod u+s /usr/local/bin/hamclock-web-*; \
+        chown hamclock /usr/local/bin/hamclock-web-*; \
     fi
 
-COPY hamclock-contrib/ hamclock-contrib/
-# Install Hamclock Contrib and move hceeprom to hamclock directory
-RUN cp hamclock-contrib/hceeprom.pl /root/hamclock/ESPHamClock && \
-    chmod +x /root/hamclock/ESPHamClock/hceeprom.pl
-
-# Copy runfile
-COPY docker/run.sh ./
-COPY docker/backend_host ./
-RUN chmod +x run.sh
+USER hamclock
 
-WORKDIR /root/hamclock/ESPHamClock
-CMD ["/root/hamclock/run.sh"]
+WORKDIR /opt/hamclock/ESPHamClock
+CMD ["/opt/hamclock/run.sh"]
diff --git a/docker/build-image.sh b/docker/build-image.sh
@@ -2,6 +2,8 @@
 
 # Variables to set
 IMAGE_BASE=komacke/hamclock
+HC_UID=1199
+HC_GID=1199
 
 # Don't set anything past here
 TAG=$(git describe --exact-match --tags 2>/dev/null)
@@ -135,9 +137,9 @@ build_image() {
     pushd "$HERE/.." >/dev/null
     echo $GIT_VERSION > git.version
     if [ $MULTI_PLATFORM == true ]; then
-        docker buildx build $NOCACHE_ARG --pull $SET_HC_SIZE -t $IMAGE -f docker/Dockerfile --platform linux/amd64,linux/arm64 --push .
+        docker buildx build $NOCACHE_ARG --pull --build-arg HC_UID=$HC_UID --build-arg HC_GID=$HC_GID $SET_HC_SIZE -t $IMAGE -f docker/Dockerfile --platform linux/amd64,linux/arm64 --push .
     else
-        docker build $NOCACHE_ARG --pull $SET_HC_SIZE -t $IMAGE -f docker/Dockerfile .
+        docker build $NOCACHE_ARG --pull --build-arg HC_UID=$HC_UID --build-arg HC_GID=$HC_GID $SET_HC_SIZE -t $IMAGE -f docker/Dockerfile .
     fi
     rm -f git.version
     RETVAL=$?
diff --git a/docker/manage-hc-docker.sh b/docker/manage-hc-docker.sh
@@ -8,6 +8,7 @@ IMAGE_BASE=komacke/hamclock
 # Get our directory locations in order
 HERE="$(realpath -s "$(dirname "$0")" 2>/dev/null)"
 [ -z "$HERE" ] && HERE="$(realpath "$(dirname "$0")")"
+REL_HERE="$(dirname "$0")"
 THIS="$(basename "$0")"
 STARTED_FROM="$PWD"
 cd $HERE
@@ -24,6 +25,8 @@ DEFAULT_BACKEND_HOST=-
 DEFAULT_HC_SIZE=-
 # the following env is the lighttpd env file
 DEFAULT_HC_EEPROM=hc.settings
+HC_UID=1199
+HC_GID=1199
 
 # the following env is for sticky settings
 STICKY_ENV_FILE=$DOCKER_PROJECT.env
@@ -413,7 +416,7 @@ docker_compose_up() {
         docker_compose_yml && docker compose -f <(echo "$DOCKER_COMPOSE_YML") create
         RETVAL=$?
         [ $RETVAL -ne 0 ] && return $RETVAL
-        docker compose $INITIAL_CONFIG_FILE -f <(echo "$DOCKER_COMPOSE_YML") up -d
+        docker compose -f <(echo "$DOCKER_COMPOSE_YML") up -d
         RETVAL=$?
     fi
 
@@ -687,7 +690,75 @@ determine_eeprom_file() {
     if [ ! -e "$HC_EEPROM" ]; then
         touch "$HC_EEPROM"
         if [ -r "$HERE/config.env" ]; then
-            INITIAL_CONFIG_FILE="--env-file $HERE/config.env"
+            INITIAL_CONFIG_FILE="env_file:
+      - $HERE/config.env"
+        fi
+    fi
+
+    hc_settings_perms
+}
+
+# checking if the HC_EEPROM file is writable by the user in the container. If not the
+# container will crash and we need to fix it.
+hc_settings_perms() {
+    # hc.settings needs to be writable by user 1199:1199
+    HC_PERMS=$(stat -c '%a' "$HC_EEPROM")
+
+    # who owns it
+    HC_OWN=$(stat -c '%u' "$HC_EEPROM")
+    HC_GRP=$(stat -c '%g' "$HC_EEPROM")
+
+    CAN_ACCESS=false
+
+    # test for u+rw
+    if [[ "$HC_OWN" == "$HC_UID" && "$HC_PERMS" == [67]?? ]]; then
+        CAN_ACCESS=true
+
+    # test for g+rw
+    elif [[ "$HC_GRP" == "$HC_GID" && "$HC_PERMS" == ?[67]? ]]; then
+        CAN_ACCESS=true
+
+    # test for o+rw
+    elif [[ "$HC_PERMS" == ??[67] ]]; then
+        CAN_ACCESS=true
+
+    # otherwise try to fix it
+    else
+
+        # set o+rw
+        chmod o+rw "$HC_EEPROM" >/dev/null 2>&1
+        PERM_RETVAL=$?
+
+        # if we couldn't set it, we can copy it, delete the original and
+        # set the perms
+        if [ $PERM_RETVAL -ne 0 ]; then
+
+            # we can do it if the container isn't holding the fh
+            get_current_image_tag
+            if [ "$CURRENT_DOCKER_IMAGE" == null ]; then
+                cp "$HC_EEPROM" "$HC_EEPROM.tmp"
+                rm -f "$HC_EEPROM"
+                mv "$HC_EEPROM.tmp" "$HC_EEPROM"
+                chmod o+rw $HC_EEPROM >/dev/null 2>&1
+                PERM_RETVAL=$?
+                if [ $PERM_RETVAL -eq 0 ]; then
+                    CAN_ACCESS=true
+                else
+                    CAN_ACCESS=false
+                fi
+
+            # otherwise we need to take harsher measures.
+            else
+                CAN_ACCESS=false
+            fi
+        fi
+    fi
+
+    # take harsher measures - down the container and don't cause an infinite loop
+    if [ $CAN_ACCESS == false ]; then
+        if [ ${FUNCNAME[3]} != docker_compose_down ]; then
+            docker_compose_down
+            [ ${FUNCNAME[1]} != hc_settings_perms ] && hc_settings_perms
         fi
     fi
 }
@@ -808,6 +879,7 @@ services:
       - UTC_OFFSET=0
       $DC_BACKEND_HOST
       $DC_HC_SIZE
+    $INITIAL_CONFIG_FILE
     container_name: $CONTAINER
     image: $IMAGE
     restart: unless-stopped
@@ -817,7 +889,7 @@ services:
     volumes:
       - type: bind
         source: $HC_EEPROM
-        target: /root/.hamclock/eeprom
+        target: /opt/.hamclock/eeprom
         bind:
           selinux: Z
     healthcheck:
diff --git a/docker/run.sh b/docker/run.sh
@@ -5,14 +5,14 @@ if [ -z "$HC_SIZE" ]; then
     HC_SIZE=2400x1440
 fi
 
-if [ -z "$BACKEND_HOST" -a -e /root/hamclock/backend_host ]; then
-    BACKEND_HOST="$(grep -v '^#' /root/hamclock/backend_host)"
+if [ -z "$BACKEND_HOST" -a -e /opt/hamclock/backend_host ]; then
+    BACKEND_HOST="$(grep -v '^#' /opt/hamclock/backend_host)"
 fi
 if [ -n "$BACKEND_HOST" ]; then
     BACKEND_ARG="-b $BACKEND_HOST"
 fi
 
-# these values only matter if there is not a /root/.hamclock/eeprom file.
+# these values only matter if there is not an /opt/.hamclock/eeprom file.
 perl hceeprom.pl NV_CALLSIGN $CALLSIGN && \
 perl hceeprom.pl NV_DE_GRID $LOCATOR && \
 perl hceeprom.pl NV_DE_LAT $LAT && \
