From 5624a5cd7203596ba520d637a9346bcee85a38bb Mon Sep 17 00:00:00 2001 From: labkey-willm Date: Thu, 16 Nov 2023 13:57:27 -0800 Subject: [PATCH 1/3] if DEBUG=1, add more tools/sudo and disable defanging --- Dockerfile | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 2c87013..052e9c7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -150,9 +150,17 @@ RUN [ -n "${DEBUG}" ] && set -x; \ gettext-base=0.21-4ubuntu4 \ unzip=6.0-26ubuntu3.1 \ ; \ - [ -n "${DEBUG}" ] && apt-get -yq --no-install-recommends install tree=2.0.2-1; \ + [ -n "${DEBUG}" ] && apt-get -yq --no-install-recommends install \ + iputils-ping=3:20211215-1 \ + less=590-1ubuntu0.22.04.1 \ + netcat=1.218-4ubuntu1 \ + postgresql-client=14+238 \ + sudo=1.9.9-1ubuntu2.4 \ + tree=2.0.2-1 \ + vim=2:8.2.3995-1ubuntu2.13 \ + ; \ apt-get -yq upgrade; \ - apt-get -yq clean all && rm -rf /var/lib/apt/lists/*; \ + [ -z "${DEBUG}" ] && apt-get -yq clean all && rm -rf /var/lib/apt/lists/*; \ \ groupadd -r labkey \ --gid=2005; \ @@ -163,9 +171,10 @@ RUN [ -n "${DEBUG}" ] && set -x; \ --shell=/bin/bash \ labkey; \ \ - chmod u-s /usr/bin/su /usr/bin/mount /usr/bin/chfn /usr/bin/gpasswd /usr/bin/newgrp /usr/bin/umount /usr/bin/chsh /usr/bin/passwd; \ - chmod g-s /usr/bin/expiry /usr/bin/chage /usr/bin/wall /usr/sbin/pam_extrausers_chkpwd /usr/sbin/unix_chkpwd; \ - rm -rfv /var/lib/apt/lists; \ + [ -n "${DEBUG}" ] && adduser labkey sudo && echo "labkey ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/labkey; \ + [ -z "${DEBUG}" ] && chmod u-s /usr/bin/su /usr/bin/mount /usr/bin/chfn /usr/bin/gpasswd /usr/bin/newgrp /usr/bin/umount /usr/bin/chsh /usr/bin/passwd; \ + [ -z "${DEBUG}" ] && chmod g-s /usr/bin/expiry /usr/bin/chage /usr/bin/wall /usr/sbin/pam_extrausers_chkpwd /usr/sbin/unix_chkpwd; \ + [ -z "${DEBUG}" ] && rm -rfv /var/lib/apt/lists; \ fi; \ \ mkdir -pv \ @@ -252,7 +261,7 @@ EXPOSE ${LABKEY_PORT} STOPSIGNAL SIGTERM # defang -RUN find / -xdev -perm /6000 -type f -exec chmod a-s {} \; || true +RUN [ -z "${DEBUG}" ] && find / -xdev -perm /6000 -type f -exec chmod a-s {} \; || true USER labkey From da22a5a292e5b291b08a0c220df1dcf74fec9e2b Mon Sep 17 00:00:00 2001 From: labkey-willm Date: Thu, 16 Nov 2023 14:02:55 -0800 Subject: [PATCH 2/3] hadolint fix --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 052e9c7..41d4497 100644 --- a/Dockerfile +++ b/Dockerfile @@ -261,7 +261,7 @@ EXPOSE ${LABKEY_PORT} STOPSIGNAL SIGTERM # defang -RUN [ -z "${DEBUG}" ] && find / -xdev -perm /6000 -type f -exec chmod a-s {} \; || true +RUN [ -z "${DEBUG}" ] && (find / -xdev -perm /6000 -type f -exec chmod a-s {} \; || true) USER labkey From 10293e22e86cf200f2a91f6ecf2979de29c52266 Mon Sep 17 00:00:00 2001 From: labkey-willm Date: Thu, 16 Nov 2023 14:07:57 -0800 Subject: [PATCH 3/3] ignore dockle warning about sudo --- .github/workflows/dockle_xeol.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dockle_xeol.yml b/.github/workflows/dockle_xeol.yml index 6d1e23a..2a8566b 100644 --- a/.github/workflows/dockle_xeol.yml +++ b/.github/workflows/dockle_xeol.yml @@ -28,7 +28,7 @@ jobs: format: 'list' exit-code: '1' exit-level: 'warn' - ignore: 'CIS-DI-0005,CIS-DI-0009,CIS-DI-0010' + ignore: 'CIS-DI-0005,CIS-DI-0009,CIS-DI-0010,DKL-DI-0001' - name: Run xeol on helloworld image uses: noqcks/xeol-action@v1.0.6 with: