Run container with a non-root user

It's one way to mitigate the CVE-2019-5736 Signed-off-by: hyunuktak <[email protected]>
project-chip · Aug 11, 2021 · 469be51 · 469be51
1 parent 3bc3620
commit 469be51
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/integrations/docker/images/chip-build-tizen/Dockerfile b/integrations/docker/images/chip-build-tizen/Dockerfile
@@ -1,6 +1,18 @@
 ARG VERSION=latest
 FROM connectedhomeip/chip-build:${VERSION}
 
+# ------------------------------------------------------------------------------
+# Add group/user for tizen
+ARG USER_NAME=tizen
+ARG USER_UID=1000
+ARG USER_GID=$USER_UID
+ENV USER_HOME /home/$USER_NAME
+
+RUN set -x \
+    && groupadd -g $USER_GID $USER_NAME \
+    && useradd -m $USER_NAME -s /bin/bash -u $USER_UID -g $USER_GID -G sudo -l \
+    && : # last line
+
 # ------------------------------------------------------------------------------
 # Install toolchain
 RUN set -x \
@@ -72,3 +84,8 @@ RUN set -x \
     && rm -rf data \
     && rm cross-arm-gcc-9.2_0.1.9_ubuntu-64.zip \
     && : # last line
+
+# ------------------------------------------------------------------------------
+# Switch to the non-root user
+USER $USER_NAME
+WORKDIR $USER_HOME