From 806ad4898c395e8580be8fb9658f387991daae0f Mon Sep 17 00:00:00 2001
From: Julia <90114526+juliatilde@users.noreply.github.com>
Date: Sun, 5 Sep 2021 16:53:34 +0200
Subject: [PATCH] Update Dockerfile (#618)

Running programs as root that don't require it is a big security risk. Docker is only containerization and not virtualization. Instead of using the user "nobody" a custom user may be created, but as shadowsocks-rust only uses networking and only reads the config file I see it as unnecessary. If the server is intended to bind on a privileged port (<1024) Docker's port mapping may be used or a program such as nftables or setcap may be used.
---
 Dockerfile | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index aa1eed7e..9511c775 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -39,6 +39,8 @@ COPY --from=build /root/shadowsocks-rust/target/release/sslocal /usr/bin
 COPY --from=build /root/shadowsocks-rust/examples/config.json /etc/shadowsocks-rust/
+USER nobody
+
 ENTRYPOINT [ "sslocal", "--log-without-time", "-c", "/etc/shadowsocks-rust/config.json" ]
 FROM alpine:3.14 AS ssserver
@@ -47,4 +49,6 @@ COPY --from=build /root/shadowsocks-rust/target/release/ssserver /usr/bin
 COPY --from=build /root/shadowsocks-rust/examples/config.json /etc/shadowsocks-rust/
+USER nobody
+
 ENTRYPOINT [ "ssserver", "--log-without-time", "-c", "/etc/shadowsocks-rust/config.json" ]
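Review bot: The new `USER nobody` in the sslocal stage comes after the config is copied in as root, so /etc/shadowsocks-rust/config.json is root-owned and is only readable by the process because COPY keeps the mode the file had in the build stage (presumably 0644, not visible here); the Dockerfile says nothing about this, and operators who bind-mount their own config over that path — the common way to run this image — will get a permission error the moment the host file is 0600. That operational contract belongs in a comment next to the instruction, e.g. `# Drop root: the daemon only reads its config and opens sockets. Runs as UID 65534 on Alpine, so a mounted config.json must be readable by that UID, and ports below 1024 must be exposed through Docker port mapping rather than bound directly.` If future local modes need raw sockets or a tun device (CAP_NET_ADMIN), this line will have to be revisited — worth a one-line note so nobody reintroduces root wholesale. The sslocal stage's FROM line is outside the hunk.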
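Review bot: The setcap route offered in the description cannot be applied by an operator of this image, because the ssserver stage's `USER nobody` is the last instruction before ENTRYPOINT and setcap needs root at build time; if privileged ports are meant to be supported, the capability has to be granted in the Dockerfile before this line, e.g. `RUN apk add --no-cache libcap && setcap cap_net_bind_service=+ep /usr/bin/ssserver` (on Alpine, setcap comes from the libcap package, I believe). Otherwise a comment stating that ports below 1024 are only reachable via `-p host:container` mapping would stop people from hitting EACCES and switching back to root. The ssserver stage's FROM line is outside the hunk.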