security: minimize permission of sandbox user

liqiang-fit2cloud · liqiang-fit2cloud · commit 89d17adc05b1 · 2024-12-17T11:56:21.000+08:00
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
@@ -7,7 +7,7 @@ on:
     inputs:
       dockerImageTag:
         description: 'Docker Image Tag'
-        default: 'v1.6.0-dev'
+        default: 'v1.9.0-dev'
         required: true
       architecture:
         description: 'Architecture'
diff --git a/installer/Dockerfile b/installer/Dockerfile
@@ -60,13 +60,14 @@ RUN chmod 755 /opt/maxkb/app/installer/run-maxkb.sh && \
     cp -r /opt/maxkb/model/base/hub /opt/maxkb/model/tokenizer && \
     cp -f /opt/maxkb/app/installer/run-maxkb.sh /usr/bin/run-maxkb.sh && \
     cp -f /opt/maxkb/app/installer/init.sql /docker-entrypoint-initdb.d && \
+    curl -L --connect-timeout 120 -m 1800 https://resource.fit2cloud.com/maxkb/ffmpeg/get-ffmpeg-linux | sh && \
     mkdir -p /opt/maxkb/app/sandbox/python-packages &&  \
     find /opt/maxkb/app -mindepth 1 -not -name 'sandbox' -exec chmod 700 {} + && \
-    chmod 755 /tmp  && \
-    useradd --no-create-home --home /opt/maxkb/app/sandbox --shell /bin/bash sandbox &&  \
-    chown sandbox:sandbox /opt/maxkb/app/sandbox && \
-    curl -L --connect-timeout 120 -m 1800 https://resource.fit2cloud.com/maxkb/ffmpeg/get-ffmpeg-linux | sh
-
+    chmod 755 /tmp && \
+    useradd --no-create-home --home /opt/maxkb/app/sandbox sandbox -g root && \
+    chown -R sandbox:root /opt/maxkb/app/sandbox && \
+    chmod g-x /usr/local/bin/* /usr/bin/* /bin/* /usr/sbin/* /sbin/* /usr/lib/postgresql/15/bin/* && \
+    chmod g+x /usr/local/bin/python* /bin/sh
 
 EXPOSE 8080
 
