Skip to content

fix: non-root user support in Dockerfile #45

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
solimander merged 3 commits into from
Dec 2, 2025
Merged

fix: non-root user support in Dockerfile #45

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
303db41
feat: defer privilege dropping to entrypoint for TEE initialization
solimander Dec 2, 2025
909c175
feat: standardize ORIGINAL_USER environment variable with __EIGENX_ p…
solimander Dec 2, 2025
98f797f
fix privilege dropping to preserve command arguments correctly
solimander Dec 2, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions internal/templates/docker/Dockerfile.layered.tmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,8 +32,8 @@ RUN chmod 755 /usr/local/bin/compute-source-env.sh \
&& chmod 755 /usr/local/bin/caddy{{- end}} \
&& chmod 644 /usr/local/bin/kms-signing-public-key.pem

# Switch back to the original user from base image
USER {{.OriginalUser}}
# Store original user - entrypoint will drop privileges to this user after TEE setup
ENV __EIGENX_ORIGINAL_USER={{.OriginalUser}}
{{- else}}
# Make binaries executable (preserve existing permissions, just add execute)
RUN chmod +x /usr/local/bin/compute-source-env.sh \
Expand Down
7 changes: 7 additions & 0 deletions internal/templates/scripts/compute-source-env.sh.tmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -107,4 +107,11 @@ setup_tls() {
setup_tls

echo "compute-source-env.sh: Environment sourced."

# Drop privileges to original user for the application command
if [ -n "$__EIGENX_ORIGINAL_USER" ] && [ "$(id -u)" = "0" ]; then
echo "compute-source-env.sh: Dropping privileges to user: $__EIGENX_ORIGINAL_USER"
exec su -s /bin/sh "$__EIGENX_ORIGINAL_USER" -c 'exec "$@"' -- sh "$@"
fi

exec "$@"
3 changes: 2 additions & 1 deletion pkg/hooks/hooks.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -244,7 +244,8 @@ var versionCheckChannel = make(chan *common.UpdateInfo, 1)
// InitVersionCheck starts an async version check for prod builds
func InitVersionCheck(cCtx *cli.Context) {
// Skip for non-prod builds or specific commands
if common.Build != "prod" || cCtx.Command.Name == "upgrade" || cCtx.Command.Name == "version" || cCtx.Command.Name == "help" {
subcommand := cCtx.Args().First()
if common.Build != "prod" || subcommand == "upgrade" || subcommand == "version" || subcommand == "help" {
return
}

Expand Down