rollback uid and gid for Wazuh indexer and dashboard owner

This commit is contained in:
vcerenu
2024-03-11 10:05:53 -03:00
parent b4af946000
commit 387727d496
4 changed files with 28 additions and 17 deletions


@@ -84,9 +84,9 @@ ENV PATTERN="" \
RUN yum install shadow-utils -y
# Create wazuh-dashboard user and group
RUN getent group $GROUP || groupadd -r -g 999 $GROUP
RUN getent group $GROUP || groupadd -r -g 1000 $GROUP
RUN useradd --system \
--uid 999 \
--uid 1000 \
--no-create-home \
--home-dir $INSTALL_DIR \
--gid $GROUP \
@@ -99,14 +99,14 @@ COPY config/entrypoint.sh /
COPY config/wazuh_app_config.sh /
RUN chmod 700 /entrypoint.sh
RUN chmod 700 /wazuh_app_config.sh
RUN chown 999:999 /*.sh
RUN chown 1000:1000 /*.sh
# Copy Install dir from builder to current image
COPY --from=builder --chown=999:999 $INSTALL_DIR $INSTALL_DIR
COPY --from=builder --chown=1000:1000 $INSTALL_DIR $INSTALL_DIR
# Create custom directory
RUN mkdir -p /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
RUN chown 999:999 /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
RUN chown 1000:1000 /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
# Set workdir and user
WORKDIR $INSTALL_DIR
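Review bot: The numeric id 1000 is now spelled out in five places in this stage (the groupadd, the useradd, the two chown lines and the COPY --chown), while the group itself is only created when `getent group $GROUP` fails, so a pre-existing group with a different GID would leave every file owned by a GID the service user is not in. Declaring the id once, e.g. `ARG WAZUH_UID=1000` and `ARG WAZUH_GID=1000` redeclared in this stage, and using `${WAZUH_UID}:${WAZUH_GID}` in all five spots keeps them from drifting apart on the next change; the same pattern applies to the indexer Dockerfile in this commit. The `RUN chown 1000:1000 /*.sh` after the COPY lines also rewrites those scripts into a second layer, which `COPY --chown=1000:1000 config/wazuh_app_config.sh /` avoids, and the mkdir and chown for the custom assets directory could be a single `RUN mkdir -p … && chown 1000:1000 …` for the same reason. The useradd invocation continues past the end of the first hunk.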


@@ -38,10 +38,10 @@ ENV USER="wazuh-indexer" \
RUN yum install curl-minimal shadow-utils findutils hostname -y
RUN getent group $GROUP || groupadd -r -g 999 $GROUP
RUN getent group $GROUP || groupadd -r -g 1000 $GROUP
RUN useradd --system \
--uid 999 \
--uid 1000 \
--no-create-home \
--home-dir $INSTALL_DIR \
--gid $GROUP \
@@ -57,19 +57,19 @@ COPY config/securityadmin.sh /
RUN chmod 700 /entrypoint.sh && chmod 700 /securityadmin.sh
RUN chown 999:999 /*.sh
RUN chown 1000:1000 /*.sh
COPY --from=builder --chown=999:999 /debian/wazuh-indexer/usr/share/wazuh-indexer /usr/share/wazuh-indexer
COPY --from=builder --chown=1000:1000 /debian/wazuh-indexer/usr/share/wazuh-indexer /usr/share/wazuh-indexer
COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/systemd /usr/lib/systemd
COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/sysctl.d /usr/lib/sysctl.d
COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/tmpfiles.d /usr/lib/tmpfiles.d
RUN chown -R 999:999 /usr/share/wazuh-indexer
RUN chown -R 1000:1000 /usr/share/wazuh-indexer
RUN mkdir -p /var/lib/wazuh-indexer && chown 999:999 /var/lib/wazuh-indexer && \
mkdir -p /usr/share/wazuh-indexer/logs && chown 999:999 /usr/share/wazuh-indexer/logs && \
mkdir -p /run/wazuh-indexer && chown 999:999 /run/wazuh-indexer && \
mkdir -p /var/log/wazuh-indexer && chown 999:999 /var/log/wazuh-indexer && \
RUN mkdir -p /var/lib/wazuh-indexer && chown 1000:1000 /var/lib/wazuh-indexer && \
mkdir -p /usr/share/wazuh-indexer/logs && chown 1000:1000 /usr/share/wazuh-indexer/logs && \
mkdir -p /run/wazuh-indexer && chown 1000:1000 /run/wazuh-indexer && \
mkdir -p /var/log/wazuh-indexer && chown 1000:1000 /var/log/wazuh-indexer && \
chmod 700 /usr/share/wazuh-indexer && \
chmod 600 /usr/share/wazuh-indexer/jvm.options && \
chmod 600 /usr/share/wazuh-indexer/opensearch.yml
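Review bot: `RUN chown -R 1000:1000 /usr/share/wazuh-indexer` comes right after `COPY --from=builder --chown=1000:1000 … /usr/share/wazuh-indexer`, so it changes nothing but copies the whole install tree into an extra image layer; that RUN can be dropped, and the ownership of `logs` is already handled by the chown in the following mkdir step. As in the dashboard Dockerfile, the id 1000 is repeated in nine places here (groupadd, useradd, the chown of the scripts, the COPY, and four chowns in the last RUN) with the group creation guarded by `getent`; a build argument such as `ARG WAZUH_UID=1000` / `ARG WAZUH_GID=1000` referenced everywhere would keep the literal in one place. The useradd invocation in the first hunk continues outside the hunk.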


@@ -34,7 +34,7 @@ if [[ "$1" != "opensearchwrapper" ]]; then
# `bin/opensearch -E x.y=z` would not work.
set -- "opensearch" "${@:2}"
# Use chroot to switch to UID 1000 / GID 0
exec chroot --userspec=999:0 / "$@"
exec chroot --userspec=1000:0 / "$@"
else
# User probably wants to run something else, like /bin/bash, with another uid forced (Openshift?)
exec "$@"
@@ -79,7 +79,7 @@ fi
if [[ "$(id -u)" == "0" ]]; then
# If requested and running as root, mutate the ownership of bind-mounts
if [[ -n "$TAKE_FILE_OWNERSHIP" ]]; then
chown -R 999:0 /usr/share/wazuh-indexer/{data,logs}
chown -R 1000:0 /usr/share/wazuh-indexer/{data,logs}
fi
fi
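Review bot: The uid is hardcoded twice in this script, in `exec chroot --userspec=1000:0 / "$@"` and in `chown -R 1000:0 /usr/share/wazuh-indexer/{data,logs}`, and the group it uses (0) differs from the `1000:1000` the indexer Dockerfile in this same commit applies to the tree, so with TAKE_FILE_OWNERSHIP set the data and logs directories end up group root while everything around them stays group 1000. That is probably harmless given the owner-only `chmod 700` on the top directory in the Dockerfile, but it is worth a one-line comment stating that GID 0 is intentional (the existing comment on the chroot line says what, not why). Defining the id once near the top, e.g. `WAZUH_INDEXER_UID=1000`, and using `--userspec="${WAZUH_INDEXER_UID}:0"` and `chown -R "${WAZUH_INDEXER_UID}:0"` prevents the next bump from missing one of the two sites. Both enclosing if blocks start before their hunks.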


@@ -47,5 +47,16 @@ echo "Changing certificate permissions"
chmod -R 500 /certificates
chmod -R 400 /certificates/*
echo "Setting UID indexer and dashboard"
chown 999:999 /certificates/*
chown 1000:1000 /certificates/*
echo "Setting UID for wazuh manager and worker"
cp /certificates/root-ca.pem /certificates/root-ca-manager.pem
cp /certificates/root-ca.key /certificates/root-ca-manager.key
chown 999:999 /certificates/root-ca-manager.pem
chown 999:999 /certificates/root-ca-manager.key
for i in ${node_names[@]};
do
chown 999:999 "/certificates/${i}.pem"
chown 999:999 "/certificates/${i}-key.pem"
done
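Review bot: The new loop expands the array unquoted, `for i in ${node_names[@]};`, so a node name containing whitespace or glob characters is split or expanded before the chown runs (ShellCheck SC2068); it should read `for i in "${node_names[@]}"; do`. The ordering also needs a comment: `chown 1000:1000 /certificates/*` has already claimed every file, and the loop then hands each listed node certificate to 999:999, so if `node_names` (defined outside the hunk) ever includes an indexer or dashboard node its certificate silently ends up owned by the manager id; a line such as `# node_names lists manager/worker nodes only; indexer and dashboard certs keep 1000:1000 from above` would make that assumption visible. Copying `root-ca.key` to `root-ca-manager.key` also duplicates the CA private key for the manager side; if the manager only verifies peers with `root-ca-manager.pem`, the key copy may not be needed, which is worth confirming before it ships.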