Run pgAdmin in the container as a non-root user (pgadmin, UID: 5050). Fixes #4939.

2025-01-24 07:16:52 -06:00 · 2019-12-09 11:09:46 +05:30 · 2019-12-09 11:09:46 +05:30 · 619c4e1180
commit 619c4e1180
parent f44627c205
3 changed files with 19 additions and 4 deletions
--- a/15
+++ b/15
@ -160,7 +160,9 @@ RUN apk add --no-cache --virtual \
    apk add \
        postfix \
        postgresql-client \
-        postgresql-libs && \
+        postgresql-libs \
+        shadow \
+        libcap && \
    pip install --upgrade pip && \
    pip install --no-cache-dir -r requirements.txt && \
    pip install --no-cache-dir gunicorn==19.9.0 && \
@ -177,6 +179,17 @@ COPY pkg/docker/entrypoint.sh /entrypoint.sh
 # Precompile and optimize python code to save time and space on startup
 RUN python -O -m compileall -x node_modules /pgadmin4

+RUN groupadd -g 5050 pgadmin && \
+    useradd -r -u 5050 -g pgadmin pgadmin && \
+    mkdir -p /var/lib/pgadmin && \
+    chown pgadmin:pgadmin /var/lib/pgadmin && \
+    mkdir -p /var/log/pgadmin && \
+    chown pgadmin:pgadmin /var/log/pgadmin && \
+    touch /pgadmin4/config_distro.py && \
+    chown pgadmin:pgadmin /pgadmin4/config_distro.py && \
+    setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/python3.7
+USER pgadmin
+
 # Finish up
 VOLUME /var/lib/pgadmin
 EXPOSE 80 443
--- a/docs/en_US/release_notes_4_16.rst
+++ b/docs/en_US/release_notes_4_16.rst
@ -14,6 +14,7 @@ New features
 | `Issue #4711 <https://redmine.postgresql.org/issues/4711>`_ -  Use a 'play' icon for the Execute Query button in the Query Tool for greater consistency with other applications.
 | `Issue #4772 <https://redmine.postgresql.org/issues/4772>`_ -  Added aria-label to provide an invisible label where a visible label cannot be used.
 | `Issue #4773 <https://redmine.postgresql.org/issues/4773>`_ -  Added role="status" attribute to all the status messages for accessibility.
+| `Issue #4939 <https://redmine.postgresql.org/issues/4939>`_ -  Run pgAdmin in the container as a non-root user (pgadmin, UID: 5050)
 | `Issue #4944 <https://redmine.postgresql.org/issues/4944>`_ -  Allow Gunicorn logs in the container to be directed to a file specified through GUNICORN_ACCESS_LOGFILE.
 | `Issue #4990 <https://redmine.postgresql.org/issues/4990>`_ -  Changed the open query tool and data filter icons.

--- a/pkg/docker/entrypoint.sh
+++ b/pkg/docker/entrypoint.sh
@ -1,9 +1,10 @@
 #!/bin/sh

-# Create config_distro.py. This has some default config, as well as anything
+# Populate config_distro.py. This has some default config, as well as anything
 # provided by the user through the PGADMIN_CONFIG_* environment variables.
-# Only write the file on first launch.
-if [ ! -f /pgadmin4/config_distro.py ]; then
+# Only update the file on first launch. The empty file is created during the
+# container build so it can have the required ownership.
+if [ `wc -m /pgadmin4/config_distro.py | awk '{ print $1 }'` = "0" ]; then
    cat << EOF > /pgadmin4/config_distro.py
 HELP_PATH = '../../docs'
 DEFAULT_BINARY_PATHS = {