[PM-14496] Support running containers as non-root user

bitwarden_license/src/Scim/entrypoint.sh

@@ -19,31 +19,41 @@ then
     LGID=65534
 fi
 
-# Create user and group
-
-groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 ||
-groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1
-useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 ||
-usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1
-mkhomedir_helper $USERNAME
-
-# The rest...
-
-chown -R $USERNAME:$GROUPNAME /app
-mkdir -p /etc/bitwarden/core
-mkdir -p /etc/bitwarden/logs
-mkdir -p /etc/bitwarden/ca-certificates
-chown -R $USERNAME:$GROUPNAME /etc/bitwarden
-
-if [[ $globalSettings__selfHosted == "true" ]]; then
-  cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
-    && update-ca-certificates
+if [ "$(id -u)" = "0" ]
+then
+    # Create user and group
+
+    groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 ||
+    groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1
+    useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 ||
+    usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1
+    mkhomedir_helper $USERNAME
+
+    # The rest...
+
+    chown -R $USERNAME:$GROUPNAME /app
+    mkdir -p /etc/bitwarden/core
+    mkdir -p /etc/bitwarden/logs
+    mkdir -p /etc/bitwarden/ca-certificates
+    chown -R $USERNAME:$GROUPNAME /etc/bitwarden
+
+    if [[ $globalSettings__selfHosted == "true" ]]; then
+      cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
+        && update-ca-certificates
+    fi
+
+    if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then
+      chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos
+    fi
+
+    gosu_cmd="gosu $USERNAME:$GROUPNAME"
+else
+    gosu_cmd=""
 fi
 
 if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then
-  chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos
-  cp -f /etc/bitwarden/kerberos/krb5.conf /etc/krb5.conf
-  gosu $USERNAME:$GROUPNAME kinit $globalSettings__kerberosUser -k -t /etc/bitwarden/kerberos/bitwarden.keytab
+    cp -f /etc/bitwarden/kerberos/krb5.conf /etc/krb5.conf
+    $gosu_cmd kinit $globalSettings__kerberosUser -k -t /etc/bitwarden/kerberos/bitwarden.keytab
 fi
 
-exec gosu $USERNAME:$GROUPNAME dotnet /app/Scim.dll
+exec $gosu_cmd dotnet /app/Scim.dll

bitwarden_license/src/Sso/entrypoint.sh

@@ -19,37 +19,47 @@ then
     LGID=65534
 fi
 
-# Create user and group
+if [ "$(id -u)" = "0" ]
+then
+    # Create user and group
 
-groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 ||
-groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1
-useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 ||
-usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1
-mkhomedir_helper $USERNAME
+    groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 ||
+    groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1
+    useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 ||
+    usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1
+    mkhomedir_helper $USERNAME
 
-# The rest...
+    # The rest...
 
-mkdir -p /etc/bitwarden/identity
-mkdir -p /etc/bitwarden/core
-mkdir -p /etc/bitwarden/logs
-mkdir -p /etc/bitwarden/ca-certificates
-chown -R $USERNAME:$GROUPNAME /etc/bitwarden
+    mkdir -p /etc/bitwarden/identity
+    mkdir -p /etc/bitwarden/core
+    mkdir -p /etc/bitwarden/logs
+    mkdir -p /etc/bitwarden/ca-certificates
+    chown -R $USERNAME:$GROUPNAME /etc/bitwarden
 
-if [[ $globalSettings__selfHosted == "true" ]]; then
-  cp /etc/bitwarden/identity/identity.pfx /app/identity.pfx
-fi
+    chown -R $USERNAME:$GROUPNAME /app
 
-chown -R $USERNAME:$GROUPNAME /app
+    if [[ $globalSettings__selfHosted == "true" ]]; then
+      cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
+        && update-ca-certificates
+    fi
+
+    if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then
+      chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos
+    fi
+
+    gosu_cmd="gosu $USERNAME:$GROUPNAME"
+else
+    gosu_cmd=""
+fi
 
 if [[ $globalSettings__selfHosted == "true" ]]; then
-  cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
-    && update-ca-certificates
+    cp /etc/bitwarden/identity/identity.pfx /app/identity.pfx
 fi
 
 if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then
-  chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos
-  cp -f /etc/bitwarden/kerberos/krb5.conf /etc/krb5.conf
-  gosu $USERNAME:$GROUPNAME kinit $globalSettings__kerberosUser -k -t /etc/bitwarden/kerberos/bitwarden.keytab
+    cp -f /etc/bitwarden/kerberos/krb5.conf /etc/krb5.conf
+    $gosu_cmd kinit $globalSettings__kerberosUser -k -t /etc/bitwarden/kerberos/bitwarden.keytab
 fi
 
-exec gosu $USERNAME:$GROUPNAME dotnet /app/Sso.dll
+exec $gosu_cmd dotnet /app/Sso.dll

src/Admin/entrypoint.sh

@@ -19,31 +19,41 @@ then
     LGID=65534
 fi
 
-# Create user and group
-
-groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 ||
-groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1
-useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 ||
-usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1
-mkhomedir_helper $USERNAME
-
-# The rest...
-
-chown -R $USERNAME:$GROUPNAME /app
-mkdir -p /etc/bitwarden/core
-mkdir -p /etc/bitwarden/logs
-mkdir -p /etc/bitwarden/ca-certificates
-chown -R $USERNAME:$GROUPNAME /etc/bitwarden
-
-if [[ $globalSettings__selfHosted == "true" ]]; then
-  cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
-    && update-ca-certificates
+if [ "$(id -u)" = "0" ]
+then
+    # Create user and group
+
+    groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 ||
+    groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1
+    useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 ||
+    usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1
+    mkhomedir_helper $USERNAME
+
+    # The rest...
+
+    chown -R $USERNAME:$GROUPNAME /app
+    mkdir -p /etc/bitwarden/core
+    mkdir -p /etc/bitwarden/logs
+    mkdir -p /etc/bitwarden/ca-certificates
+    chown -R $USERNAME:$GROUPNAME /etc/bitwarden
+
+    if [[ $globalSettings__selfHosted == "true" ]]; then
+      cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
+        && update-ca-certificates
+    fi
+
+    if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then
+      chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos
+    fi
+
+    gosu_cmd="gosu $USERNAME:$GROUPNAME"
+else
+    gosu_cmd=""
 fi
 
 if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then
-  chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos
-  cp -f /etc/bitwarden/kerberos/krb5.conf /etc/krb5.conf
-  gosu $USERNAME:$GROUPNAME kinit $globalSettings__kerberosUser -k -t /etc/bitwarden/kerberos/bitwarden.keytab
+    cp -f /etc/bitwarden/kerberos/krb5.conf /etc/krb5.conf
+    $gosu_cmd kinit $globalSettings__kerberosUser -k -t /etc/bitwarden/kerberos/bitwarden.keytab
 fi
 
-exec gosu $USERNAME:$GROUPNAME dotnet /app/Admin.dll
+exec $gosu_cmd dotnet /app/Admin.dll

src/Api/entrypoint.sh

@@ -19,31 +19,41 @@ then
     LGID=65534
 fi
 
-# Create user and group
-
-groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 ||
-groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1
-useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 ||
-usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1
-mkhomedir_helper $USERNAME
-
-# The rest...
-
-chown -R $USERNAME:$GROUPNAME /app
-mkdir -p /etc/bitwarden/core
-mkdir -p /etc/bitwarden/logs
-mkdir -p /etc/bitwarden/ca-certificates
-chown -R $USERNAME:$GROUPNAME /etc/bitwarden
-
-if [[ $globalSettings__selfHosted == "true" ]]; then
-  cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
-    && update-ca-certificates
+if [ "$(id -u)" = "0" ]
+then
+    # Create user and group
+
+    groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 ||
+    groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1
+    useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 ||
+    usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1
+    mkhomedir_helper $USERNAME
+
+    # The rest...
+
+    chown -R $USERNAME:$GROUPNAME /app
+    mkdir -p /etc/bitwarden/core
+    mkdir -p /etc/bitwarden/logs
+    mkdir -p /etc/bitwarden/ca-certificates
+    chown -R $USERNAME:$GROUPNAME /etc/bitwarden
+
+    if [[ $globalSettings__selfHosted == "true" ]]; then
+      cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
+        && update-ca-certificates
+    fi
+
+    if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then
+      chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos
+    fi
+
+    gosu_cmd="gosu $USERNAME:$GROUPNAME"
+else
+    gosu_cmd=""
 fi
 
 if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then
-  chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos
-  cp -f /etc/bitwarden/kerberos/krb5.conf /etc/krb5.conf
-  gosu $USERNAME:$GROUPNAME kinit $globalSettings__kerberosUser -k -t /etc/bitwarden/kerberos/bitwarden.keytab
+    cp -f /etc/bitwarden/kerberos/krb5.conf /etc/krb5.conf
+    $gosu_cmd kinit $globalSettings__kerberosUser -k -t /etc/bitwarden/kerberos/bitwarden.keytab
 fi
 
-exec gosu $USERNAME:$GROUPNAME dotnet /app/Api.dll
+exec $gosu_cmd dotnet /app/Api.dll

src/Core/Settings/GlobalSettings.cs

@@ -107,7 +107,7 @@
         {
             return null;
         }
         return string.Format("http://{0}:5000", name);
     }
 
     public string BuildDirectory(string explicitValue, string appendedPath)
@@ -337,6 +337,7 @@
 
     public class IdentityServerSettings
     {
+        public string CertificateLocation { get; set; } = "identity.pfx";
         public string CertificateThumbprint { get; set; }
         public string CertificatePassword { get; set; }
         public string RedisConnectionString { get; set; }

src/Core/Utilities/CoreHelpers.cs

@@ -29,7 +29,7 @@
     private static readonly long _baseDateTicks = new DateTime(1900, 1, 1).Ticks;
     private static readonly DateTime _epoc = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
     private static readonly DateTime _max = new DateTime(9999, 1, 1, 0, 0, 0, DateTimeKind.Utc);
     private static readonly Random _random = new Random();
     private static readonly string RealConnectingIp = "X-Connecting-IP";
     private static readonly Regex _whiteSpaceRegex = new Regex(@"\s+");
     private static readonly JsonSerializerOptions _jsonSerializerOptions = new()
@@ -656,9 +656,9 @@
     {
         if (globalSettings.SelfHosted &&
             SettingHasValue(globalSettings.IdentityServer.CertificatePassword)
-            && File.Exists("identity.pfx"))
+            && File.Exists(globalSettings.IdentityServer.CertificateLocation))
         {
-            return GetCertificate("identity.pfx",
+            return GetCertificate(globalSettings.IdentityServer.CertificateLocation,
                 globalSettings.IdentityServer.CertificatePassword);
         }
         else if (SettingHasValue(globalSettings.IdentityServer.CertificateThumbprint))

src/Events/entrypoint.sh

@@ -19,31 +19,41 @@ then
     LGID=65534
 fi
 
-# Create user and group
-
-groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 ||
-groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1
-useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 ||
-usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1
-mkhomedir_helper $USERNAME
-
-# The rest...
-
-chown -R $USERNAME:$GROUPNAME /app
-mkdir -p /etc/bitwarden/core
-mkdir -p /etc/bitwarden/logs
-mkdir -p /etc/bitwarden/ca-certificates
-chown -R $USERNAME:$GROUPNAME /etc/bitwarden
-
-if [[ $globalSettings__selfHosted == "true" ]]; then
-  cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
-    && update-ca-certificates
+if [ "$(id -u)" = "0" ]
+then
+    # Create user and group
+
+    groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 ||
+    groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1
+    useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 ||
+    usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1
+    mkhomedir_helper $USERNAME
+
+    # The rest...
+
+    chown -R $USERNAME:$GROUPNAME /app
+    mkdir -p /etc/bitwarden/core
+    mkdir -p /etc/bitwarden/logs
+    mkdir -p /etc/bitwarden/ca-certificates
+    chown -R $USERNAME:$GROUPNAME /etc/bitwarden
+
+    if [[ $globalSettings__selfHosted == "true" ]]; then
+        cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
+            && update-ca-certificates
+    fi
+
+    if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then
+        chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos
+    fi
+
+    gosu_cmd="gosu $USERNAME:$GROUPNAME"
+else
+    gosu_cmd=""
 fi
 
 if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then
-  chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos
   cp -f /etc/bitwarden/kerberos/krb5.conf /etc/krb5.conf
-  gosu $USERNAME:$GROUPNAME kinit $globalSettings__kerberosUser -k -t /etc/bitwarden/kerberos/bitwarden.keytab
+  $gosu_cmd kinit $globalSettings__kerberosUser -k -t /etc/bitwarden/kerberos/bitwarden.keytab
 fi
 
-exec gosu $USERNAME:$GROUPNAME dotnet /app/Events.dll
+exec $gosu_cmd dotnet /app/Events.dll

src/Icons/entrypoint.sh

@@ -19,24 +19,30 @@ then
     LGID=65534
 fi
 
-# Create user and group
-
-groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 ||
-groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1
-useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 ||
-usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1
-mkhomedir_helper $USERNAME
-
-# The rest...
-
-chown -R $USERNAME:$GROUPNAME /app
-mkdir -p /etc/bitwarden/logs
-mkdir -p /etc/bitwarden/ca-certificates
-chown -R $USERNAME:$GROUPNAME /etc/bitwarden
-
-if [[ $globalSettings__selfHosted == "true" ]]; then
-  cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
-    && update-ca-certificates
+if [ "$(id -u)" = "0" ]
+then
+    # Create user and group
+
+    groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 ||
+    groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1
+    useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 ||
+    usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1
+    mkhomedir_helper $USERNAME
+
+    # The rest...
+
+    chown -R $USERNAME:$GROUPNAME /app
+    mkdir -p /etc/bitwarden/logs
+    mkdir -p /etc/bitwarden/ca-certificates
+    chown -R $USERNAME:$GROUPNAME /etc/bitwarden
+
+    if [[ $globalSettings__selfHosted == "true" ]]; then
+    cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
+        && update-ca-certificates
+    fi
+    gosu_cmd="gosu $USERNAME:$GROUPNAME"
+else
+    gosu_cmd=""
 fi
 
-exec gosu $USERNAME:$GROUPNAME dotnet /app/Icons.dll
+exec $gosu_cmd dotnet /app/Icons.dll