Run bitwarden-rs as non-root user

Updated the Dockerfiles to switch to UID 999 before running. Because
non-root users cannot bind to ports below 1024, I also updated the
ROCKET_PORT to 8080.

README.md

@@ -35,9 +35,10 @@ Pull the docker image and mount a volume from the host for persistent storage:
 
 ```sh
 docker pull bitwardenrs/server:latest
-docker run -d --name bitwarden -v /bw-data/:/data/ -p 80:80 bitwardenrs/server:latest
+docker run -d --name bitwarden -v /bw-data/:/data/ -p 8080:80 bitwardenrs/server:latest
 ```
 This will preserve any persistent data under /bw-data/, you can adapt the path to whatever suits you.
+By default the container will run with `UID=999`, you may want to add `-u some_user` to the run command above, as well as make sure that user has read/write access to `/data`.
 
 **IMPORTANT**: Some web browsers, like Chrome, disallow the use of Web Crypto APIs in insecure contexts. In this case, you might get an error like `Cannot read property 'importKey'`. To solve this problem, you need to access the web vault from HTTPS. 
 

docker/Dockerfile.j2

@@ -222,7 +222,7 @@ RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabih
 FROM {{ runtime_stage_base_image }}
 
 ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
+ENV ROCKET_PORT=8080
 ENV ROCKET_WORKERS=10
 {% if "alpine" in runtime_stage_base_image %}
 ENV SSL_CERT_DIR=/etc/ssl/certs
@@ -268,8 +268,9 @@ RUN [ "cross-build-end" ]
 
 {% endif %}
 VOLUME /data
-EXPOSE 80
+EXPOSE 8080
 EXPOSE 3012
+USER 999
 
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage

docker/aarch64/mysql/Dockerfile

@@ -96,7 +96,7 @@ RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
 FROM balenalib/aarch64-debian:buster
 
 ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
+ENV ROCKET_PORT=8080
 ENV ROCKET_WORKERS=10
 
 RUN [ "cross-build-start" ]
@@ -115,8 +115,9 @@ RUN mkdir /data
 RUN [ "cross-build-end" ]
 
 VOLUME /data
-EXPOSE 80
+EXPOSE 8080
 EXPOSE 3012
+USER 999
 
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage

docker/aarch64/sqlite/Dockerfile

@@ -90,7 +90,7 @@ RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
 FROM balenalib/aarch64-debian:buster
 
 ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
+ENV ROCKET_PORT=8080
 ENV ROCKET_WORKERS=10
 
 RUN [ "cross-build-start" ]
@@ -109,8 +109,9 @@ RUN mkdir /data
 RUN [ "cross-build-end" ]
 
 VOLUME /data
-EXPOSE 80
+EXPOSE 8080
 EXPOSE 3012
+USER 999
 
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage

docker/amd64/mysql/Dockerfile

@@ -69,7 +69,7 @@ RUN cargo build --features ${DB} --release
 FROM debian:buster-slim
 
 ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
+ENV ROCKET_PORT=8080
 ENV ROCKET_WORKERS=10
 
 # Install needed libraries
@@ -83,8 +83,9 @@ RUN apt-get update && apt-get install -y \
 
 RUN mkdir /data
 VOLUME /data
-EXPOSE 80
+EXPOSE 8080
 EXPOSE 3012
+USER 999
 
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage

docker/amd64/mysql/Dockerfile.alpine

@@ -73,7 +73,7 @@ RUN cargo build --features ${DB} --release
 FROM alpine:3.11
 
 ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
+ENV ROCKET_PORT=8080
 ENV ROCKET_WORKERS=10
 ENV SSL_CERT_DIR=/etc/ssl/certs
 
@@ -86,8 +86,9 @@ RUN apk add --no-cache \
 
 RUN mkdir /data
 VOLUME /data
-EXPOSE 80
+EXPOSE 8080
 EXPOSE 3012
+USER 999
 
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage

docker/amd64/postgresql/Dockerfile

@@ -69,7 +69,7 @@ RUN cargo build --features ${DB} --release
 FROM debian:buster-slim
 
 ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
+ENV ROCKET_PORT=8080
 ENV ROCKET_WORKERS=10
 
 # Install needed libraries
@@ -83,8 +83,9 @@ RUN apt-get update && apt-get install -y \
 
 RUN mkdir /data
 VOLUME /data
-EXPOSE 80
+EXPOSE 8080
 EXPOSE 3012
+USER 999
 
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage

docker/amd64/postgresql/Dockerfile.alpine

@@ -73,7 +73,7 @@ RUN cargo build --features ${DB} --release
 FROM alpine:3.11
 
 ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
+ENV ROCKET_PORT=8080
 ENV ROCKET_WORKERS=10
 ENV SSL_CERT_DIR=/etc/ssl/certs
 
@@ -86,8 +86,9 @@ RUN apk add --no-cache \
 
 RUN mkdir /data
 VOLUME /data
-EXPOSE 80
+EXPOSE 8080
 EXPOSE 3012
+USER 999
 
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage

docker/amd64/sqlite/Dockerfile

@@ -63,7 +63,7 @@ RUN cargo build --features ${DB} --release
 FROM debian:buster-slim
 
 ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
+ENV ROCKET_PORT=8080
 ENV ROCKET_WORKERS=10
 
 # Install needed libraries
@@ -77,8 +77,9 @@ RUN apt-get update && apt-get install -y \
 
 RUN mkdir /data
 VOLUME /data
-EXPOSE 80
+EXPOSE 8080
 EXPOSE 3012
+USER 999
 
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage

docker/amd64/sqlite/Dockerfile.alpine

@@ -67,7 +67,7 @@ RUN cargo build --features ${DB} --release
 FROM alpine:3.11
 
 ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
+ENV ROCKET_PORT=8080
 ENV ROCKET_WORKERS=10
 ENV SSL_CERT_DIR=/etc/ssl/certs
 
@@ -80,8 +80,9 @@ RUN apk add --no-cache \
 
 RUN mkdir /data
 VOLUME /data
-EXPOSE 80
+EXPOSE 8080
 EXPOSE 3012
+USER 999
 
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage

docker/armv6/mysql/Dockerfile

@@ -96,7 +96,7 @@ RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
 FROM balenalib/rpi-debian:buster
 
 ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
+ENV ROCKET_PORT=8080
 ENV ROCKET_WORKERS=10
 
 RUN [ "cross-build-start" ]
@@ -115,8 +115,9 @@ RUN mkdir /data
 RUN [ "cross-build-end" ]
 
 VOLUME /data
-EXPOSE 80
+EXPOSE 8080
 EXPOSE 3012
+USER 999
 
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage

docker/armv6/sqlite/Dockerfile

@@ -90,7 +90,7 @@ RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
 FROM balenalib/rpi-debian:buster
 
 ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
+ENV ROCKET_PORT=8080
 ENV ROCKET_WORKERS=10
 
 RUN [ "cross-build-start" ]
@@ -109,8 +109,9 @@ RUN mkdir /data
 RUN [ "cross-build-end" ]
 
 VOLUME /data
-EXPOSE 80
+EXPOSE 8080
 EXPOSE 3012
+USER 999
 
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage

docker/armv7/mysql/Dockerfile

@@ -95,7 +95,7 @@ RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabih
 FROM balenalib/armv7hf-debian:buster
 
 ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
+ENV ROCKET_PORT=8080
 ENV ROCKET_WORKERS=10
 
 RUN [ "cross-build-start" ]
@@ -114,8 +114,9 @@ RUN mkdir /data
 RUN [ "cross-build-end" ]
 
 VOLUME /data
-EXPOSE 80
+EXPOSE 8080
 EXPOSE 3012
+USER 999
 
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage

docker/armv7/sqlite/Dockerfile

@@ -89,7 +89,7 @@ RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabih
 FROM balenalib/armv7hf-debian:buster
 
 ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
+ENV ROCKET_PORT=8080
 ENV ROCKET_WORKERS=10
 
 RUN [ "cross-build-start" ]
@@ -108,8 +108,9 @@ RUN mkdir /data
 RUN [ "cross-build-end" ]
 
 VOLUME /data
-EXPOSE 80
+EXPOSE 8080
 EXPOSE 3012
+USER 999
 
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage

docker/healthcheck.sh

@@ -3,7 +3,7 @@
 # Use the value of the corresponding env var (if present),
 # or a default value otherwise.
 : ${DATA_FOLDER:="data"}
-: ${ROCKET_PORT:="80"}
+: ${ROCKET_PORT:="8080"}
 
 CONFIG_FILE="${DATA_FOLDER}"/config.json