From 514ecea36b73e81b1674a621907b6dad3354a881 Mon Sep 17 00:00:00 2001
From: Cameron Cordes
Date: Mon, 1 Jun 2020 21:37:40 -0400
Subject: [PATCH] Run bitwarden-rs as non-root user
Updated the Dockerfiles to switch to UID 999 before running. Because non-root users cannot bind to ports below 1024, I also updated the ROCKET_PORT to 8080.
---
 README.md | 3 ++-
 docker/Dockerfile.j2 | 5 +++--
 docker/aarch64/mysql/Dockerfile | 5 +++--
 docker/aarch64/sqlite/Dockerfile | 5 +++--
 docker/amd64/mysql/Dockerfile | 5 +++--
 docker/amd64/mysql/Dockerfile.alpine | 5 +++--
 docker/amd64/postgresql/Dockerfile | 5 +++--
 docker/amd64/postgresql/Dockerfile.alpine | 5 +++--
 docker/amd64/sqlite/Dockerfile | 5 +++--
 docker/amd64/sqlite/Dockerfile.alpine | 5 +++--
 docker/armv6/mysql/Dockerfile | 5 +++--
 docker/armv6/sqlite/Dockerfile | 5 +++--
 docker/armv7/mysql/Dockerfile | 5 +++--
 docker/armv7/sqlite/Dockerfile | 5 +++--
 docker/healthcheck.sh | 2 +-
 15 files changed, 42 insertions(+), 28 deletions(-)
diff --git a/README.md b/README.md
index 01f62c9e..d2a256c2 100644
--- a/README.md
+++ b/README.md
@@ -35,9 +35,10 @@ Pull the docker image and mount a volume from the host for persistent storage:
 ```sh
 docker pull bitwardenrs/server:latest
-docker run -d --name bitwarden -v /bw-data/:/data/ -p 80:80 bitwardenrs/server:latest
+docker run -d --name bitwarden -v /bw-data/:/data/ -p 8080:80 bitwardenrs/server:latest
 ```
 This will preserve any persistent data under /bw-data/, you can adapt the path to whatever suits you.
+By default the container will run with `UID=999`, you may want to add `-u some_user` to the run command above, as well as make sure that user has read/write access to `/data`.
 **IMPORTANT**: Some web browsers, like Chrome, disallow the use of Web Crypto APIs in insecure contexts. In this case, you might get an error like `Cannot read property 'importKey'`. To solve this problem, you need to access the web vault from HTTPS.
diff --git a/docker/Dockerfile.j2 b/docker/Dockerfile.j2
index 51a2689f..16e64817 100644
--- a/docker/Dockerfile.j2
+++ b/docker/Dockerfile.j2
@@ -222,7 +222,7 @@ RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabih
 FROM {{ runtime_stage_base_image }}
 ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
+ENV ROCKET_PORT=8080
 ENV ROCKET_WORKERS=10
 {% if "alpine" in runtime_stage_base_image %}
 ENV SSL_CERT_DIR=/etc/ssl/certs
@@ -268,8 +268,9 @@ RUN [ "cross-build-end" ]
 {% endif %}
 VOLUME /data
-EXPOSE 80
+EXPOSE 8080
 EXPOSE 3012
+USER 999
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage
diff --git a/docker/aarch64/mysql/Dockerfile b/docker/aarch64/mysql/Dockerfile
index 2c2ceca5..0d4426f1 100644
--- a/docker/aarch64/mysql/Dockerfile
+++ b/docker/aarch64/mysql/Dockerfile
@@ -96,7 +96,7 @@ RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
 FROM balenalib/aarch64-debian:buster
 ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
+ENV ROCKET_PORT=8080
 ENV ROCKET_WORKERS=10
 RUN [ "cross-build-start" ]
@@ -115,8 +115,9 @@ RUN mkdir /data
 RUN [ "cross-build-end" ]
 VOLUME /data
-EXPOSE 80
+EXPOSE 8080
 EXPOSE 3012
+USER 999
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage
diff --git a/docker/aarch64/sqlite/Dockerfile b/docker/aarch64/sqlite/Dockerfile
index b6121ff1..39fd314f 100644
--- a/docker/aarch64/sqlite/Dockerfile
+++ b/docker/aarch64/sqlite/Dockerfile
@@ -90,7 +90,7 @@ RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
 FROM balenalib/aarch64-debian:buster
 ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
+ENV ROCKET_PORT=8080
 ENV ROCKET_WORKERS=10
 RUN [ "cross-build-start" ]
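Review bot: `USER 999` is added after `RUN mkdir /data` has already run as root, so `/data` stays root-owned with the default 0755 mode and the now-unprivileged server cannot create its database, config.json or attachments inside the anonymous volume (a root-owned host bind mount fails the same way, which the README note only partly covers). That line should become `RUN mkdir /data && chown 999:999 /data` and must stay before `VOLUME /data`, because changes to the volume path after the VOLUME instruction are discarded; in this template the mkdir line sits outside the hunk, and the same fix applies to the aarch64, amd64, armv6 and armv7 Dockerfiles in this commit. A short comment above the new instruction, `# Drop root before the COPY/CMD steps; /data must be writable by UID 999`, would document the contract, and since UID 999 has no passwd entry in these images, any later step or tool that needs `$HOME` or a user lookup may misbehave — confirm the remainder of the stage (outside the hunk) has no RUN step that still needs root. Separately, the README hunk in this commit publishes `-p 8080:80`, which forwards to container port 80 where nothing listens once ROCKET_PORT is 8080; it should read `-p 8080:8080` (or `-p 80:8080` to keep the old host port).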
@@ -109,8 +109,9 @@ RUN mkdir /data
 RUN [ "cross-build-end" ]
 VOLUME /data
-EXPOSE 80
+EXPOSE 8080
 EXPOSE 3012
+USER 999
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage
diff --git a/docker/amd64/mysql/Dockerfile b/docker/amd64/mysql/Dockerfile
index 288fe325..6e7c4d52 100644
--- a/docker/amd64/mysql/Dockerfile
+++ b/docker/amd64/mysql/Dockerfile
@@ -69,7 +69,7 @@ RUN cargo build --features ${DB} --release
 FROM debian:buster-slim
 ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
+ENV ROCKET_PORT=8080
 ENV ROCKET_WORKERS=10
 # Install needed libraries
@@ -83,8 +83,9 @@ RUN apt-get update && apt-get install -y \
 RUN mkdir /data
 VOLUME /data
-EXPOSE 80
+EXPOSE 8080
 EXPOSE 3012
+USER 999
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage
diff --git a/docker/amd64/mysql/Dockerfile.alpine b/docker/amd64/mysql/Dockerfile.alpine
index df1f054a..b5140840 100644
--- a/docker/amd64/mysql/Dockerfile.alpine
+++ b/docker/amd64/mysql/Dockerfile.alpine
@@ -73,7 +73,7 @@ RUN cargo build --features ${DB} --release
 FROM alpine:3.11
 ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
+ENV ROCKET_PORT=8080
 ENV ROCKET_WORKERS=10
 ENV SSL_CERT_DIR=/etc/ssl/certs
@@ -86,8 +86,9 @@ RUN apk add --no-cache \
 RUN mkdir /data
 VOLUME /data
-EXPOSE 80
+EXPOSE 8080
 EXPOSE 3012
+USER 999
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage
diff --git a/docker/amd64/postgresql/Dockerfile b/docker/amd64/postgresql/Dockerfile
index d4d4e342..bb25b3f7 100644
--- a/docker/amd64/postgresql/Dockerfile
+++ b/docker/amd64/postgresql/Dockerfile
@@ -69,7 +69,7 @@ RUN cargo build --features ${DB} --release
 FROM debian:buster-slim
 ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
+ENV ROCKET_PORT=8080
 ENV ROCKET_WORKERS=10
 # Install needed libraries
@@ -83,8 +83,9 @@ RUN apt-get update && apt-get install -y \
 RUN mkdir /data
 VOLUME /data
-EXPOSE 80
+EXPOSE 8080
 EXPOSE 3012
+USER 999
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage
diff --git a/docker/amd64/postgresql/Dockerfile.alpine b/docker/amd64/postgresql/Dockerfile.alpine
index 81b62557..f12ac1c3 100644
--- a/docker/amd64/postgresql/Dockerfile.alpine
+++ b/docker/amd64/postgresql/Dockerfile.alpine
@@ -73,7 +73,7 @@ RUN cargo build --features ${DB} --release
 FROM alpine:3.11
 ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
+ENV ROCKET_PORT=8080
 ENV ROCKET_WORKERS=10
 ENV SSL_CERT_DIR=/etc/ssl/certs
@@ -86,8 +86,9 @@ RUN apk add --no-cache \
 RUN mkdir /data
 VOLUME /data
-EXPOSE 80
+EXPOSE 8080
 EXPOSE 3012
+USER 999
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage
diff --git a/docker/amd64/sqlite/Dockerfile b/docker/amd64/sqlite/Dockerfile
index a2b5a053..77fb42c0 100644
--- a/docker/amd64/sqlite/Dockerfile
+++ b/docker/amd64/sqlite/Dockerfile
@@ -63,7 +63,7 @@ RUN cargo build --features ${DB} --release
 FROM debian:buster-slim
 ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
+ENV ROCKET_PORT=8080
 ENV ROCKET_WORKERS=10
 # Install needed libraries
@@ -77,8 +77,9 @@ RUN apt-get update && apt-get install -y \
 RUN mkdir /data
 VOLUME /data
-EXPOSE 80
+EXPOSE 8080
 EXPOSE 3012
+USER 999
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage
diff --git a/docker/amd64/sqlite/Dockerfile.alpine b/docker/amd64/sqlite/Dockerfile.alpine
index 86015950..3c8a57d3 100644
--- a/docker/amd64/sqlite/Dockerfile.alpine
+++ b/docker/amd64/sqlite/Dockerfile.alpine
@@ -67,7 +67,7 @@ RUN cargo build --features ${DB} --release
 FROM alpine:3.11
 ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
+ENV ROCKET_PORT=8080
 ENV ROCKET_WORKERS=10
 ENV SSL_CERT_DIR=/etc/ssl/certs
@@ -80,8 +80,9 @@ RUN apk add --no-cache \
 RUN mkdir /data
 VOLUME /data
-EXPOSE 80
+EXPOSE 8080
 EXPOSE 3012
+USER 999
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage
diff --git a/docker/armv6/mysql/Dockerfile b/docker/armv6/mysql/Dockerfile
index c6503e22..6c5304b9 100644
--- a/docker/armv6/mysql/Dockerfile
+++ b/docker/armv6/mysql/Dockerfile
@@ -96,7 +96,7 @@ RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
 FROM balenalib/rpi-debian:buster
 ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
+ENV ROCKET_PORT=8080
 ENV ROCKET_WORKERS=10
 RUN [ "cross-build-start" ]
@@ -115,8 +115,9 @@ RUN mkdir /data
 RUN [ "cross-build-end" ]
 VOLUME /data
-EXPOSE 80
+EXPOSE 8080
 EXPOSE 3012
+USER 999
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage
diff --git a/docker/armv6/sqlite/Dockerfile b/docker/armv6/sqlite/Dockerfile
index ee4384d2..e4f303d7 100644
--- a/docker/armv6/sqlite/Dockerfile
+++ b/docker/armv6/sqlite/Dockerfile
@@ -90,7 +90,7 @@ RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
 FROM balenalib/rpi-debian:buster
 ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
+ENV ROCKET_PORT=8080
 ENV ROCKET_WORKERS=10
 RUN [ "cross-build-start" ]
@@ -109,8 +109,9 @@ RUN mkdir /data
 RUN [ "cross-build-end" ]
 VOLUME /data
-EXPOSE 80
+EXPOSE 8080
 EXPOSE 3012
+USER 999
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage
diff --git a/docker/armv7/mysql/Dockerfile b/docker/armv7/mysql/Dockerfile
index 3004f4fb..1219050d 100644
--- a/docker/armv7/mysql/Dockerfile
+++ b/docker/armv7/mysql/Dockerfile
@@ -95,7 +95,7 @@ RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabih
 FROM balenalib/armv7hf-debian:buster
 ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
+ENV ROCKET_PORT=8080
 ENV ROCKET_WORKERS=10
 RUN [ "cross-build-start" ]
@@ -114,8 +114,9 @@ RUN mkdir /data
 RUN [ "cross-build-end" ]
 VOLUME /data
-EXPOSE 80
+EXPOSE 8080
 EXPOSE 3012
+USER 999
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage
diff --git a/docker/armv7/sqlite/Dockerfile b/docker/armv7/sqlite/Dockerfile
index 981eac47..17e38ab1 100644
--- a/docker/armv7/sqlite/Dockerfile
+++ b/docker/armv7/sqlite/Dockerfile
@@ -89,7 +89,7 @@ RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabih
 FROM balenalib/armv7hf-debian:buster
 ENV ROCKET_ENV "staging"
-ENV ROCKET_PORT=80
+ENV ROCKET_PORT=8080
 ENV ROCKET_WORKERS=10
 RUN [ "cross-build-start" ]
@@ -108,8 +108,9 @@ RUN mkdir /data
 RUN [ "cross-build-end" ]
 VOLUME /data
-EXPOSE 80
+EXPOSE 8080
 EXPOSE 3012
+USER 999
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage
diff --git a/docker/healthcheck.sh b/docker/healthcheck.sh
index 8f9fe982..dd120640 100755
--- a/docker/healthcheck.sh
+++ b/docker/healthcheck.sh
@@ -3,7 +3,7 @@
 # Use the value of the corresponding env var (if present),
 # or a default value otherwise.
 : ${DATA_FOLDER:="data"}
-: ${ROCKET_PORT:="80"}
+: ${ROCKET_PORT:="8080"}
 CONFIG_FILE="${DATA_FOLDER}"/config.json