feat: enable running as non-root user (#13887)

2025-12-10 21:33:27 +00:00 · 2025-05-30 10:30:08 -07:00
parent 874fe0fd1e
commit 4e112e2daa
1 changed files with 22 additions and 13 deletions
--- a/apps/web/entrypoint.sh
+++ b/apps/web/entrypoint.sh
@@ -19,20 +19,29 @@ then
    LGID=65534
 fi
-# Create user and group
+if [ "$(id -u)" = "0" ]; then
    # Create user and group
-groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 ||
+    groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 ||
-groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1
+    groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1
-useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 ||
+    useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 ||
-usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1
+    usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1
-mkhomedir_helper $USERNAME
+    mkhomedir_helper $USERNAME
-# The rest...
+    # The rest...
-chown -R $USERNAME:$GROUPNAME /etc/bitwarden
+    chown -R $USERNAME:$GROUPNAME /etc/bitwarden
-cp /etc/bitwarden/web/app-id.json /app/app-id.json
+    chown -R $USERNAME:$GROUPNAME /app
-chown -R $USERNAME:$GROUPNAME /app
+    chown -R $USERNAME:$GROUPNAME /bitwarden_server
 chown -R $USERNAME:$GROUPNAME /bitwarden_server
-exec gosu $USERNAME:$GROUPNAME dotnet /bitwarden_server/Server.dll \
+    gosu_cmd="gosu $USERNAME:$GROUPNAME"
-    /contentRoot=/app /webRoot=. /serveUnknown=false /webVault=true
+else
    gosu_cmd=""
 fi
 exec $gosu_cmd /bitwarden_server/Server \
    /contentRoot=/app \
    /webRoot=. \
    /serveUnknown=false \
    /webVault=true \
    /appIdLocation=/etc/bitwarden/web/app-id.json