From 93e9fa0e0f6d9c311ab11d773c4440b07efbb624 Mon Sep 17 00:00:00 2001
From: yuanhaoz
Date: Thu, 16 Jan 2025 15:15:20 -0800
Subject: [PATCH 1/3] chore: ensure docker file runs as non root user
---
packages/@aws-cdk/aws-lambda-go-alpha/lib/Dockerfile | 6 ++++++
packages/@aws-cdk/aws-lambda-python-alpha/lib/Dockerfile | 5 +++++
packages/aws-cdk-lib/aws-lambda-nodejs/lib/Dockerfile | 5 +++++
3 files changed, 16 insertions(+)
diff --git a/packages/@aws-cdk/aws-lambda-go-alpha/lib/Dockerfile b/packages/@aws-cdk/aws-lambda-go-alpha/lib/Dockerfile
index e61969d408468..02566219ce75d 100644
--- a/packages/@aws-cdk/aws-lambda-go-alpha/lib/Dockerfile
+++ b/packages/@aws-cdk/aws-lambda-go-alpha/lib/Dockerfile
@@ -8,8 +8,14 @@ ENV GOPATH=/go
 ENV GOCACHE=$GOPATH/.cache/go-build
 ENV GOPROXY=direct
 
+# Create a non-root user and switch to it
+RUN addgroup --system appgroup && adduser --system --ingroup appgroup appuser
+
 # Ensure all users can write to GOPATH
 RUN mkdir $GOPATH && \
 chmod -R 777 $GOPATH
 
+# Switch to non-root user
+USER appuser
+
 CMD [ "go" ]
diff --git a/packages/@aws-cdk/aws-lambda-python-alpha/lib/Dockerfile b/packages/@aws-cdk/aws-lambda-python-alpha/lib/Dockerfile
index 334b2a80ac4d9..2a0eedd361ea3 100644
--- a/packages/@aws-cdk/aws-lambda-python-alpha/lib/Dockerfile
+++ b/packages/@aws-cdk/aws-lambda-python-alpha/lib/Dockerfile
@@ -17,6 +17,9 @@ ENV PIP_CACHE_DIR=/tmp/pip-cache
 # set the poetry cache
 ENV POETRY_CACHE_DIR=/tmp/poetry-cache
 
+# Create a non-root user and switch to it
+RUN addgroup --system appgroup && adduser --system --ingroup appgroup appuser
+
 RUN \
 # create a new virtualenv for python to use
 # so that it isn't using root
@@ -36,4 +39,6 @@ RUN \
 # Ensure no temporary files remain in the caches
 rm -rf /tmp/pip-cache/* /tmp/poetry-cache/*
 
+USER appuser
+
 CMD [ "python" ]
diff --git a/packages/aws-cdk-lib/aws-lambda-nodejs/lib/Dockerfile b/packages/aws-cdk-lib/aws-lambda-nodejs/lib/Dockerfile
index 005809616af08..8b83302bf1bbf 100644
--- a/packages/aws-cdk-lib/aws-lambda-nodejs/lib/Dockerfile
+++ b/packages/aws-cdk-lib/aws-lambda-nodejs/lib/Dockerfile
@@ -21,6 +21,9 @@ RUN npm install --global typescript
 ARG ESBUILD_VERSION=0.21
 RUN npm install --global --unsafe-perm=true esbuild@$ESBUILD_VERSION
 
+# Create a non-root user and switch to it
+RUN addgroup --system appgroup && adduser --system --ingroup appgroup appuser
+
 # Ensure all users can write to npm cache
 RUN mkdir /tmp/npm-cache && \
 chmod -R 777 /tmp/npm-cache && \
@@ -47,4 +50,6 @@ RUN mkdir /tmp/bun-cache && \
 chmod -R 777 /tmp/bun-cache && \
 echo -e "[install.cache]\ndir = \"/tmp/bun-cache\"\ndisable = true" >> /home/user/.bunfig.toml
 
+USER appuser
+
 CMD [ "esbuild" ]
From f87f348f3fedf8b4c1f549903c62674cd5db2258 Mon Sep 17 00:00:00 2001
From: yuanhaoz
Date: Thu, 16 Jan 2025 16:13:39 -0800
Subject: [PATCH 2/3] chore update user
---
packages/@aws-cdk/aws-lambda-go-alpha/lib/Dockerfile | 7 ++-----
packages/@aws-cdk/aws-lambda-python-alpha/lib/Dockerfile | 6 ++----
packages/aws-cdk-lib/aws-lambda-nodejs/lib/Dockerfile | 7 ++-----
3 files changed, 6 insertions(+), 14 deletions(-)
diff --git a/packages/@aws-cdk/aws-lambda-go-alpha/lib/Dockerfile b/packages/@aws-cdk/aws-lambda-go-alpha/lib/Dockerfile
index 02566219ce75d..8f0e2246c9164 100644
--- a/packages/@aws-cdk/aws-lambda-go-alpha/lib/Dockerfile
+++ b/packages/@aws-cdk/aws-lambda-go-alpha/lib/Dockerfile
@@ -8,14 +8,11 @@ ENV GOPATH=/go
 ENV GOCACHE=$GOPATH/.cache/go-build
 ENV GOPROXY=direct
 
-# Create a non-root user and switch to it
-RUN addgroup --system appgroup && adduser --system --ingroup appgroup appuser
-
 # Ensure all users can write to GOPATH
 RUN mkdir $GOPATH && \
 chmod -R 777 $GOPATH
 
-# Switch to non-root user
-USER appuser
+# Switch to a non-root user
+USER nobody
 
 CMD [ "go" ]
diff --git a/packages/@aws-cdk/aws-lambda-python-alpha/lib/Dockerfile b/packages/@aws-cdk/aws-lambda-python-alpha/lib/Dockerfile
index 2a0eedd361ea3..3f9c63aeeced3 100644
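Review bot: `USER nobody` on the new side of the go-alpha hunk trades the dedicated account from patch 1 for a shared catch-all UID: `nobody` is conventionally where unmapped or unprivileged work lands (NFS root-squash, user-namespace leftovers, assorted daemons), so anything else that ends up under that UID in the same container can signal or ptrace the build process, and most hardening guidance asks for a purpose-created user rather than `nobody`. If the Debian-style `adduser --system --ingroup` was dropped because the base image (its `FROM` line is outside the hunk) rejects it, the shadow-utils form works on both families: `RUN groupadd -r app && useradd -r -g app -d /nonexistent -s /sbin/nologin app` followed by `USER app`. Note also that `USER` only sets the image default; if the CDK bundling harness passes `--user` at `docker run` time (which would explain the existing `chmod -R 777 $GOPATH`), that override still wins, so this instruction protects direct uses of the image rather than the bundling path itself.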
--- a/packages/@aws-cdk/aws-lambda-python-alpha/lib/Dockerfile
+++ b/packages/@aws-cdk/aws-lambda-python-alpha/lib/Dockerfile
@@ -17,9 +17,6 @@ ENV PIP_CACHE_DIR=/tmp/pip-cache
 # set the poetry cache
 ENV POETRY_CACHE_DIR=/tmp/poetry-cache
 
-# Create a non-root user and switch to it
-RUN addgroup --system appgroup && adduser --system --ingroup appgroup appuser
-
 RUN \
 # create a new virtualenv for python to use
 # so that it isn't using root
@@ -39,6 +36,7 @@ RUN \
 # Ensure no temporary files remain in the caches
 rm -rf /tmp/pip-cache/* /tmp/poetry-cache/*
 
-USER appuser
+# Switch to a non-root user
+USER nobody
 
 CMD [ "python" ]
diff --git a/packages/aws-cdk-lib/aws-lambda-nodejs/lib/Dockerfile b/packages/aws-cdk-lib/aws-lambda-nodejs/lib/Dockerfile
index 8b83302bf1bbf..8787089352103 100644
--- a/packages/aws-cdk-lib/aws-lambda-nodejs/lib/Dockerfile
+++ b/packages/aws-cdk-lib/aws-lambda-nodejs/lib/Dockerfile
@@ -21,9 +21,6 @@ RUN npm install --global typescript
 ARG ESBUILD_VERSION=0.21
 RUN npm install --global --unsafe-perm=true esbuild@$ESBUILD_VERSION
 
-# Create a non-root user and switch to it
-RUN addgroup --system appgroup && adduser --system --ingroup appgroup appuser
-
 # Ensure all users can write to npm cache
 RUN mkdir /tmp/npm-cache && \
 chmod -R 777 /tmp/npm-cache && \
@@ -50,6 +47,6 @@ RUN mkdir /tmp/bun-cache && \
 chmod -R 777 /tmp/bun-cache && \
 echo -e "[install.cache]\ndir = \"/tmp/bun-cache\"\ndisable = true" >> /home/user/.bunfig.toml
 
-USER appuser
+USER nobody
 
-CMD [ "esbuild" ]
+# CMD [ "esbuild" ]
From 288667c61a725c7319922bea0e2a6e7a1b0076d7 Mon Sep 17 00:00:00 2001
From: yuanhaoz
Date: Thu, 16 Jan 2025 16:14:16 -0800
Subject: [PATCH 3/3] chore update user
---
packages/aws-cdk-lib/aws-lambda-nodejs/lib/Dockerfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/aws-cdk-lib/aws-lambda-nodejs/lib/Dockerfile b/packages/aws-cdk-lib/aws-lambda-nodejs/lib/Dockerfile
index 8787089352103..df00297843e25 100644
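Review bot: With `USER nobody` now in effect before `CMD [ "python" ]`, the caches named by `PIP_CACHE_DIR=/tmp/pip-cache` and `POETRY_CACHE_DIR=/tmp/poetry-cache` are created and emptied as root in the preceding `RUN` and stay root-owned unless a `chmod`/`chown` I cannot see between the two hunks opens them; the Go and Node images do an explicit `chmod -R 777` on their caches and this file shows none. pip reacts by warning and disabling its cache, but poetry may fail outright when it cannot write its cache dir, and the same question applies to the virtualenv that the first `RUN` creates (its path is outside the hunk), so a bundling run as `nobody` deserves a smoke test. If the caches are meant to be writable, `chown -R nobody /tmp/pip-cache /tmp/poetry-cache` is preferable to a 777 mode so other UIDs in the container cannot seed cached wheels — and better still, chown them to a purpose-created user rather than `nobody`.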
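Review bot: The bun cache setting appended to `/home/user/.bunfig.toml` on the line above `USER nobody` is only consulted if the process's `$HOME` resolves to `/home/user`, and `nobody`'s passwd home is normally `/` or `/nonexistent`; unless an `ENV HOME=/home/user` exists earlier in the file (outside the hunk), the new default user will not read that file and bun would presumably fall back to a cache under its own, non-writable home. Either set `ENV HOME=/home/user` explicitly alongside `USER nobody`, or write the config somewhere the new user is guaranteed to read. The `+# CMD [ "esbuild" ]` line leaves this image without a default command; patch 3 in the series restores it, so the two patches should be squashed before merge.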
--- a/packages/aws-cdk-lib/aws-lambda-nodejs/lib/Dockerfile
+++ b/packages/aws-cdk-lib/aws-lambda-nodejs/lib/Dockerfile
@@ -49,4 +49,4 @@ RUN mkdir /tmp/bun-cache && \
 
 USER nobody
 
-# CMD [ "esbuild" ]
+CMD [ "esbuild" ]