-rw-r--r--packaging/docker/Dockerfile22
-rwxr-xr-xpackaging/docker/run.sh2
2 files changed, 16 insertions, 8 deletions
diff --git a/packaging/docker/Dockerfile b/packaging/docker/Dockerfile
index 4be2d93b20..f9f3e73095 100644
--- a/packaging/docker/Dockerfile
+++ b/packaging/docker/Dockerfile
@@ -74,13 +74,21 @@ RUN \
addgroup -g ${NETDATA_GID} -S "${DOCKER_GRP}" && \
adduser -S -H -s /usr/sbin/nologin -u ${NETDATA_GID} -h /etc/netdata -G "${DOCKER_GRP}" "${DOCKER_USR}" && \
# Apply the permissions as described in
- # https://github.com/netdata/netdata/wiki/netdata-security#netdata-directories
- chown -R root:netdata /etc/netdata && \
- chown -R netdata:netdata /var/cache/netdata /var/lib/netdata /usr/share/netdata && \
- chown -R root:netdata /usr/lib/netdata && \
- chown -R root:netdata /usr/libexec/netdata/ && \
- chmod 4750 /usr/libexec/netdata/plugins.d/cgroup-network /usr/libexec/netdata/plugins.d/apps.plugin && \
- chmod 0750 /var/lib/netdata /var/cache/netdata && \
+ # https://docs.netdata.cloud/docs/netdata-security/#netdata-directories, but own everything by root group due to https://github.com/netdata/netdata/pull/6543
+ chown -R root:root \
+ /etc/netdata \
+ /usr/share/netdata \
+ /usr/libexec/netdata && \
+ chown -R netdata:root \
+ /usr/lib/netdata \
+ /var/cache/netdata \
+ /var/lib/netdata \
+ /var/log/netdata && \
+ chmod 0755 /usr/libexec/netdata/plugins.d/*.plugin && \
+ chmod 4755 /usr/libexec/netdata/plugins.d/cgroup-network /usr/libexec/netdata/plugins.d/apps.plugin && \
+ # Group write permissions due to: https://github.com/netdata/netdata/pull/6543chmod 0770 -R /var/lib/netdata /var/cache/netdata && \
+ find /var/lib/netdata /var/cache/netdata -type d -exec chmod 0770 {} \; && \
+ find /var/lib/netdata /var/cache/netdata -type f -exec chmod 0660 {} \; && \
# Link log files to stdout
ln -sf /dev/stdout /var/log/netdata/access.log && \
ln -sf /dev/stdout /var/log/netdata/debug.log && \
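Review bot: Widening the two setuid-root helpers from `4750` to `4755` (the `chmod 4755` line) lets every uid in the container execute cgroup-network and apps.plugin with root privileges, whereas the removed `chown -R root:netdata` plus `chmod 4750` limited that to the netdata group; since the commit moves group ownership to root and the netdata user is only added to `${DOCKER_GRP}`, that appears to be why the old mode no longer worked. Keeping the restriction only needs these two files to stay group-owned by the netdata group: `chown root:"${DOCKER_GRP}" /usr/libexec/netdata/plugins.d/cgroup-network /usr/libexec/netdata/plugins.d/apps.plugin && \` followed by `chmod 4750` on the same two paths. Separately, the `# Group write permissions due to:` comment line has `chmod 0770 -R /var/lib/netdata /var/cache/netdata && \` fused onto its end; Docker strips comment lines before joining `\` continuations, so that chmod never runs and the two `find` lines below are what actually set the modes — end the comment after the URL so the intent is clear. The RUN instruction this hunk belongs to starts and ends outside the hunk.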
diff --git a/packaging/docker/run.sh b/packaging/docker/run.sh
index f4377d4583..e2fedd0eac 100755
--- a/packaging/docker/run.sh
+++ b/packaging/docker/run.sh
@@ -20,6 +20,6 @@ if [ -n "${PGID}" ]; then
usermod -a -G ${PGID} ${DOCKER_USR} || echo >&2 "Could not add netdata user to group docker with ID ${PGID}"
fi
-exec /usr/sbin/netdata -u "${DOCKER_USR}" -D -s /host -p "${NETDATA_PORT}" "$@"
+exec /usr/sbin/netdata -u "${DOCKER_USR}" -D -s /host -p "${NETDATA_PORT}" -W set web "web files group" root -W set web "web files owner" root "$@"
echo "Netdata entrypoint script, completed!"
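Review bot: The two `-W set web ...` options added to the exec line pin the web-files owner and group to `root` on the command line, which presumably takes precedence over whatever a user supplies in a mounted netdata.conf, so the reason belongs in a comment above the line, e.g. `# Web files are owned by root:root in the image (see Dockerfile); tell netdata so it will serve them.` The line is also long enough that collecting the fixed flags in an array before the exec would keep it readable. Nothing else in the hunk changes.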