From e9021e16c49c4224782040449b43fb0015c9f05c Mon Sep 17 00:00:00 2001
From: kaiyou <pierre@jaury.eu>
Date: Sun, 4 Feb 2018 23:19:08 +0100
Subject: [PATCH] Run the server as an unprivileged user

---
 Dockerfile              |  2 +-
 contrib/docker/start.py | 11 +++++++----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 25f3746303..f687a4f2bb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 FROM python:2-alpine
 
-RUN apk add --no-cache --virtual .nacl_deps build-base libffi-dev zlib-dev openssl-dev libjpeg-turbo-dev linux-headers postgresql-dev
+RUN apk add --no-cache --virtual .nacl_deps su-exec build-base libffi-dev zlib-dev openssl-dev libjpeg-turbo-dev linux-headers postgresql-dev
 
 COPY . /synapse
 
diff --git a/contrib/docker/start.py b/contrib/docker/start.py
index 7057f85f61..8bc72bf428 100755
--- a/contrib/docker/start.py
+++ b/contrib/docker/start.py
@@ -9,14 +9,16 @@ convert = lambda src, dst, environ: open(dst, "w").write(jinja2.Template(open(sr
 mode = sys.argv[1] if len(sys.argv) > 1 else None
 environ = os.environ.copy()
 
+# Check mandatory parameters and build the base start arguments
 if "SYNAPSE_SERVER_NAME" not in environ:
     print("Environment variable SYNAPSE_SERVER_NAME is mandatory, exiting.")
     sys.exit(2)
 
+permissions = "{}:{}".format(environ.get("UID", 991), environ.get("GID", 991))
 args = ["python", "-m", "synapse.app.homeserver",
-        "--server-name", os.environ.get("SYNAPSE_SERVER_NAME"),
-        "--report-stats", os.environ.get("SYNAPSE_REPORT_STATS", "no"),
-        "--config-path", os.environ.get("SYNAPSE_CONFIG_PATH", "/compiled/homeserver.yaml")]
+        "--server-name", environ.get("SYNAPSE_SERVER_NAME"),
+        "--report-stats", environ.get("SYNAPSE_REPORT_STATS", "no"),
+        "--config-path", environ.get("SYNAPSE_CONFIG_PATH", "/compiled/homeserver.yaml")]
 
 # Generate any missing shared secret
 for secret in ("SYNAPSE_REGISTRATION_SHARED_SECRET", "SYNAPSE_MACAROON_SECRET_KEY"):
@@ -35,4 +37,5 @@ if mode == "generate":
 # In normal mode, generate missing keys if any, then run synapse
 else:
     subprocess.check_output(args + ["--generate-keys"])
-    os.execv("/usr/local/bin/python", args)
+    subprocess.check_output(["chown", "-R", permissions, "/data"])
+    os.execv("/sbin/su-exec", ["su-exec", permissions] + args)