From 66d7d19af8b370ec6f081635ca5cb28b42ddf438 Mon Sep 17 00:00:00 2001
From: Jacek Kowalski <Jacek@jacekk.info>
Date: Mon, 08 May 2017 20:10:30 +0000
Subject: [PATCH] Run UniFi as a separate non-root user

---
 Dockerfile |    9 +++++++--
 run.sh     |    9 +++++++++
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index c28f7a3..65e6444 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,7 +8,7 @@
 	&& apt-get update \
 	&& apt-get -y dist-upgrade \
 	&& apt-get -y -t jessie-backports install \
-		wget jsvc openjdk-8-jre-headless mongodb-server binutils \
+		wget jsvc openjdk-8-jre-headless mongodb-server binutils sudo \
 	&& apt-get -y clean
 
 RUN cd /tmp \
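Review bot: Adding `sudo` to the install list leaves a setuid-root binary, with its sudoers and PAM configuration, in the runtime image for the sake of a single root-to-unifi drop at startup in run.sh. A helper that switches uid and then execs the command covers the same need without that surface; coreutils `chroot --userspec=unifi:unifi / java ...` is one candidate that should already be in the base image, though that is an assumption to confirm because the FROM line is not visible here. If sudo stays, a comment above the package list such as `# sudo: used only by /run.sh to start java as the unifi user` would tell the next maintainer why it is installed. Both RUN instructions touched by this hunk start or continue outside it.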
@@ -16,9 +16,14 @@
 	&& dpkg -i unifi_sysvinit_all.deb \
 	&& rm -rf unifi_sysvinit_all.deb /var/lib/unifi/*
 
+RUN groupadd -r -g 500 unifi \
+	&& useradd -r -d /usr/lib/unifi -u 500 -g 500 unifi \
+	&& chown -Rf unifi:unifi /usr/lib/unifi
+
 EXPOSE 8080 8081 8443 8843 8880
 
 VOLUME /usr/lib/unifi/data
 
 WORKDIR /var/lib/unifi
-CMD ["/usr/bin/java", "-Xmx1024M", "-jar", "/usr/lib/unifi/lib/ace.jar", "start"]
+COPY run.sh /run.sh
+CMD /run.sh
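Review bot: `CMD /run.sh` is shell form, so PID 1 becomes `/bin/sh -c /run.sh`, and whether the SIGTERM from `docker stop` reaches java depends on how that shell handles a single command; the removed CMD was exec form. `CMD ["/run.sh"]` keeps the `exec` chain in run.sh intact. The image also still has no `USER`, so the container starts as root and the privilege drop exists only on the run.sh path; a command override at `docker run` runs as root. That is worth stating in a comment above CMD, e.g. `# starts as root so run.sh can chown the data volume, then drops to unifi`.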
diff --git a/run.sh b/run.sh
new file mode 100755
index 0000000..a04e068
--- /dev/null
+++ b/run.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+if [ -z "$JAVA_OPTS" ]; then
+	JAVA_OPTS="-Xmx1024m"
+fi
+
+chown -Rf unifi:unifi /usr/lib/unifi/data
+
+exec sudo -u unifi java $JAVA_OPTS -jar /usr/lib/unifi/lib/ace.jar start
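Review bot: The `chown -Rf` on the data volume hides every failure behind `-f` and the script has no `set -e`, so on a volume where ownership cannot be changed (read-only or root-squashed mounts, for instance) startup carries on and the problem only appears later as a write error from java running as unifi. Dropping `-f` and reporting the failure, e.g. `chown -R unifi:unifi /usr/lib/unifi/data || echo "warning: could not chown data volume" >&2`, makes that visible. `$JAVA_OPTS` on the last line is unquoted, presumably on purpose so that several options split into separate arguments; a comment such as `# intentionally unquoted: JAVA_OPTS may hold several options` would keep a later lint-driven cleanup from quoting it.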

--
Gitblit v1.9.1