From ddaad470c5da4ea85789dc53a27af58832ae0e1c Mon Sep 17 00:00:00 2001
From: GZ
Date: Thu, 16 Jan 2025 17:17:23 -0800
Subject: [PATCH] chore: ensure docker file runs as non root user (#32976)

### Reason for this change
Fix Code Scanner issue
```
By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.
```
### Description of changes
Create a new group and attach the user to the group. The dockerfile already gives necessary permissions with statements like `chmod 777`
### Description of how you validated changes
N/A
### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 packages/@aws-cdk/aws-lambda-go-alpha/lib/Dockerfile | 3 +++
 packages/@aws-cdk/aws-lambda-python-alpha/lib/Dockerfile | 3 +++
 packages/aws-cdk-lib/aws-lambda-nodejs/lib/Dockerfile | 2 ++
 3 files changed, 8 insertions(+)

diff --git a/packages/@aws-cdk/aws-lambda-go-alpha/lib/Dockerfile b/packages/@aws-cdk/aws-lambda-go-alpha/lib/Dockerfile
index e61969d408468..8f0e2246c9164 100644
--- a/packages/@aws-cdk/aws-lambda-go-alpha/lib/Dockerfile
+++ b/packages/@aws-cdk/aws-lambda-go-alpha/lib/Dockerfile
@@ -12,4 +12,7 @@ ENV GOPROXY=direct
 RUN mkdir $GOPATH && \
 chmod -R 777 $GOPATH
 
+# Switch to a non-root user
+USER nobody
+
 CMD [ "go" ]
diff --git a/packages/@aws-cdk/aws-lambda-python-alpha/lib/Dockerfile b/packages/@aws-cdk/aws-lambda-python-alpha/lib/Dockerfile
index 334b2a80ac4d9..3f9c63aeeced3 100644
--- a/packages/@aws-cdk/aws-lambda-python-alpha/lib/Dockerfile
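Review bot: The PR description says a new group and user are created, but this hunk (and the python and nodejs hunks) switches to the pre-existing `nobody` account, a shared system uid that other processes may also run under; a dedicated build user created with `addgroup`/`adduser` before the `USER` line would match the description and give the scanner finding a cleaner fix. The `chmod -R 777 $GOPATH` two lines above covers `$GOPATH` only, while `go build` also writes its build cache to `$GOCACHE`, which defaults to `$HOME/.cache/go-build`, and `nobody` normally has no writable home directory, so unless `GOCACHE` or `HOME` is set by an ENV line outside this hunk, bundling as `nobody` may fail at first use rather than at image build. Adding `ENV GOCACHE=/tmp/go-build-cache` (sample path) together with a `RUN mkdir ... && chmod -R 777 ...` like the GOPATH one, or confirming the existing ENV lines already cover it, closes that gap. The world-writable directories the description relies on are an accepted trade-off for a throwaway bundling container, and the added comment should say so, e.g. `# Switch to a non-root user; $GOPATH was made world-writable above so builds still work`.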
+++ b/packages/@aws-cdk/aws-lambda-python-alpha/lib/Dockerfile
@@ -36,4 +36,7 @@ RUN \
 # Ensure no temporary files remain in the caches
 rm -rf /tmp/pip-cache/* /tmp/poetry-cache/*
 
+# Switch to a non-root user
+USER nobody
+
 CMD [ "python" ]
diff --git a/packages/aws-cdk-lib/aws-lambda-nodejs/lib/Dockerfile b/packages/aws-cdk-lib/aws-lambda-nodejs/lib/Dockerfile
index 005809616af08..df00297843e25 100644
--- a/packages/aws-cdk-lib/aws-lambda-nodejs/lib/Dockerfile
+++ b/packages/aws-cdk-lib/aws-lambda-nodejs/lib/Dockerfile
@@ -47,4 +47,6 @@ RUN mkdir /tmp/bun-cache && \
 chmod -R 777 /tmp/bun-cache && \
 echo -e "[install.cache]\ndir = \"/tmp/bun-cache\"\ndisable = true" >> /home/user/.bunfig.toml
 
+USER nobody
+
 CMD [ "esbuild" ]
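Review bot: `USER nobody` is added right after `/tmp/pip-cache` and `/tmp/poetry-cache` are emptied, but nothing in this hunk shows those directories, or whatever `$HOME` resolves to for `nobody`, being writable by a non-root user; if they are root-owned and only made writable outside this hunk, the first `pip install` or `poetry` run at bundling time fails with a permission error instead of at image build. A `RUN chmod -R 777 /tmp/pip-cache /tmp/poetry-cache` placed before the `USER` line, mirroring what the go and nodejs Dockerfiles do for their caches, would make the intent explicit. The switch also means files written into the mounted output directory are owned by nobody's uid unless the bundling wrapper overrides the container user; that is a visible change for consumers and deserves a sentence in the PR description.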
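Review bot: The context line above writes bun's config to `/home/user/.bunfig.toml`, but bun looks for its global config under `$HOME/.bunfig.toml`, and `nobody`'s home is normally not `/home/user`; unless `ENV HOME=/home/user` (or equivalent) is set earlier in the Dockerfile, outside this hunk, the `disable = true` cache setting is silently ignored once the container runs as `nobody`. Either set `HOME` explicitly before the `USER` line or write the config to the home directory the new user will actually use. This hunk also lacks the `# Switch to a non-root user` comment the go and python hunks carry; adding it keeps the three Dockerfiles consistent.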