
Commit dc92ab5

committed
Run node.js in a more isolated process
1 parent 13afefa commit dc92ab5

2 files changed

Lines changed: 24 additions & 6 deletions


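--- a/Dockerfile
+++ b/Dockerfile
@@ -67,11 +67,19 @@ RUN apt-get update \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*
 
-# Copy published .NET app
+# Create unprivileged user for Node.js
+RUN groupadd -r nodeuser && useradd -r -g nodeuser -s /bin/bash nodeuser
+
+# Copy published .NET app (owned by root, no access for nodeuser)
 COPY --from=dotnet-build /src/MyApp/bin/Release/net10.0/publish ./api
+RUN chmod -R 700 ./api && chown -R root:root ./api
 
-# Copy built Next.js app (including dist, node_modules, public, etc.)
+# Copy built Next.js app (owned by nodeuser, read-only)
 COPY --from=dotnet-build /src/MyApp.Client ./client
+RUN chown -R nodeuser:nodeuser ./client && chmod -R 500 ./client
+
+# Create /tmp directory accessible to nodeuser
+RUN mkdir -p /tmp && chmod 1777 /tmp
 
 ENV ASPNETCORE_URLS=http://0.0.0.0:8080 \
 INTERNAL_API_URL=http://127.0.0.1:8080 \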
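Review bot: On the `RUN chown -R nodeuser:nodeuser ./client && chmod -R 500 ./client` line, mode 500 does not make the tree read-only for the Node.js process, because nodeuser owns the files and an owner can always chmod them back to writable. If the aim is that a compromised Node process cannot alter the application code or `node_modules`, keep root as the owner and grant the group read access: `RUN chown -R root:nodeuser ./client && chmod -R u=rwX,g=rX,o= ./client`. Should Next.js need a writable cache directory at runtime (not visible in this hunk), give nodeuser that single directory rather than the whole tree. The recursive `RUN chown`/`chmod` steps also copy both trees into a second layer; `COPY --chown=` sets ownership in the COPY layer itself.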

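--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -13,15 +13,25 @@ if [[ "$*" == *"--AppTasks"* ]]; then
 fi
 
 echo "Starting ASP.NET Core on ${ASPNETCORE_URLS}..."
-DOTNET_ENV_VARS=("ASPNETCORE_URLS=${ASPNETCORE_URLS}")
 
-# Start ASP.NET Core application with correct content root so appsettings.json is loaded
+# Start ASP.NET Core application as root with full environment
 ASPNETCORE_CONTENTROOT="/app/api" ASPNETCORE_URLS="${ASPNETCORE_URLS}" dotnet /app/api/MyApp.dll &
 DOTNET_PID=$!
 
-echo "Starting Next.js on port ${NEXT_PORT}..."
+echo "Starting Next.js on port ${NEXT_PORT} as isolated user..."
+
+# Start Node.js with minimal environment and as unprivileged user
+# Only pass through safe environment variables
+cd /app/client && su nodeuser -s /bin/bash -c "
+export HOME=/tmp
+export NODE_ENV=production
+export NEXT_PORT=${NEXT_PORT}
+export INTERNAL_API_URL=${INTERNAL_API_URL:-http://127.0.0.1:8080}
+export KAMAL_DEPLOY_HOST=${KAMAL_DEPLOY_HOST}
+export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 cd /app/client
-npm run start -- --port "${NEXT_PORT}" &
+npm run start -- --port ${NEXT_PORT}
+" &
 NEXT_PID=$!
 
 term_handler() {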
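Review bot: The `su nodeuser -s /bin/bash -c "…"` call does not give Node.js a minimal environment: without `-`/`-l`, su keeps the caller's environment, so every variable the container was started with (including any connection strings or secrets meant for the .NET process) is still inherited by npm, and the `export` lines only add to it. The values are also expanded by the root shell into the command text unquoted (`--port ${NEXT_PORT}` lost the quotes the old line had), so a value containing spaces or shell metacharacters is parsed as shell source. Running the command through `exec env -i` inside a single-quoted string addresses both, as sketched below. `NEXT_PID=$!` now refers to the backgrounded `cd … && su …` list rather than the node process; term_handler's body is outside the hunk, so confirm the signal still reaches Node.

```shell
# Start Node.js as nodeuser; env -i drops everything inherited from root,
# and the single quotes defer expansion to the inner shell so values stay quoted.
cd /app/client && su nodeuser -s /bin/bash -c '
  cd /app/client && exec env -i \
    HOME=/tmp \
    NODE_ENV=production \
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
    NEXT_PORT="${NEXT_PORT}" \
    INTERNAL_API_URL="${INTERNAL_API_URL:-http://127.0.0.1:8080}" \
    KAMAL_DEPLOY_HOST="${KAMAL_DEPLOY_HOST}" \
    npm run start -- --port "${NEXT_PORT}"
' &
NEXT_PID=$!
```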
