security: minimize permission of sandbox user

2025-12-26 01:33:05 +00:00 · 2024-12-17 11:53:52 +08:00 · 2024-12-17 11:53:52 +08:00 · b7cac7defc
parent a42848d183
commit b7cac7defc
2 changed files with 7 additions and 6 deletions
--- a/.github/workflows/build-and-push.yml
+++ b/.github/workflows/build-and-push.yml
@ -7,7 +7,7 @@ on:
    inputs:
      dockerImageTag:
        description: 'Docker Image Tag'
-        default: 'v1.6.0-dev'
+        default: 'v1.9.0-dev'
        required: true
      architecture:
        description: 'Architecture'
--- a/installer/Dockerfile
+++ b/installer/Dockerfile
@ -60,13 +60,14 @@ RUN chmod 755 /opt/maxkb/app/installer/run-maxkb.sh && \
    cp -r /opt/maxkb/model/base/hub /opt/maxkb/model/tokenizer && \
    cp -f /opt/maxkb/app/installer/run-maxkb.sh /usr/bin/run-maxkb.sh && \
    cp -f /opt/maxkb/app/installer/init.sql /docker-entrypoint-initdb.d && \
    curl -L --connect-timeout 120 -m 1800 https://resource.fit2cloud.com/maxkb/ffmpeg/get-ffmpeg-linux | sh && \
    mkdir -p /opt/maxkb/app/sandbox/python-packages &&  \
    find /opt/maxkb/app -mindepth 1 -not -name 'sandbox' -exec chmod 700 {} + && \
-    chmod 755 /tmp  && \
+    chmod 755 /tmp && \
-    useradd --no-create-home --home /opt/maxkb/app/sandbox --shell /bin/bash sandbox &&  \
+    useradd --no-create-home --home /opt/maxkb/app/sandbox sandbox -g root && \
-    chown sandbox:sandbox /opt/maxkb/app/sandbox && \
+    chown -R sandbox:root /opt/maxkb/app/sandbox && \
-    curl -L --connect-timeout 120 -m 1800 https://resource.fit2cloud.com/maxkb/ffmpeg/get-ffmpeg-linux | sh
+    chmod g-x /usr/local/bin/* /usr/bin/* /bin/* /usr/sbin/* /sbin/* /usr/lib/postgresql/15/bin/* && \
-
+    chmod g+x /usr/local/bin/python* /bin/sh
 EXPOSE 8080