From 83557fd9970eb89129a5ee93e4ce36c9dff51bf6 Mon Sep 17 00:00:00 2001
From: Trevor Bramwell
Date: Wed, 21 Jun 2017 11:26:43 -0700
Subject: Run Anteater under Docker as Non-Root User

Instead of violating the priciple of least privilage, anteater should be ran by a non-root user. Anteater doesn't need access to anything owned by root to perform security scanning, and running as a non-root user should prevent it from creating file owned by root in the future.

JIRA: RELENG-238

Change-Id: I7b75255ff460444763acbcc5d7752e1223860a2b
Signed-off-by: Trevor Bramwell
---
 docker/Dockerfile | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index a625e42..7a82583 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -15,10 +15,13 @@ LABEL version="0.1" description="Anteater - OPNFV Gerrit Security Gate Checks"
 
 # environment variables
 ARG BRANCH=master
+ARG ANTEATER_USER=opnfv
 
-ENV HOME /home/opnfv
-ENV ANT_HOME ${HOME}/anteater
-RUN mkdir -p ${ANT_HOME}
+# Anteater is run as user 'opnfv'
+RUN useradd -U -m -s /bin/bash ${ANTEATER_USER}
+
+ENV HOME /home/${ANTEATER_USER}
+ENV ANTEATER_HOME ${HOME}/anteater
 
 # Packaged dependencies
 RUN yum -y install epel-release
@@ -26,8 +29,12 @@ RUN yum -y update
 RUN yum -y install git python-devel python-pip
 RUN yum clean all
 
+# Run all following commands and container as non-root user
+USER ${ANTEATER_USER}
+
 # Commands to clone and install
-RUN git clone https://gerrit.opnfv.org/gerrit/releng-anteater ${ANT_HOME}
-WORKDIR ${ANT_HOME}
-RUN /usr/bin/pip install -r ${ANT_HOME}/requirements.txt
-RUN python ${ANT_HOME}/setup.py install
+RUN mkdir -p ${ANTEATER_HOME}
+RUN git clone https://gerrit.opnfv.org/gerrit/releng-anteater ${ANTEATER_HOME}
+WORKDIR ${ANTEATER_HOME}
+RUN /usr/bin/pip install -r ${ANTEATER_HOME}/requirements.txt
+RUN python ${ANTEATER_HOME}/setup.py install
-- 
cgit 1.2.3-korg
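Review bot: The new comment `# Anteater is run as user 'opnfv'` hard-codes the name while the line below it uses the overridable `ARG ANTEATER_USER`, so the comment goes stale as soon as someone builds with `--build-arg ANTEATER_USER=...`; suggest `# Anteater is run as the non-root user ${ANTEATER_USER} (default: opnfv)`. The two new `ENV HOME /home/${ANTEATER_USER}` and `ENV ANTEATER_HOME ${HOME}/anteater` lines use the legacy space-separated form; the `ENV key=value` form is the one current tooling expects. Consider also giving `useradd` a fixed numeric UID/GID so runtimes that verify non-root execution by UID can do so; the default value assigned by useradd is not visible here.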
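Review bot: After `USER ${ANTEATER_USER}` the two install steps `RUN /usr/bin/pip install -r ${ANTEATER_HOME}/requirements.txt` and `RUN python ${ANTEATER_HOME}/setup.py install` still target the system site-packages, which the non-root user cannot write to, so the build is likely to fail with a permission error unless this pip version silently falls back to a user install. Either keep the dependency installs under root and move the `USER` instruction to just before the runtime entrypoint (which lies outside this hunk), or make the installs explicitly per-user: `RUN /usr/bin/pip install --user -r ${ANTEATER_HOME}/requirements.txt` and `RUN python ${ANTEATER_HOME}/setup.py install --user`. With the `--user` variant the console script lands under `${HOME}/.local/bin`, which is presumably not on `PATH` in this base image, so the entrypoint would need adjusting as well; that part of the Dockerfile is not shown.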