run tor as root

This commit is contained in:
Miraty 2024-08-08 00:03:43 +02:00
parent c438fc348d
commit 9a03df85f2
5 changed files with 7 additions and 9 deletions


@ -6,5 +6,4 @@ RUN apk add shadow
RUN \
useradd --user-group --system --no-create-home --uid 500 servnest && \
useradd --user-group --system --no-create-home --uid 501 nginx && \
useradd --user-group --system --no-create-home --uid 505 sftpgo && \
useradd --user-group --system --no-create-home --uid 506 tor
useradd --user-group --system --no-create-home --uid 505 sftpgo
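Review bot: The `tor` account with the fixed uid 506 is dropped from this chain, so the base image no longer guarantees a stable uid for tor, and a reader has no hint why tor is the only service without an entry here. A one-line comment would carry that, e.g. `# no tor account: the tor container now runs as root (see the torrc and sudoers changes in this commit)`. If the privilege drop is ever reinstated via torrc `User tor`, the account would have to come back with a pinned uid so the bind-mounted `./tmp/tor/` and socket directories keep matching ownership on the host; I cannot tell from this hunk whether the `apk add tor` package creates an account of its own.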


@ -13,7 +13,7 @@ services:
- ./sock/tor-client/:/run/tor-client/:rw
- ./sock/tor-control/:/run/tor-control/:rw
- ./sock/nginx-onion/:/run/nginx-onion/:rw
- ./tmp/tor/:/var/lib/:rw
- ./tmp/tor/:/var/lib/tor/:rw
mem_limit: 128m
sftpgo:
extends:
@ -65,7 +65,7 @@ services:
dockerfile: php.Containerfile
group_add:
- knot
- tor
- root # For tor control socket
links:
- nginx:servnest.test
- nginx:ht.servnest.test
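Review bot: `- root # For tor control socket` in the php service's `group_add` (second hunk) hands every process in that container supplementary GID 0, which is far broader than one socket: anything group-root with g+r/g+w on the shared bind mounts becomes reachable from the web tier, and the control socket itself is now the control channel of a daemon running as root, so a compromised php container gains control of tor. Prefer a dedicated group that owns the control socket and add that instead, e.g. `- tor # control socket`, and gate the port with tor's `CookieAuthentication 1` so socket access alone is not sufficient. If tor must start as root, torrc's `User` option (commented out in this commit) lets it drop to `tor` after opening its listeners; whether the GroupWritable unix socket then ends up group-owned by tor should be verified before relying on it. The first hunk's mount correction `./tmp/tor/:/var/lib/tor/` looks like the actual fix for the DataDirectory, which may make the root change unnecessary.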


@ -1,7 +1,7 @@
servnest ALL=(root) NOPASSWD: /bin/chgrp ^--no-dereference -- sftpgo /srv/servnest/ht/fs/[0-9a-f]{64}$
servnest ALL=(root) NOPASSWD: /usr/bin/certbot ^--config /etc/letsencrypt/servnest\.ini certonly --domain ([a-z0-9_-]{1,63}\.){1,126}[a-z0-9]{1,63}( --test-cert)?$
servnest ALL=(root) NOPASSWD: /usr/bin/certbot ^--config /etc/letsencrypt/servnest\.ini delete --quiet --cert-name ([a-z0-9_-]{1,63}\.){1,126}[a-z0-9]{1,63}$
servnest ALL=(tor) NOPASSWD: /bin/cat ^-- /srv/servnest/tor-keys/[0-9a-f]{64}/[a-zA-Z0-9_-]{1,64}/hostname$
servnest ALL=(tor) NOPASSWD: /bin/mkdir ^--mode=0700 -- /srv/servnest/tor-keys/[0-9a-f]{64}$
servnest ALL=(tor) NOPASSWD: /bin/rm ^-r -- /srv/servnest/tor-keys/[0-9a-f]{64}(/[a-zA-Z0-9_-]{1,64})?$
servnest ALL=(root) NOPASSWD: /bin/cat ^-- /srv/servnest/tor-keys/[0-9a-f]{64}/[a-zA-Z0-9_-]{1,64}/hostname$
servnest ALL=(root) NOPASSWD: /bin/mkdir ^--mode=0700 -- /srv/servnest/tor-keys/[0-9a-f]{64}$
servnest ALL=(root) NOPASSWD: /bin/rm ^-r -- /srv/servnest/tor-keys/[0-9a-f]{64}(/[a-zA-Z0-9_-]{1,64})?$
servnest ALL=(sftpgo) NOPASSWD: /bin/rm ^-r -- /srv/servnest/ht/fs/[0-9a-f]{64}$
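Review bot: Switching the three tor-keys rules from `(tor)` to `(root)` removes the only privilege boundary these commands had: `cat` as root follows any symlink that lands at `…/<name>/hostname` and returns whatever root can read, and `rm -r` as root deletes whatever sits under the matched directory regardless of owner, whereas as `tor` both were confined to that account's files. The regexes themselves are fine (no `.` in the character classes, so no traversal), so the exposure rests on nobody but root/tor being able to create entries below `/srv/servnest/tor-keys/`; please state that invariant in a comment above the rules, e.g. `# tor-keys is populated only by tor (running as root); servnest never owns paths below it`. Note also that `mkdir --mode=0700` now creates root-owned directories, which would block tor if it were ever moved back to an unprivileged account or dropped privileges via torrc `User`.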


@ -1,6 +1,6 @@
#User tor
DataDirectory /var/lib/tor
SocksPort unix:/run/tor-client/socket WorldWritable
ControlPort unix:/run/tor-control/dir/socket GroupWritable
ControlPort unix:/run/tor-control/socket GroupWritable
%include /srv/servnest/tor-config/*
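Review bot: `#User tor` stays commented out while the daemon is now launched as root (the Containerfile in this commit removes `USER tor`), so tor keeps root for its whole lifetime rather than only during startup. Tor's `User` option exists for exactly this case — as I read the manual it drops to the named account early in startup after the privileged setup — so `User tor` is the smaller change unless something here genuinely needs a root-owned process; if it is kept commented, say why, e.g. `# User tor — intentionally off: control socket must be group root for the php container`. The `ControlPort unix:/run/tor-control/socket GroupWritable` path fix is unrelated to the privilege question and matches the compose mount `./sock/tor-control/:/run/tor-control/`.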


@ -1,4 +1,3 @@
FROM servnest_alpine
RUN apk add tor && chmod 700 /var/lib/tor
USER tor
CMD ["tor", "--hush"]
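Review bot: With `USER tor` removed and no later `USER`, the `CMD` runs as uid 0 and the container is root for its whole lifetime; if the motivation is only write access to the bind-mounted `/var/lib/tor` (the compose hunk in this commit also corrects that mount path), the usual fix is ownership on the mount or tor's own `User tor` privilege drop rather than a root process. While here, `apk add tor` is unpinned and leaves the package index in the layer; `RUN apk add --no-cache tor=<version-placeholder> && chmod 700 /var/lib/tor` is the hadolint-clean form (DL3018/DL3019). A comment on the `RUN` line stating why the privilege drop was removed would keep the next reader from simply putting `USER tor` back and breaking the control-socket arrangement.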