From 3372ade61b4f2229cbc568a4ae3343b199102371 Mon Sep 17 00:00:00 2001 From: Martijn Suijlen <37180297+BlueIcarus@users.noreply.github.com> Date: Fri, 26 Jun 2020 17:38:27 +0200 Subject: [PATCH] Docker image should run non-root (#153) Changed the Dockerfile so that there is a Inbucket user (and group). This will allow the container to be executed a the Inbucket user in stead of ROOT (security best practices) If the user wants to use a different greeting.html file he can use the environment variable to define a different one. For now we just use the greeting.html from the defaults directory. * Permissions for /start-inbucket.sh file * Added timezone data so you can set the timezone in the image * Updated Docker greeting.html file to include some basic instructions * Updated to alpine 3.11 * Updated to golang 1.14 * Updated the required packages --- Dockerfile | 7 +++++- etc/docker/defaults/greeting.html | 36 ++++++++++++++++++++------- etc/docker/defaults/start-inbucket.sh | 15 ----------- 3 files changed, 33 insertions(+), 25 deletions(-) diff --git a/Dockerfile b/Dockerfile index 0c36bdb..cce2643 100644 --- a/Dockerfile +++ b/Dockerfile @@ -25,6 +25,7 @@ RUN npm run build # Run in minimal image FROM alpine:3.11 +RUN apk --no-cache add tzdata WORKDIR /opt/inbucket RUN mkdir bin defaults ui COPY --from=builder /build/inbucket bin @@ -36,7 +37,7 @@ COPY etc/docker/defaults/start-inbucket.sh / ENV INBUCKET_SMTP_DISCARDDOMAINS bitbucket.local ENV INBUCKET_SMTP_TIMEOUT 30s ENV INBUCKET_POP3_TIMEOUT 30s -ENV INBUCKET_WEB_GREETINGFILE /config/greeting.html +ENV INBUCKET_WEB_GREETINGFILE /opt/inbucket/defaults/greeting.html ENV INBUCKET_WEB_COOKIEAUTHKEY secret-inbucket-session-cookie-key ENV INBUCKET_WEB_UIDIR=ui ENV INBUCKET_STORAGE_TYPE file 
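Review bot: The new default `INBUCKET_WEB_GREETINGFILE /opt/inbucket/defaults/greeting.html` in the second Dockerfile hunk means the image no longer reads `/config/greeting.html`. A deployment that customised the greeting in its /config volume would fall back to the stock page after upgrading, with nothing in the Dockerfile saying so. A comment above the ENV line would make the contract visible, for example `# Greeting ships in the image; override INBUCKET_WEB_GREETINGFILE to serve a file from a mounted volume`. From the visible hunks nothing populates /config any more, so it is also worth stating whether `VOLUME /config` is still needed.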
@@ -54,5 +55,9 @@ EXPOSE 2500 9000 1100 VOLUME /config VOLUME /storage +RUN addgroup -g 1000 inbucket && adduser -G inbucket -u 1000 -D inbucket && chown -R inbucket:inbucket /opt/inbucket/ && chmod 774 /opt/inbucket/ -R && chown /start-inbucket.sh && chmod +x /start-inbucket.sh + +USER inbucket + ENTRYPOINT ["/start-inbucket.sh"] CMD ["-logjson"] diff --git a/etc/docker/defaults/greeting.html b/etc/docker/defaults/greeting.html index 88b22fd..242bff9 100644 --- a/etc/docker/defaults/greeting.html +++ b/etc/docker/defaults/greeting.html @@ -1,17 +1,35 @@
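Review bot: `chown /start-inbucket.sh` in the added RUN line names no owner, so as written that step would fail and stop the `&&` chain. It presumably should be `chown inbucket:inbucket /start-inbucket.sh`, or it can be dropped, since a world-executable script needs no ownership change. The same line makes everything under /opt/inbucket owned by and writable for the runtime user (`chmod 774 /opt/inbucket/ -R`), so a compromised inbucket process could rewrite its own binary and UI files, which undoes much of the benefit of dropping root. Meanwhile /config and /storage, the paths a file-backed store most likely needs to write, are never handed to uid 1000, and they are declared as volumes before this RUN line. Assuming inbucket does not need to write under /opt/inbucket, consider leaving the application files root-owned and giving the new user only the two volume directories, created before the VOLUME lines, as sketched below.

```dockerfile
# Create and hand over the writable mount points before declaring them as volumes
RUN addgroup -g 1000 inbucket \
 && adduser -G inbucket -u 1000 -D inbucket \
 && mkdir -p /config /storage \
 && chown inbucket:inbucket /config /storage \
 && chmod 755 /start-inbucket.sh
VOLUME /config
VOLUME /storage

USER inbucket
# … unchanged: ENTRYPOINT and CMD …
```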

Welcome to Inbucket

Inbucket is an email testing service; it will accept email for any email -address and make it available to view without a password.

+ address and make it available to view without a password. +

To view messages for a particular address, enter the username portion -of the address into the box on the upper right and click View.

+ of the address into the box on the upper right and click View. +

This instance of Inbucket is running inside of a Docker container. It is -configured to retain messages for a maximum of 3 days, and will enforce a limit -of 300 messages per mailbox - the oldest messages will be deleted to stay under -that limit.

+ href="https://www.docker.com/" target="_blank">Docker container. It is + configured to retain messages for a maximum of 3 days, and
+ will enforce a limit of 300 messages per mailbox - the oldest messages will + be deleted to stay under that limit. +

-

Messages addressed to any recipient in the @bitbucket.local -domain will be accepted but not written to disk. Use this domain for load or -soak testing your application.

+

+ Messages addressed to any recipient in the @bitbucket.local + domain will be accepted but not written to disk.
Use this domain for load or + soak testing your application. +

+ +

You can modify this greetings page by changing the Docker environment variable + 'INBUCKET_WEB_GREETINGFILE'
to point to a different greetings.html. If for + example you have a greetings file on your local machine and want to mount that + you could
that file using the docker '--volume' parameter to add your local + greetings.html file to the directory '/custom/greetings.html'.
You will then + set the environment variable INBUCKET_WEB_GREETINGFILE to + '/custom/greetings.html'.
Your customized file will then be loaded after you + start the Docker container.

+

+ This exact greetings file can be found at: + https://github.com/inbucket/inbucket/blob/master/etc/docker/defaults/greeting.html. +

diff --git a/etc/docker/defaults/start-inbucket.sh b/etc/docker/defaults/start-inbucket.sh index 9960437..dc7492e 100755 --- a/etc/docker/defaults/start-inbucket.sh +++ b/etc/docker/defaults/start-inbucket.sh @@ -3,22 +3,7 @@ # description: start inbucket (runs within a docker container) INBUCKET_HOME="/opt/inbucket" -CONF_SOURCE="$INBUCKET_HOME/defaults" -CONF_TARGET="/config" set -eo pipefail -install_default_config() { - local file="$1" - local source="$CONF_SOURCE/$file" - local target="$CONF_TARGET/$file" - - if [ ! -e "$target" ]; then - echo "Installing default $file to $CONF_TARGET" - install "$source" "$target" - fi -} - -install_default_config "greeting.html" - exec "$INBUCKET_HOME/bin/inbucket" $*