From d2e8ebf5f42c4db1a240ff90f79e8de817c7eb2f Mon Sep 17 00:00:00 2001 From: Boming Zhang Date: Sat, 25 Oct 2025 08:32:39 -0700 Subject: [PATCH] feat: enforce correct permission in Dockerfile --- Dockerfile | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index bee1836..b465468 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,16 +2,12 @@ FROM focs.ji.sjtu.edu.cn:5000/gitea/runner-images:ubuntu-latest-slim ENV TZ="Asia/Shanghai" +# install packages RUN sed -i s@/deb.debian.org/@/mirrors.tuna.tsinghua.edu.cn/@g /etc/apt/sources.list.d/debian.sources && \ apt-get update && \ apt-get install -y --no-install-recommends sudo python3-minimal python3-pip git git-lfs openssh-client rsync && \ apt-get clean && \ - rm -rf /var/lib/apt/lists/* && \ - userdel -r node && \ - useradd -u 1000 -ms /bin/bash tt && \ - useradd -u 1001 -ms /bin/bash student && \ - usermod -aG student tt && \ - echo "student ALL=(tt) NOPASSWD:SETENV:/usr/local/bin/joj3,/usr/local/bin/joj3-forge-convert\ntt ALL=(student) NOPASSWD:SETENV:ALL" > /etc/sudoers.d/joj + rm -rf /var/lib/apt/lists/* # install joint-teapot && joj3-forge RUN pip install --no-cache-dir --break-system-packages \ @@ -21,6 +17,17 @@ RUN pip install --no-cache-dir --break-system-packages \ # install joj3 & repo-health-checker & joj3-forge-convert COPY bin/joj3 bin/repo-health-checker bin/joj3-forge-convert /usr/local/bin/ +RUN chmod +x /usr/local/bin/joj3 /usr/local/bin/repo-health-checker /usr/local/bin/joj3-forge-convert +# set permissions +RUN userdel -r node && \ + useradd -u 1000 -ms /bin/bash tt && \ + useradd -u 1001 -ms /bin/bash student && \ + usermod -aG student tt && \ + chmod 700 /home/tt /home/student && \ + echo "student ALL=(tt) NOPASSWD:SETENV:/usr/local/bin/joj3,/usr/local/bin/joj3-forge-convert\ntt ALL=(student) NOPASSWD:SETENV:ALL" > /etc/sudoers.d/joj && \ + chmod 440 /etc/sudoers.d/joj + +# entry setup USER student WORKDIR /home/student
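Review bot: The sudoers drop-in written by the new `echo … > /etc/sudoers.d/joj` line in the second hunk is never syntax-checked, and a malformed file under sudoers.d makes sudo refuse every command at container runtime instead of failing the build; add `visudo -cf /etc/sudoers.d/joj` right after the `chmod 440 /etc/sudoers.d/joj` step. The `\n` inside that echo string also relies on the build shell's `echo` expanding escapes (dash, the default `/bin/sh` on Debian/Ubuntu, does; bash's builtin does not), so `printf '%s\n' 'student ALL=(tt) NOPASSWD:SETENV:/usr/local/bin/joj3,/usr/local/bin/joj3-forge-convert' 'tt ALL=(student) NOPASSWD:SETENV:ALL' > /etc/sudoers.d/joj` is the portable form. The separate `RUN chmod +x` on the three copied binaries stores a second copy of them in its own layer; `COPY --chmod=755 bin/joj3 bin/repo-health-checker bin/joj3-forge-convert /usr/local/bin/` sets the mode in the COPY layer itself under BuildKit. Note too that the `SETENV` tag lets the invoking user set variables on the sudo command line that bypass sudo's env_delete/env_check lists, so whether the `student ALL=(tt) … SETENV:` rule is safe depends on what joj3 does with its environment, which is not visible here; a comment above that line explaining why SETENV is required would help the next reviewer.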