diff --git a/Dockerfile.m4 b/Dockerfile.m4
index 79e3a05..23f93f3 100644
--- a/Dockerfile.m4
+++ b/Dockerfile.m4
@@ -360,6 +360,13 @@ COPY --from=build --chown=root:root /tmp/xrdp-pulseaudio/xrdp-pulseaudio_*.deb /
 RUN dpkg -i /tmp/xrdp-pulseaudio.deb && rm -f /tmp/xrdp-pulseaudio.deb
 
 # Environment
+ENV UNPRIVILEGED_USER_UID=1000
+ENV UNPRIVILEGED_USER_GID=1000
+ENV UNPRIVILEGED_USER_NAME=guest
+ENV UNPRIVILEGED_USER_PASSWORD=password
+ENV UNPRIVILEGED_USER_GROUPS=audio,input,video
+ENV UNPRIVILEGED_USER_SHELL=/bin/bash
+ENV DISABLE_GPU=false
 ENV RDP_TLS_KEY_PATH=/etc/xrdp/key.pem
 ENV RDP_TLS_CERT_PATH=/etc/xrdp/cert.pem
 ENV PATH=/opt/VirtualGL/bin:"${PATH}"
@@ -417,28 +424,6 @@ RUN mkdir /tmp/.X11-unix/ \
 # Configure server for use with VirtualGL
 RUN vglserver_config -config +s +f -t
 
-# Create guest user and group
-ARG GUEST_USER_UID=1000
-ARG GUEST_USER_GID=1000
-RUN groupadd --gid "${GUEST_USER_GID}" guest
-RUN useradd \
-	--uid "${GUEST_USER_UID}" \
-	--gid "${GUEST_USER_GID}" \
-	--shell "$(command -v bash)" \
-	--groups audio,input,video \
-	--home-dir /home/guest/ \
-	--create-home \
-	guest
-
-# Set guest user password
-ARG GUEST_USER_PASSWORD=guest
-RUN printf '%s' guest:"${GUEST_USER_PASSWORD}" | chpasswd
-
-# Create /run/user/${GUEST_USER_UID}/dbus-1/ directory
-RUN mkdir -p /run/user/"${GUEST_USER_UID}"/dbus-1/ \
-	&& chmod -R 700 /run/user/"${GUEST_USER_UID}"/ \
-	&& chown -R guest:guest /run/user/"${GUEST_USER_UID}"/
-
 # Copy config
 COPY --chown=root:root config/ssh/sshd_config /etc/ssh/sshd_config
 COPY --chown=root:root config/xrdp/xrdp.ini /etc/xrdp/xrdp.ini
diff --git a/README.md b/README.md
index 8956883..6f31d8e 100644
--- a/README.md
+++ b/README.md
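Review bot: `ENV UNPRIVILEGED_USER_PASSWORD=password` ships a fixed, publicly documented credential as the image default; docker-foreground-cmd applies it with `chpasswd` on every start, so a container run without `-e UNPRIVILEGED_USER_PASSWORD=…` accepts `guest`/`password` at the RDP login prompt (xrdp.ini now asks for both fields) and over SSH if sshd is actually running. The old `ARG GUEST_USER_PASSWORD=guest` was no stronger, but as an `ENV` the value is also recorded in the image config and shown by `docker inspect`/`docker history`, which is the wrong place for even a default secret. Because the entrypoint already expands it as `${UNPRIVILEGED_USER_PASSWORD:?}`, simply deleting this one line makes the container fail fast with an explicit message until an operator supplies a password; the README entry would then read `UNPRIVILEGED_USER_PASSWORD`: unprivileged user password (required, no default). If a convenience default is wanted, generating a random password at first start and printing it to the container log is the safer alternative.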
@@ -24,7 +24,13 @@ encounter any problem related to this you may use the `--shm-size` option.
 
 ## Environment variables
 
-* `GUEST_USER_PASSWORD`: guest user password (`guest` by default).
+* `UNPRIVILEGED_USER_UID`: unprivileged user UID (`1000` by default).
+* `UNPRIVILEGED_USER_GID`: unprivileged user GID (`1000` by default).
+* `UNPRIVILEGED_USER_NAME`: unprivileged user name (`guest` by default).
+* `UNPRIVILEGED_USER_PASSWORD`: unprivileged user password (`password` by default).
+* `UNPRIVILEGED_USER_GROUPS`: unprivileged user groups (`audio,input,video` by default).
+* `UNPRIVILEGED_USER_SHELL`: unprivileged user shell (`/bin/bash` by default).
+* `DISABLE_GPU`: disable the GPU in the container (`false` by default).
 
 ## License
 
diff --git a/config/xrdp/xrdp.ini b/config/xrdp/xrdp.ini
index 5538b73..712e3fc 100644
--- a/config/xrdp/xrdp.ini
+++ b/config/xrdp/xrdp.ini
@@ -11,7 +11,7 @@ key_file=/etc/xrdp/key.pem
 certificate=/etc/xrdp/cert.pem
 ssl_protocols=TLSv1.2, TLSv1.3
 tls_ciphers=HIGH
-autorun=XorgOther
+autorun=Xorg
 allow_channels=true
 allow_multimon=true
 bitmap_cache=true
@@ -58,17 +58,8 @@ rail=true
 xrdpvr=true
 tcutils=true
 
-[XorgGuest]
-name=Guest
-lib=libxup.so
-username=guest
-password=ask
-ip=127.0.0.1
-port=-1
-code=20
-
-[XorgOther]
-name=Other
+[Xorg]
+name=Xorg
 lib=libxup.so
 username=ask
 password=ask
diff --git a/scripts/bin/docker-foreground-cmd b/scripts/bin/docker-foreground-cmd
index e21f969..e1d4f23 100755
--- a/scripts/bin/docker-foreground-cmd
+++ b/scripts/bin/docker-foreground-cmd
@@ -3,40 +3,55 @@ set -eu
 
 # Disable xdummy if there is no graphics card
-if [ ! -d /dev/dri/ ]; then
+if [ "${DISABLE_GPU:?}" = 'true' ] || [ ! -d /dev/dri/ ]; then
 	unlink /etc/service/xdummy
 fi
 
-# Update guest user password
-if [ -n "${GUEST_USER_PASSWORD-}" ]; then
-	printf '%s' "guest:${GUEST_USER_PASSWORD}" | chpasswd
-	unset GUEST_USER_PASSWORD
+# Create unprivileged user and group
+groupadd \
+	--gid "${UNPRIVILEGED_USER_GID:?}" \
+	"${UNPRIVILEGED_USER_NAME:?}"
+useradd \
+	--uid "${UNPRIVILEGED_USER_UID:?}" \
+	--gid "${UNPRIVILEGED_USER_GID:?}" \
+	--groups "${UNPRIVILEGED_USER_GROUPS:?}" \
+	--shell "${UNPRIVILEGED_USER_SHELL:?}" \
+	--create-home \
+	"${UNPRIVILEGED_USER_NAME:?}"
+
+# Copy /etc/skel/ to unprivileged user home if empty
+UNPRIVILEGED_USER_HOME=$(getent passwd "${UNPRIVILEGED_USER_NAME:?}" | cut -d: -f6)
+if [ -z "$(ls -A "${UNPRIVILEGED_USER_HOME:?}")" ]; then
+	cp -aT /etc/skel/ "${UNPRIVILEGED_USER_HOME:?}"
+	chown -R "${UNPRIVILEGED_USER_NAME:?}:" "${UNPRIVILEGED_USER_HOME:?}"
 fi
 
+# Create /run/user/${UNPRIVILEGED_USER_UID}/dbus-1/ directory
+mkdir -p /run/user/"${UNPRIVILEGED_USER_UID:?}"/dbus-1/
+chmod -R 700 /run/user/"${UNPRIVILEGED_USER_UID:?}"/
+chown -R "${UNPRIVILEGED_USER_NAME:?}:" /run/user/"${UNPRIVILEGED_USER_UID:?}"/
+
+# Set unprivileged user password
+printf '%s' "${UNPRIVILEGED_USER_NAME:?}:${UNPRIVILEGED_USER_PASSWORD:?}" | chpasswd
+unset UNPRIVILEGED_USER_PASSWORD
+
 # Dump environment variables
 export-env >> /etc/profile.d/env.sh
 
-# Copy /etc/skel/ to guest user home if empty
-GUEST_USER_HOME=$(getent passwd guest | cut -d: -f6)
-if [ -z "$(ls -A "${GUEST_USER_HOME}")" ]; then
-	cp -aT /etc/skel/ "${GUEST_USER_HOME}"
-	chown -R guest:guest "${GUEST_USER_HOME}"
-fi
-
 # Generate self-signed certificate
-if [ ! -f "${RDP_TLS_KEY_PATH}" ] || [ ! -f "${RDP_TLS_CERT_PATH}" ]; then
-	KEY_FILE=${RDP_TLS_KEY_PATH}
-	CRT_FILE=${RDP_TLS_CERT_PATH}
+if [ ! -f "${RDP_TLS_KEY_PATH:?}" ] || [ ! -f "${RDP_TLS_CERT_PATH:?}" ]; then
+	KEY_FILE=${RDP_TLS_KEY_PATH:?}
+	CRT_FILE=${RDP_TLS_CERT_PATH:?}
 	CSR_FILE=$(mktemp -u)
 	(umask 077 \
-		&& openssl genrsa -out "${KEY_FILE}" 2048 \
+		&& openssl genrsa -out "${KEY_FILE:?}" 2048 \
 	) >/dev/null
 	(umask 022 \
-		&& openssl req -new -subj "/CN=$(uname -n)" -key "${KEY_FILE}" -out "${CSR_FILE}" \
-		&& openssl x509 -req -days 3650 -signkey "${KEY_FILE}" -in "${CSR_FILE}" -out "${CRT_FILE}" \
-		&& rm -f "${CSR_FILE}" \
+		&& openssl req -new -subj "/CN=$(uname -n)" -key "${KEY_FILE:?}" -out "${CSR_FILE:?}" \
+		&& openssl x509 -req -days 3650 -signkey "${KEY_FILE:?}" -in "${CSR_FILE:?}" -out "${CRT_FILE:?}" \
+		&& rm -f "${CSR_FILE:?}" \
 	) >/dev/null
 fi
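Review bot: The new `groupadd`/`useradd` calls run unconditionally on every start, and under `set -eu` both exit non-zero when the group or user already exists, so a container whose writable layer survives a stop/start (the default unless it is run with `--rm`) aborts in this entrypoint the second time it is launched; the build-time `RUN groupadd`/`RUN useradd` this replaces only ever ran once. Guarding each call with a `getent` lookup keeps the first run identical and makes restarts idempotent; the `/run/user` and `chpasswd` steps that follow are already safe to repeat, and the password refresh on restart is arguably desirable. `set -eu` is the hunk's header context, so the script's preamble and anything after the final `fi` are outside the hunk.
```shell
# Create unprivileged user and group (skip when already present, so a
# restarted container with a populated /etc/passwd does not abort under set -e)
if ! getent group "${UNPRIVILEGED_USER_GID:?}" >/dev/null; then
	groupadd \
		--gid "${UNPRIVILEGED_USER_GID:?}" \
		"${UNPRIVILEGED_USER_NAME:?}"
fi
if ! getent passwd "${UNPRIVILEGED_USER_NAME:?}" >/dev/null; then
	useradd \
		--uid "${UNPRIVILEGED_USER_UID:?}" \
		--gid "${UNPRIVILEGED_USER_GID:?}" \
		--groups "${UNPRIVILEGED_USER_GROUPS:?}" \
		--shell "${UNPRIVILEGED_USER_SHELL:?}" \
		--create-home \
		"${UNPRIVILEGED_USER_NAME:?}"
fi
# … unchanged: /etc/skel copy, /run/user setup, chpasswd, env dump, certificate …
```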