Dynamically create unprivileged user

Dockerfile.m4

@@ -360,6 +360,13 @@ COPY --from=build --chown=root:root /tmp/xrdp-pulseaudio/xrdp-pulseaudio_*.deb /
 RUN dpkg -i /tmp/xrdp-pulseaudio.deb && rm -f /tmp/xrdp-pulseaudio.deb
 
 # Environment
+ENV UNPRIVILEGED_USER_UID=1000
+ENV UNPRIVILEGED_USER_GID=1000
+ENV UNPRIVILEGED_USER_NAME=guest
+ENV UNPRIVILEGED_USER_PASSWORD=password
+ENV UNPRIVILEGED_USER_GROUPS=audio,input,video
+ENV UNPRIVILEGED_USER_SHELL=/bin/bash
+ENV DISABLE_GPU=false
 ENV RDP_TLS_KEY_PATH=/etc/xrdp/key.pem
 ENV RDP_TLS_CERT_PATH=/etc/xrdp/cert.pem
 ENV PATH=/opt/VirtualGL/bin:"${PATH}"
@@ -417,28 +424,6 @@ RUN mkdir /tmp/.X11-unix/ \
 # Configure server for use with VirtualGL
 RUN vglserver_config -config +s +f -t
 
-# Create guest user and group
-ARG GUEST_USER_UID=1000
-ARG GUEST_USER_GID=1000
-RUN groupadd --gid "${GUEST_USER_GID}" guest
-RUN useradd \
-		--uid "${GUEST_USER_UID}" \
-		--gid "${GUEST_USER_GID}" \
-		--shell "$(command -v bash)" \
-		--groups audio,input,video \
-		--home-dir /home/guest/ \
-		--create-home \
-		guest
-
-# Set guest user password
-ARG GUEST_USER_PASSWORD=guest
-RUN printf '%s' guest:"${GUEST_USER_PASSWORD}" | chpasswd
-
-# Create /run/user/${GUEST_USER_UID}/dbus-1/ directory
-RUN mkdir -p /run/user/"${GUEST_USER_UID}"/dbus-1/ \
-	&& chmod -R 700 /run/user/"${GUEST_USER_UID}"/ \
-	&& chown -R guest:guest /run/user/"${GUEST_USER_UID}"/
-
 # Copy config
 COPY --chown=root:root config/ssh/sshd_config /etc/ssh/sshd_config
 COPY --chown=root:root config/xrdp/xrdp.ini /etc/xrdp/xrdp.ini

README.md

@@ -24,7 +24,13 @@ encounter any problem related to this you may use the `--shm-size` option.
 
 ## Environment variables
 
-* `GUEST_USER_PASSWORD`: guest user password (`guest` by default).
+* `UNPRIVILEGED_USER_UID`: unprivileged user UID (`1000` by default).
+* `UNPRIVILEGED_USER_GID`: unprivileged user GID (`1000` by default).
+* `UNPRIVILEGED_USER_NAME`: unprivileged user name (`guest` by default).
+* `UNPRIVILEGED_USER_PASSWORD`: unprivileged user password (`password` by default).
+* `UNPRIVILEGED_USER_GROUPS`: unprivileged user groups (`audio,input,video` by default).
+* `UNPRIVILEGED_USER_SHELL`: unprivileged user shell (`/bin/bash` by default).
+* `DISABLE_GPU`: disable the GPU in the container (`false` by default).
 
 ## License
 

config/xrdp/xrdp.ini

@@ -11,7 +11,7 @@ key_file=/etc/xrdp/key.pem
 certificate=/etc/xrdp/cert.pem
 ssl_protocols=TLSv1.2, TLSv1.3
 tls_ciphers=HIGH
-autorun=XorgOther
+autorun=Xorg
 allow_channels=true
 allow_multimon=true
 bitmap_cache=true
@@ -58,17 +58,8 @@ rail=true
 xrdpvr=true
 tcutils=true
 
-[XorgGuest]
+[Xorg]
-name=Guest
+name=Xorg
-lib=libxup.so
-username=guest
-password=ask
-ip=127.0.0.1
-port=-1
-code=20
-
-[XorgOther]
-name=Other
 lib=libxup.so
 username=ask
 password=ask

scripts/bin/docker-foreground-cmd

@@ -3,40 +3,55 @@
 set -eu
 
 # Disable xdummy if there is no graphics card
-if [ ! -d /dev/dri/ ]; then
+if [ "${DISABLE_GPU:?}" = 'true' ] || [ ! -d /dev/dri/ ]; then
 	unlink /etc/service/xdummy
 fi
 
-# Update guest user password
+# Create unprivileged user and group
-if [ -n "${GUEST_USER_PASSWORD-}" ]; then
+groupadd \
-	printf '%s' "guest:${GUEST_USER_PASSWORD}" | chpasswd
+	--gid "${UNPRIVILEGED_USER_GID:?}" \
-	unset GUEST_USER_PASSWORD
+	"${UNPRIVILEGED_USER_NAME:?}"
+useradd \
+	--uid "${UNPRIVILEGED_USER_UID:?}" \
+	--gid "${UNPRIVILEGED_USER_GID:?}" \
+	--groups "${UNPRIVILEGED_USER_GROUPS:?}" \
+	--shell "${UNPRIVILEGED_USER_SHELL:?}" \
+	--create-home \
+	"${UNPRIVILEGED_USER_NAME:?}"
+
+# Copy /etc/skel/ to unprivileged user home if empty
+UNPRIVILEGED_USER_HOME=$(getent passwd "${UNPRIVILEGED_USER_NAME:?}" | cut -d: -f6)
+if [ -z "$(ls -A "${UNPRIVILEGED_USER_HOME:?}")" ]; then
+	cp -aT /etc/skel/ "${UNPRIVILEGED_USER_HOME:?}"
+	chown -R "${UNPRIVILEGED_USER_NAME:?}:" "${UNPRIVILEGED_USER_HOME:?}"
 fi
 
+# Create /run/user/${UNPRIVILEGED_USER_UID}/dbus-1/ directory
+mkdir -p /run/user/"${UNPRIVILEGED_USER_UID:?}"/dbus-1/
+chmod -R 700 /run/user/"${UNPRIVILEGED_USER_UID:?}"/
+chown -R "${UNPRIVILEGED_USER_NAME:?}:" /run/user/"${UNPRIVILEGED_USER_UID:?}"/
+
+# Set unprivileged user password
+printf '%s' "${UNPRIVILEGED_USER_NAME:?}:${UNPRIVILEGED_USER_PASSWORD:?}" | chpasswd
+unset UNPRIVILEGED_USER_PASSWORD
+
 # Dump environment variables
 export-env >> /etc/profile.d/env.sh
 
-# Copy /etc/skel/ to guest user home if empty
-GUEST_USER_HOME=$(getent passwd guest | cut -d: -f6)
-if [ -z "$(ls -A "${GUEST_USER_HOME}")" ]; then
-	cp -aT /etc/skel/ "${GUEST_USER_HOME}"
-	chown -R guest:guest "${GUEST_USER_HOME}"
-fi
-
 # Generate self-signed certificate
-if [ ! -f "${RDP_TLS_KEY_PATH}" ] || [ ! -f "${RDP_TLS_CERT_PATH}" ]; then
+if [ ! -f "${RDP_TLS_KEY_PATH:?}" ] || [ ! -f "${RDP_TLS_CERT_PATH:?}" ]; then
-	KEY_FILE=${RDP_TLS_KEY_PATH}
+	KEY_FILE=${RDP_TLS_KEY_PATH:?}
-	CRT_FILE=${RDP_TLS_CERT_PATH}
+	CRT_FILE=${RDP_TLS_CERT_PATH:?}
 	CSR_FILE=$(mktemp -u)
 
 	(umask 077 \
-		&& openssl genrsa -out "${KEY_FILE}" 2048 \
+		&& openssl genrsa -out "${KEY_FILE:?}" 2048 \
 	) >/dev/null
 
 	(umask 022 \
-		&& openssl req -new -subj "/CN=$(uname -n)" -key "${KEY_FILE}" -out "${CSR_FILE}" \
+		&& openssl req -new -subj "/CN=$(uname -n)" -key "${KEY_FILE:?}" -out "${CSR_FILE:?}" \
-		&& openssl x509 -req -days 3650 -signkey "${KEY_FILE}" -in "${CSR_FILE}" -out "${CRT_FILE}" \
+		&& openssl x509 -req -days 3650 -signkey "${KEY_FILE:?}" -in "${CSR_FILE:?}" -out "${CRT_FILE:?}" \
-		&& rm -f "${CSR_FILE}" \
+		&& rm -f "${CSR_FILE:?}" \
 	) >/dev/null
 fi