From b9b2999225c8e8eab515ede8b4e743da77834a81 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=A9ctor=20Molinero=20Fern=C3=A1ndez?=
Date: Sat, 14 Dec 2019 18:12:58 +0100
Subject: [PATCH] Create additional groups dynamically

---
 Dockerfile.m4 | 8 ++++----
 README.md | 2 +-
 scripts/bin/container-foreground-cmd | 11 ++++++++++-
 3 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/Dockerfile.m4 b/Dockerfile.m4
index c6be2fe..03af534 100644
--- a/Dockerfile.m4
+++ b/Dockerfile.m4
@@ -400,7 +400,7 @@ ENV UNPRIVILEGED_USER_UID=1000
 ENV UNPRIVILEGED_USER_GID=1000
 ENV UNPRIVILEGED_USER_NAME=guest
 ENV UNPRIVILEGED_USER_PASSWORD=password
-ENV UNPRIVILEGED_USER_GROUPS=audio,input,video
+ENV UNPRIVILEGED_USER_GROUPS=
 ENV UNPRIVILEGED_USER_SHELL=/bin/bash
 ENV RDP_TLS_KEY_PATH=/etc/xrdp/key.pem
 ENV RDP_TLS_CERT_PATH=/etc/xrdp/cert.pem
@@ -433,6 +433,9 @@ RUN ln -sf /dev/stdout /var/log/xdummy.log
 RUN ln -sf /dev/stdout /var/log/xrdp.log
 RUN ln -sf /dev/stdout /var/log/xrdp-sesman.log
 
+# Create /run/sshd/ directory
+RUN mkdir /run/sshd/
+
 # Create /etc/skel/.xsession file
 RUN printf '%s\n' 'exec xfce4-session' > /etc/skel/.xsession
 
@@ -452,9 +455,6 @@ RUN printf '%s\n' \
 # Create /etc/skel/.Xauthority file
 RUN touch /etc/skel/.Xauthority
 
-# Create /run/sshd directory
-RUN mkdir /run/sshd/
-
 # Create socket directory for X server
 RUN mkdir /tmp/.X11-unix/ \
 	&& chmod 1777 /tmp/.X11-unix/ \
diff --git a/README.md b/README.md
index 5a2ca10..b07507a 100644
--- a/README.md
+++ b/README.md
@@ -30,7 +30,7 @@ required for VirtualGL will conflict with the host X server.
 * `UNPRIVILEGED_USER_GID`: unprivileged user GID (`1000` by default).
 * `UNPRIVILEGED_USER_NAME`: unprivileged user name (`guest` by default).
 * `UNPRIVILEGED_USER_PASSWORD`: unprivileged user password (`password` by default).
-* `UNPRIVILEGED_USER_GROUPS`: unprivileged user groups (`audio,input,video` by default).
+* `UNPRIVILEGED_USER_GROUPS`: comma-separated list of additional GIDs for the unprivileged user (none by default).
 * `UNPRIVILEGED_USER_SHELL`: unprivileged user shell (`/bin/bash` by default).
 * `ENABLE_SSHD`: enable SSH server in the container (`false` by default).
 * `ENABLE_VIRTUALGL`: enable VirtualGL support in the container (`false` by default).
diff --git a/scripts/bin/container-foreground-cmd b/scripts/bin/container-foreground-cmd
index 2156d7c..a9cd4ca 100755
--- a/scripts/bin/container-foreground-cmd
+++ b/scripts/bin/container-foreground-cmd
@@ -2,6 +2,15 @@
 
 set -eu
 
+# Create additional groups
+_IFS=${IFS}; IFS=,
+for gid in ${UNPRIVILEGED_USER_GROUPS?}; do
+	if ! getent group "${gid:?}" >/dev/null 2>&1; then
+		groupadd -g "${gid:?}" "g_${gid:?}"
+	fi
+done
+IFS=$_IFS
+
 # Create unprivileged user and group
 groupadd \
 	--gid "${UNPRIVILEGED_USER_GID:?}" \
@@ -9,7 +18,7 @@ groupadd \
 useradd \
 	--uid "${UNPRIVILEGED_USER_UID:?}" \
 	--gid "${UNPRIVILEGED_USER_GID:?}" \
-	--groups "${UNPRIVILEGED_USER_GROUPS:?}" \
+	--groups "${UNPRIVILEGED_USER_GROUPS?}" \
 	--shell "${UNPRIVILEGED_USER_SHELL:?}" \
 	--create-home \
 	"${UNPRIVILEGED_USER_NAME:?}"
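Review bot: The new loop in the first hunk of scripts/bin/container-foreground-cmd accepts any comma-separated token and hands it straight to `groupadd -g` as root, so a non-numeric entry (or one that `getent` parses as an option, such as a value starting with `-`) only surfaces as a groupadd error that aborts the container under `set -e`; validating each token first gives a clear message and matches the README's contract that these are GIDs, e.g. `case "${gid}" in ''|*[!0-9]*) printf 'invalid GID: %s\n' "${gid}" >&2; exit 1;; esac` as the first statement of the loop body. The unquoted `${UNPRIVILEGED_USER_GROUPS?}` is split on `,` intentionally but remains subject to pathname globbing (a `*` in the value expands against the working directory), which `set -f` before the loop and `set +f` after `IFS=$_IFS` would rule out. A group named `g_<gid>` that already exists with a different GID also makes `groupadd` fail; that is probably rare enough to just state in the comment above the loop, e.g. `# Create additional groups: one g_<gid> per listed GID that does not exist yet (fails if that name is already taken)`.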
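Review bot: Dropping the `:` in `${UNPRIVILEGED_USER_GROUPS?}` in the second hunk of scripts/bin/container-foreground-cmd lets the new empty default through, so useradd now receives `--groups ""` in the default configuration; shadow's useradd treats an empty `-G` list as "no supplementary groups" as far as I recall, but that is worth confirming on this base image, because a useradd that rejects it would abort the script under `set -eu` out of the box. If it is not accepted, pass the option only when the value is non-empty, e.g. replace the `--groups` line with the unquoted expansion `${UNPRIVILEGED_USER_GROUPS:+--groups "${UNPRIVILEGED_USER_GROUPS}"} \`, which contributes no word when the variable is empty. Either way a one-line comment above `useradd`, e.g. `# Supplementary groups were created (if missing) by the loop above; empty means none`, would spare the next reader from re-deriving why `?` rather than `:?` is used here.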