From 3fb10baedf5b620b7d5c8763cdd55b86ddd9a005 Mon Sep 17 00:00:00 2001
From: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
Date: Fri, 3 Jan 2025 22:54:52 +0000
Subject: [PATCH] Docker: run as non-root (#28849)

* Docker: allow configuration of HTTP listen port via env var

* Update docs/install.md

Co-authored-by: Michael Telatynski <7t3chguy@gmail.com>

* prettier

* Docker: run as non-root

* Simplify sed incantation

---------

Co-authored-by: Michael Telatynski <7t3chguy@gmail.com>
---
 Dockerfile      | 12 +++++++++++-
 docs/install.md |  6 ++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 3cab540bb77..93d7c676d9f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # Builder
-FROM --platform=$BUILDPLATFORM node:22-bullseye as builder
+FROM --platform=$BUILDPLATFORM node:22-bullseye AS builder
 
 # Support custom branch of the js-sdk. This also helps us build images of element-web develop.
 ARG USE_CUSTOM_SDKS=false
@@ -25,8 +25,18 @@ COPY --from=builder /src/webapp /app
 # through `envsubst` by the nginx docker image entry point.
 COPY /docker/nginx-templates/* /etc/nginx/templates/
 
+# Tell nginx to put its pidfile elsewhere, so it can run as non-root
+RUN sed -i -e 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf
+
+# nginx user must own the cache and etc directory to write cache and tweak the nginx config
+RUN chown -R nginx:0 /var/cache/nginx /etc/nginx
+RUN chmod -R g+w /var/cache/nginx /etc/nginx
+
 RUN rm -rf /usr/share/nginx/html \
     && ln -s /app /usr/share/nginx/html
 
+# Run as nginx user by default
+USER nginx
+
 # HTTP listen port
 ENV ELEMENT_WEB_PORT=80
 
diff --git a/docs/install.md b/docs/install.md
index 7830324ffc5..f6bd98611cb 100644
--- a/docs/install.md
+++ b/docs/install.md
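Review bot: `USER nginx` in the second Dockerfile hunk switches by name, which runtimes that enforce a non-root policy (Kubernetes `runAsNonRoot`) cannot verify and will refuse to start; a numeric UID is verifiable, e.g. `USER 101` (the uid the upstream nginx image assigns to its `nginx` user — confirm against the final stage's base tag, whose `FROM` is outside the hunk). The `chown -R nginx:0` / `chmod -R g+w` pair grants the runtime user write access to all of `/etc/nginx`, including the `nginx.conf` already patched at build time; if the only runtime writer is the entrypoint's envsubst step (its output dir defaults to `/etc/nginx/conf.d`), the writable set could be narrowed to that directory plus `/var/cache/nginx`, though the broad form does mirror the upstream unprivileged image, so this is a least-privilege trade-off rather than a defect. Separately, the two recursive `RUN`s each re-copy the touched files into a fresh layer; folding them into one, `RUN chown -R nginx:0 /var/cache/nginx /etc/nginx && chmod -R g+w /var/cache/nginx /etc/nginx`, avoids paying that twice.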
@@ -60,6 +60,12 @@ would be:
 docker run --rm -p 127.0.0.1:80:80 -v /etc/element-web/config.json:/app/config.json vectorim/element-web
 ```
 
+The Docker image is configured to run as an unprivileged (non-root) user by
+default. This should be fine on modern Docker runtimes, but binding to port 80
+on other runtimes may require root privileges. To resolve this, either run the
+image as root (`docker run --user 0`) or, better, change the port that nginx
+listens on via the `ELEMENT_WEB_PORT` environment variable.
+
 The behaviour of the docker image can be customised via the following environment
 variables: