From f760c77c300bb4286b9940155690a9447d69b97e Mon Sep 17 00:00:00 2001
From: Roelf Wichertjes
Date: Tue, 22 Mar 2022 15:44:00 +0100
Subject: [PATCH] Drop privileges.
---
 Dockerfile | 2 --
 entrypoint.sh | 4 +++-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 9b4028d..a041e7d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,8 +12,6 @@ RUN chown nobody:nogroup /data
 COPY mover.sh /mover.sh
 COPY entrypoint.sh /entrypoint.sh
-# Switch user
-USER nobody
 WORKDIR /tmp
 ENTRYPOINT [ "/tini", "--", "/entrypoint.sh" ]
diff --git a/entrypoint.sh b/entrypoint.sh
index 45113e1..c61965a 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -9,11 +9,13 @@ export INCOMING="${INCOMING:-${SHARED_WARCS_DIR}/incoming/}"
 export UPLOAD_QUEUE="${UPLOAD_QUEUE:-${SHARED_WARCS_DIR}/upload-queue/}"
 mkdir -pv "${INCOMING}"
+chown nobody:nogroup "${INCOMING}"
 mkdir -pv "${UPLOAD_QUEUE}"
+chown nobody:nogroup "${UPLOAD_QUEUE}"
 case "$1" in
 "mover")
- /mover.sh
+ setpriv --reuid=nobody --regid=nogroup --init-groups --inh-caps=-all /mover.sh
 ;;
 esac
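Review bot: The new `setpriv` line in the `"mover")` arm starts `/mover.sh` as a child of a shell that stays root for the container's lifetime, so a signal forwarded by tini presumably reaches that root shell rather than the worker and the worker can be left orphaned; `exec setpriv --reuid=nobody --regid=nogroup --init-groups --inh-caps=-all --no-new-privs /mover.sh` replaces the shell with the unprivileged process, propagates its exit status directly, and additionally stops setuid binaries from re-acquiring privileges. The two added `chown nobody:nogroup` lines run as root on paths taken from environment variables and are not error-checked; whether the script enables `set -e` is outside the hunk, and if a chown fails (for example on an externally owned or read-only mount) the mover will start as nobody without write access, so `chown nobody:nogroup "${INCOMING}" || exit 1` and the same for `UPLOAD_QUEUE` would fail loudly instead. Since `USER nobody` is removed from the Dockerfile in the other hunk, the root-to-nobody transition now happens only inside this `case`, which deserves a comment above it such as `# Still root here so the data dirs can be chowned; every arm must drop privileges before running anything.`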