From 86176ff770eb2efbae0bb2d84cc56b533d910118 Mon Sep 17 00:00:00 2001
From: Mathias
Date: Thu, 25 Jun 2020 17:51:29 +0200
Subject: [PATCH 1/2] GUACAMOLE-1110: Shrinks container footprint, higher security and reliability check
Dockage image size will reduced by install only package dependencies (without recommendations). The guacd process runs as a non-privileged user and will be checked by netcat.
---
Dockerfile | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 83bce0fb..c5e2edb8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -90,6 +90,7 @@ ENV LD_LIBRARY_PATH=${PREFIX_DIR}/lib
ENV GUACD_LOG_LEVEL=info
ARG RUNTIME_DEPENDENCIES=" \
+ netcat-openbsd \
ca-certificates \
ghostscript \
fonts-liberation \
@@ -100,15 +101,21 @@ ARG RUNTIME_DEPENDENCIES=" \
COPY --from=builder ${PREFIX_DIR} ${PREFIX_DIR}
# Bring runtime environment up to date and install runtime dependencies
-RUN apt-get update && \
- apt-get install -y $RUNTIME_DEPENDENCIES && \
- apt-get install -y $(cat "${PREFIX_DIR}"/DEPENDENCIES) && \
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends $RUNTIME_DEPENDENCIES && \
+ apt-get install -y --no-install-recommends $(cat "${PREFIX_DIR}"/DEPENDENCIES) && \
rm -rf /var/lib/apt/lists/*
# Link FreeRDP plugins into proper path
RUN ${PREFIX_DIR}/bin/link-freerdp-plugins.sh \
${PREFIX_DIR}/lib/freerdp2/libguac*.so
+# Checks the operating status every 5 minutes with a timeout of 5 seconds
+HEALTHCHECK --interval=5m --timeout=5s CMD nc -z 127.0.0.1 4822 || exit 1
+
+# Run with user nobody
+USER nobody
+
# Expose the default listener port
EXPOSE 4822
From 7d06113cbeb21f421ae048b0f445123a480bb072 Mon Sep 17 00:00:00 2001
From: Mathias
Date: Tue, 30 Jun 2020 12:41:35 +0200
Subject: [PATCH 2/2] GUACAMOLE-1110: Replace user nobody with guacd
---
Dockerfile | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index c5e2edb8..934ba835 100644
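Review bot: The new `netcat-openbsd \` entry in RUNTIME_DEPENDENCIES puts a general-purpose network client into the runtime image solely to serve the HEALTHCHECK added further down in this patch, and nothing in the list records that; someone pruning dependencies later cannot tell it apart from a library guacd actually needs. A comment above the `ARG RUNTIME_DEPENDENCIES` instruction would capture the intent, e.g. `# netcat-openbsd is only used by the HEALTHCHECK probe; it is not a guacd dependency`. Like the existing entries it is unpinned, so the probe binary can change between rebuilds, though that follows the list's existing convention rather than being introduced here. The ARG string continues past the end of the hunk.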
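Review bot: The probe `nc -z 127.0.0.1 4822 || exit 1` only verifies that something accepts a TCP connection on the loopback port; guacd's bind address is presumably set where the daemon is launched, which is outside this hunk, so if it is ever bound to a non-loopback address only, the container would be reported unhealthy while still serving clients. A successful connect also says nothing about whether guacd is still handling the protocol, so this HEALTHCHECK detects a dead listener but not a wedged process. That limitation is worth recording in the comment, e.g. `# Liveness probe: only checks that the guacd listener accepts TCP connections on 4822`. The `|| exit 1` is redundant, since nc's non-zero status already fails the check, but it is harmless.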
--- a/Dockerfile
+++ b/Dockerfile
@@ -113,8 +113,12 @@ RUN ${PREFIX_DIR}/bin/link-freerdp-plugins.sh \
# Checks the operating status every 5 minutes with a timeout of 5 seconds
HEALTHCHECK --interval=5m --timeout=5s CMD nc -z 127.0.0.1 4822 || exit 1
-# Run with user nobody
-USER nobody
+# Create a new user guacd
+ARG UID=1000
+RUN useradd --system --create-home --shell /usr/sbin/nologin --uid $UID --no-user-group guacd
+
+# Run with user guacd
+USER guacd
# Expose the default listener port
EXPOSE 4822
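Review bot: The build argument is named `UID`, which collides with bash's read-only special variable of that name; `useradd --uid $UID` works here only because the RUN shell on this Debian-based image is the default `/bin/sh`, and a later `SHELL ["/bin/bash", …]` would likely expand `$UID` to the build user's id instead of the ARG, making useradd fail or create the wrong account. Renaming it avoids the trap: `ARG GUACD_UID=1000` and `--uid $GUACD_UID`. Separately, `--no-user-group` without `--gid` leaves the primary group to useradd's default from /etc/default/useradd (typically `users` on Debian), so anything guacd creates is shared with a general-purpose group; `groupadd --system guacd && useradd … --gid guacd` keeps the account self-contained and least-privileged. `--create-home` is presumably there for runtime caches such as fontconfig; that reason belongs in the `# Create a new user guacd` comment.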