[Buildroot] [PATCH] support/docker/Dockerfile: make $HOME folder read-only
Thomas Petazzoni
thomas.petazzoni at bootlin.com
Fri Dec 26 14:59:59 UTC 2025
The $HOME folder of the br-user inside the container is currently
read-write for the br-user. However, practically speaking, it is only
read-write when the UID of the user running the container from the
host machine is 1000, equal to the UID of the br-user inside the
container. For any other UID on the host machine, the $HOME folder is
in fact already read-only.
Because we do not expect Buildroot to write into $HOME, and in order
to have a consistent behavior regardless of the UID of the user on the
host machine, we change our Docker image to make the $HOME folder of
the br-user entirely non-writable.
Suggested-by: Peter Korsgaard <peter at korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
---
Of course, once this is accepted, follow-up patches will be submitted
to update our reference Docker image.
---
support/docker/Dockerfile | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/support/docker/Dockerfile b/support/docker/Dockerfile
index e7677ac6a9..cb3fdba151 100644
--- a/support/docker/Dockerfile
+++ b/support/docker/Dockerfile
@@ -92,6 +92,10 @@ RUN sed -i 's/# \(en_US.UTF-8\)/\1/' /etc/locale.gen && \
RUN useradd -ms /bin/bash br-user && \
chown -R br-user:br-user /home/br-user
+# Make the br-user home directory not writable, even for br-user
+# itself, to catch builds writing into $HOME
+RUN chmod 555 /home/br-user
+
USER br-user
WORKDIR /home/br-user
ENV HOME=/home/br-user
--
2.52.0
More information about the buildroot
mailing list