Unprivileged image fixes for NGINX App Protect (#174)

fabriziofiorucci · web-flow · commit 90002ca40a8a · 2025-01-23T08:05:12.000-09:00
Unprivileged image fixes
diff --git a/nginx-docker-builder/Dockerfile.plus.unprivileged b/nginx-docker-builder/Dockerfile.plus.unprivileged
@@ -31,7 +31,11 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644
 	&& printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect/debian `lsb_release -cs` nginx-plus\n" > /etc/apt/sources.list.d/nginx-app-protect.list \
 	&& printf "deb [signed-by=/usr/share/keyrings/app-protect-security-updates.gpg] https://pkgs.nginx.com/app-protect-security-updates/debian `lsb_release -cs` nginx-plus\n" >> /etc/apt/sources.list.d/nginx-app-protect.list \
 	&& apt-get -y update \
-	&& apt-get -y install app-protect app-protect-attack-signatures; fi \
+	&& apt-get -y install app-protect app-protect-attack-signatures \
+        && chown $UID:0 /opt \
+        && chmod g+w /opt \
+        && chown -R $UID:0 /opt/app_protect \
+        && chmod -R g+w /opt/app_protect; fi \
 # Forward request logs to Docker log collector
 	&& ln -sf /dev/stdout /var/log/nginx/access.log \
 	&& ln -sf /dev/stderr /var/log/nginx/error.log \
@@ -40,7 +44,16 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644
         curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor > /usr/share/keyrings/nginx-archive-keyring.gpg \
         && echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://packages.nginx.org/nginx-agent/debian/ `lsb_release -cs` agent" > /etc/apt/sources.list.d/nginx-agent.list \
         && apt-get -y update \
-        && apt-get -y install nginx-agent; fi
+        && apt-get -y install nginx-agent \
+# implement changes required to run NGINX Agent as an unprivileged user
+        && chown -R $UID:0 /etc/nginx-agent \
+        && chmod -R g+w /etc/nginx-agent \
+        && chown -R $UID:0 /var/lib/nginx-agent \
+        && chmod -R g+w /var/lib/nginx-agent \
+        && chown -R $UID:0 /var/log/nginx-agent \
+        && chmod -R g+w /var/log/nginx-agent \
+        && chown -R $UID:0 /var/run/nginx-agent \
+        && chmod -R g+w /var/run/nginx-agent; fi
 
 # implement changes required to run NGINX as an unprivileged user
 RUN rm /etc/nginx/conf.d/default.conf \
@@ -55,11 +68,7 @@ RUN rm /etc/nginx/conf.d/default.conf \
     && chown -R $UID:0 /usr/lib/nginx/modules \
     && chmod -R g+w /usr/lib/nginx/modules \
     && chown -R $UID:0 /etc/nms \
-    && chmod -R g+w /etc/nms \
-    && chown -R $UID:0 /etc/nginx-agent \
-    && chmod -R g+w /etc/nginx-agent \
-    && chown -R $UID:0 /var/lib/nginx-agent \
-    && chmod -R g+w /var/lib/nginx-agent
+    && chmod -R g+w /etc/nms
 
 # Startup script
 COPY ./container/start.sh /deployment/
diff --git a/nginx-docker-builder/container/start.sh b/nginx-docker-builder/container/start.sh
@@ -57,18 +57,27 @@ fi
 if [[ "$NAP_WAF" == "true" ]]; then
   export FQDN=127.0.0.1
 
-  yq -i '
-    .nap_monitoring.collector_buffer_size=50000 |
-    .nap_monitoring.processor_buffer_size=50000 |
-    .nap_monitoring.syslog_ip=strenv(FQDN) |
-    .nap_monitoring.syslog_port=514 |
-    .extensions += ["nginx-app-protect","nap-monitoring"]
-    ' /etc/nginx-agent/nginx-agent.conf
-
   if [[ "$IS_UNPRIVILEGED" ]]; then
     /opt/app_protect/bin/bd_agent &
     /usr/share/ts/bin/bd-socket-plugin tmm_count 4 proc_cpuinfo_cpu_mhz 2000000 total_xml_memory 471859200 total_umu_max_size 3129344 sys_max_account_id 1024 no_static_config &
+
+    yq -i '
+      .nap_monitoring.collector_buffer_size=50000 |
+      .nap_monitoring.processor_buffer_size=50000 |
+      .nap_monitoring.syslog_ip=strenv(FQDN) |
+      .nap_monitoring.syslog_port=10514 |
+      .extensions += ["nginx-app-protect","nap-monitoring"]
+      ' /etc/nginx-agent/nginx-agent.conf
+
   else
+    yq -i '
+      .nap_monitoring.collector_buffer_size=50000 |
+      .nap_monitoring.processor_buffer_size=50000 |
+      .nap_monitoring.syslog_ip=strenv(FQDN) |
+      .nap_monitoring.syslog_port=514 |
+      .extensions += ["nginx-app-protect","nap-monitoring"]
+      ' /etc/nginx-agent/nginx-agent.conf
+
     su - nginx -s /bin/bash -c "/opt/app_protect/bin/bd_agent &"
     su - nginx -s /bin/bash -c "/usr/share/ts/bin/bd-socket-plugin tmm_count 4 proc_cpuinfo_cpu_mhz 2000000 total_xml_memory 471859200 total_umu_max_size 3129344 sys_max_account_id 1024 no_static_config &"
   fi
