From 998a5882765d3726fbf4a9aeb54a07bdfd9090b3 Mon Sep 17 00:00:00 2001
From: Le Yao
Date: Tue, 1 Dec 2020 05:40:01 +0000
Subject: [PATCH] Create Non-root user in CNF

Create a non-root user wrt with privilege in CNF

Signed-off-by: Le Yao
Change-Id: I083ef1fa6ea5853bb2e9eb0320c4b6a2d7034e5e
---
 platform/cnf/src/Dockerfile_1806_mwan3.tpl | 7 ++++++-
 platform/cnf/src/Dockerfile_1806_mwan3_noproxy.tpl | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/platform/cnf/src/Dockerfile_1806_mwan3.tpl b/platform/cnf/src/Dockerfile_1806_mwan3.tpl
index 12142f7..b5194b1 100644
--- a/platform/cnf/src/Dockerfile_1806_mwan3.tpl
+++ b/platform/cnf/src/Dockerfile_1806_mwan3.tpl
@@ -10,6 +10,7 @@ RUN mkdir /var/lock && \
 opkg install uhttpd-mod-lua && \
 uci set uhttpd.main.interpreter='.lua=/usr/bin/lua' && \
 uci commit uhttpd && \
+ opkg install shadow-useradd shadow-groupadd shadow-usermod sudo && \
 opkg install mwan3 jq bash && \
 opkg install strongswan-default && \
 opkg install luci-app-mwan3; exit 0
@@ -27,7 +28,11 @@ ENV http_proxy=
 ENV https_proxy=
 ENV no_proxy=

-USER root
+RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
+RUN groupadd --system sudo && useradd wrt
+RUN usermod -a -G sudo wrt
+
+USER wrt

 # using exec format so that /sbin/init is proc 1 (see procd docs)
 CMD ["/sbin/init"]
diff --git a/platform/cnf/src/Dockerfile_1806_mwan3_noproxy.tpl b/platform/cnf/src/Dockerfile_1806_mwan3_noproxy.tpl
index 692fc3c..97e162c 100644
--- a/platform/cnf/src/Dockerfile_1806_mwan3_noproxy.tpl
+++ b/platform/cnf/src/Dockerfile_1806_mwan3_noproxy.tpl
@@ -7,6 +7,7 @@ RUN mkdir /var/lock && \
 opkg install uhttpd-mod-lua && \
 uci set uhttpd.main.interpreter='.lua=/usr/bin/lua' && \
 uci commit uhttpd && \
+ opkg install shadow-useradd shadow-groupadd shadow-usermod sudo && \
 opkg install mwan3 jq bash && \
 opkg install strongswan-default && \
 opkg install luci-app-mwan3; exit 0
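Review bot: In the first hunk of Dockerfile_1806_mwan3.tpl the new `opkg install shadow-useradd shadow-groupadd shadow-usermod sudo && \` sits inside a chain that ends in `; exit 0`, so if that install fails, the mwan3, strongswan-default and luci-app-mwan3 installs after it are skipped and the layer still reports success. The later `groupadd`/`useradd` step would catch missing shadow tools, but a missing `sudo` or a missing strongswan package would likely not stop the build. I would move the install into its own unmasked instruction, `RUN opkg install shadow-useradd shadow-groupadd shadow-usermod sudo`, so a failure is visible at build time. The first hunk of Dockerfile_1806_mwan3_noproxy.tpl has the same line in the same position; the RUN instruction starts above both hunks.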
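Review bot: `RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers` in the second hunk of Dockerfile_1806_mwan3.tpl gives `wrt` passwordless root for every command, so `USER wrt` changes the default UID but not the privilege a compromised process in the container can reach. If `wrt` needs only a few privileged commands, the rule should list them, e.g. `wrt ALL=(root) NOPASSWD: <absolute paths of the required commands>`, and the file should be checked with `visudo -c` in the same RUN step. It is also worth confirming that `/sbin/init` and the services it starts still work when launched as `wrt`, since the CMD line below is unchanged. The same lines are added in the second hunk of Dockerfile_1806_mwan3_noproxy.tpl.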
@@ -20,7 +21,11 @@ COPY default_firewall /etc/config/firewall
 COPY rest_v1 /usr/lib/lua/luci/controller/rest_v1
 COPY 10-default.conf /etc/sysctl.d/10-default.conf

-USER root
+RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
+RUN groupadd --system sudo && useradd wrt
+RUN usermod -a -G sudo wrt
+
+USER wrt

 # using exec format so that /sbin/init is proc 1 (see procd docs)
 CMD ["/sbin/init"]
-- 
2.16.6
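Review bot: `useradd wrt` in this hunk lets the tool choose the UID and `USER wrt` names the user rather than a number, so the UID is not fixed by the Dockerfile and a Kubernetes `runAsNonRoot` check cannot verify a named image user. If the CNF is deployed under such a policy, I would pin the id with `RUN groupadd --system sudo && useradd --uid <uid> wrt` and `USER <uid>`, where `<uid>` is a placeholder for the value the project chooses. Dockerfile_1806_mwan3.tpl adds the same two lines in its second hunk.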