Drop privileges before starting server

- Create 'minecraft' user account within image.
- Drop to 'minecraft' user before starting server.

minecraft-server/Dockerfile

@@ -7,10 +7,12 @@ RUN update-alternatives --install /usr/bin/js js /usr/bin/js24 100
 
 RUN wget -O /usr/bin/jsawk https://github.com/micha/jsawk/raw/master/jsawk
 RUN chmod +x /usr/bin/jsawk
+RUN useradd -M -s /bin/false minecraft
 
 EXPOSE 25565
 
 ADD start.sh /start
+ADD start-minecraft.sh /start-minecraft
 
 VOLUME ['/data']
 ADD server.properties /tmp/server.properties

minecraft-server/start-minecraft.sh

@@ -0,0 +1,49 @@
+#!/bin/sh
+
+case $VERSION in
+  LATEST)
+    export VERSION=`wget -O - https://s3.amazonaws.com/Minecraft.Download/versions/versions.json | jsawk -n 'out(this.latest.release)'`
+    ;;
+
+  SNAPSHOT)
+    export VERSION=`wget -O - https://s3.amazonaws.com/Minecraft.Download/versions/versions.json | jsawk -n 'out(this.latest.snapshot)'`
+    ;;
+esac
+
+cd /data
+
+if [ ! -e minecraft_server.$VERSION.jar ]; then
+  echo "Downloading minecraft_server.$VERSION.jar ..."
+  wget -q https://s3.amazonaws.com/Minecraft.Download/versions/$VERSION/minecraft_server.$VERSION.jar
+fi
+
+if [ ! -e server.properties ]; then
+  cp /tmp/server.properties .
+fi
+
+if [ -n "$MOTD" ]; then
+  sed -i "/motd\s*=/ c motd=$MOTD" /data/server.properties
+fi
+if [ -n "$LEVEL" ]; then
+  sed -i "/level-name\s*=/ c level-name=$LEVEL" /data/server.properties
+fi
+if [ -n "$OPS" ]; then
+  echo $OPS | awk -v RS=, '{print}' >> ops.txt
+fi
+
+if [ ! -e /data/eula.txt ]; then
+  if [ "$EULA" != "" ]; then
+    echo "# Generated via Docker on $(date)" > eula.txt
+    echo "eula=$EULA" >> eula.txt
+  else
+    echo ""
+    echo "Please accept the Minecraft EULA at"
+    echo "  https://account.mojang.com/documents/minecraft_eula"
+    echo "by adding the following immediately after 'docker run':"
+    echo "  -e EULA=TRUE"
+    echo ""
+    exit 1
+  fi
+fi
+
+java $JVM_OPTS -jar minecraft_server.$VERSION.jar

minecraft-server/start.sh

@@ -1,49 +1,4 @@
 #!/bin/sh
-
-case $VERSION in
-  LATEST)
-    export VERSION=`wget -O - https://s3.amazonaws.com/Minecraft.Download/versions/versions.json | jsawk -n 'out(this.latest.release)'`
-    ;;
-
-  SNAPSHOT)
-    export VERSION=`wget -O - https://s3.amazonaws.com/Minecraft.Download/versions/versions.json | jsawk -n 'out(this.latest.snapshot)'`
-    ;;
-esac
-
-cd /data
-
-if [ ! -e minecraft_server.$VERSION.jar ]; then
-  echo "Downloading minecraft_server.$VERSION.jar ..."
-  wget -q https://s3.amazonaws.com/Minecraft.Download/versions/$VERSION/minecraft_server.$VERSION.jar
-fi
-
-if [ ! -e server.properties ]; then
-  cp /tmp/server.properties .
-fi
-
-if [ -n "$MOTD" ]; then
-  sed -i "/motd\s*=/ c motd=$MOTD" /data/server.properties
-fi
-if [ -n "$LEVEL" ]; then
-  sed -i "/level-name\s*=/ c level-name=$LEVEL" /data/server.properties
-fi
-if [ -n "$OPS" ]; then
-  echo $OPS | awk -v RS=, '{print}' >> ops.txt
-fi
-
-if [ ! -e /data/eula.txt ]; then
-  if [ "$EULA" != "" ]; then
-    echo "# Generated via Docker on $(date)" > eula.txt
-    echo "eula=$EULA" >> eula.txt
-  else
-    echo ""
-    echo "Please accept the Minecraft EULA at"
-    echo "  https://account.mojang.com/documents/minecraft_eula"
-    echo "by adding the following immediately after 'docker run':"
-    echo "  -e EULA=TRUE"
-    echo ""
-    exit 1
-  fi
-fi
-
-java $JVM_OPTS -jar minecraft_server.$VERSION.jar
+set -e
+chown -R minecraft:minecraft /data
+exec su -s /bin/bash -c /start-minecraft minecraft