From 4c109106cb7f36be7e674da9916996c2838a2b51 Mon Sep 17 00:00:00 2001
From: Otto Seiskari
Date: Tue, 21 Aug 2018 21:41:42 +0300
Subject: [PATCH] less privileges and other fixes
---
 Dockerfile | 15 +++++++++------
 files/start-openvpn-blocking.sh | 6 +++---
 files/start.sh | 3 +++
 files/{ => user.js.d}/user.js | 6 ++++++
 run.sh | 2 +-
 5 files changed, 22 insertions(+), 10 deletions(-)
 rename files/{ => user.js.d}/user.js (50%)
diff --git a/Dockerfile b/Dockerfile
index 7510d02..6333a0d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,23 +1,26 @@
 FROM ubuntu:bionic
-RUN apt-get update && apt-get install -y firefox
+RUN apt-get update && apt-get install -y firefox \
+ curl sudo openvpn transmission \
+ && rm -rf /var/lib/apt/lists/*
+
 RUN export uid=1000 gid=1000 && \
 mkdir -p /home/user && \
 echo "user:x:${uid}:${gid}:User,,,:/home/user:/bin/bash" >> /etc/passwd && \
 echo "user:x:${uid}:" >> /etc/group && \
 chown ${uid}:${gid} -R /home/user
-RUN apt-get install -y openvpn
-RUN apt-get install -y curl sudo
-
+# Enable sudo (needed by openvpn, unfortunately)
 RUN echo "user ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/user && \
 chmod 0440 /etc/sudoers.d/user
 USER user
-COPY files/user.js /home/user/
+RUN mkdir -p /tmp/user.js.d/
+COPY files/user.js.d/* /tmp/user.js.d/
+RUN cat /tmp/user.js.d/* > /home/user/user.js
 COPY files/start.sh /home/user/
 COPY files/start-openvpn-blocking.sh /home/user/
 ENV HOME /home/user
-CMD /bin/bash /home/user/start.sh
+ENTRYPOINT ["/bin/bash", "/home/user/start.sh"]
diff --git a/files/start-openvpn-blocking.sh b/files/start-openvpn-blocking.sh
index 2eed457..662c777 100755
--- a/files/start-openvpn-blocking.sh
+++ b/files/start-openvpn-blocking.sh
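Review bot: The sudoers rule at `RUN echo "user ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/user` still grants unrestricted root even though, per the new comment above it and the start.sh hunk, the only root operations needed are starting openvpn and deleting that rule. A command-scoped rule such as `user ALL=(root) NOPASSWD: /usr/sbin/openvpn, /bin/rm /etc/sudoers.d/user` (binary paths to be confirmed inside the bionic image) keeps the image bounded even when start.sh is bypassed with a different entrypoint, which the runtime `sudo rm` cannot guarantee. Separately, `COPY files/user.js.d/* /tmp/user.js.d/` places root-owned files into a directory created by `user`; `cat` only needs read access so it works, but `COPY --chown=user ...` or doing the concatenation before `USER user` avoids leaving root-owned files in /tmp of the image.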
@@ -1,11 +1,11 @@
 #!/bin/bash
-set -eux -o pipefail
+set -e -o pipefail
 CONF="$1"
-sudo openvpn "$CONF" > "$HOME/openvpn.log" &
+sudo openvpn "$CONF" | tee "$HOME/openvpn.log" &
 while [ `tail "$HOME/openvpn.log" | grep "Initialization Sequence Completed" | wc -l` == "0" ]; do
- # echo "still not done"
+ echo "... still waiting for OpenVPN to start"
 sleep 2
 done
diff --git a/files/start.sh b/files/start.sh
index 1544a39..3e501b6 100644
--- a/files/start.sh
+++ b/files/start.sh
@@ -15,6 +15,9 @@ else
 echo "no OpenVPN config"
 fi
+# revoke sudo privileges after OpenVPN start
+sudo rm /etc/sudoers.d/user
+
 if [ ! -z ${ASSERT_COUNTRY+x} ]; then
 IP_COUNTRY=`curl ifconfig.co/country`
 echo " ---------------------------------------------------------------"
diff --git a/files/user.js b/files/user.js.d/user.js
similarity index 50%
rename from files/user.js
rename to files/user.js.d/user.js
index f67bf3b..a2a444b 100644
--- a/files/user.js
+++ b/files/user.js.d/user.js
@@ -3,3 +3,9 @@
 // Firefox often crashes without this setting
 // https://askubuntu.com/questions/966332/firefox-56-0-64-bit-crashing-tabs-after-upgrade
 user_pref("browser.tabs.remote.autostart", false);
+
+// disable onboarding: you don't want to see the welcome message every time
+user_pref("browser.onboarding.enabled", false);
+
+// no tracking protection intro
+user_pref("privacy.trackingprotection.introCount", 100);
diff --git a/run.sh b/run.sh
index df4ca86..a23e698 100755
--- a/run.sh
+++ b/run.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 set -eux
 docker run -ti --rm -e DISPLAY \
- --privileged \
+ --cap-add=NET_ADMIN --device /dev/net/tun \
 -v /tmp/.X11-unix:/tmp/.X11-unix \
 -v `pwd`/openvpn:/etc/openvpn \
 -v `pwd`/dbip:/home/user/dbip \
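Review bot: The wait loop after `sudo openvpn "$CONF" | tee "$HOME/openvpn.log" &` never terminates if OpenVPN exits before printing "Initialization Sequence Completed" (unreadable config, failed auth), because nothing checks that the background job is still alive and `set -e` does not react to a failed background pipeline. Capturing `pid=$!` right after the `&` (that is tee's PID, and tee exits when openvpn closes its stdout) and adding `kill -0 "$pid" 2>/dev/null || { echo "OpenVPN exited before initializing" >&2; exit 1; }` at the top of the loop body turns the hang into a clear failure. Dropping `-u` from the `set` line also means a missing `$1` now reaches openvpn as an empty argument; keep `-u` or put `: "${1:?path to OpenVPN config required}"` before `CONF="$1"`. The polling condition could be `until grep -q "Initialization Sequence Completed" "$HOME/openvpn.log"; do` instead of the backtick `tail | grep | wc -l` chain, though that line is unchanged by this commit.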
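Review bot: `sudo rm /etc/sudoers.d/user` returns non-zero when the file is already gone, so if this script is run a second time in the same container (for instance after a restart) it aborts at this point whenever the file's `set -e` is active; the shebang and `set` line are outside the hunk, so that is inferred. `sudo rm -f -- /etc/sudoers.d/user` is the idempotent form. The revocation only affects future `sudo` calls: the `openvpn` process already started under sudo keeps running as root, and the NOPASSWD rule remains in the image for any run that bypasses start.sh, which is better addressed by narrowing the rule in the Dockerfile hunk. The `if [ ! -z ${ASSERT_COUNTRY+x} ]` block that follows the added lines continues past the end of the hunk.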
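Review bot: `--device /dev/net/tun` makes `docker run` fail with a device-not-found error on hosts where the tun module is not loaded, and under `set -eux` the script then exits without explaining why. A pre-check such as `[ -c /dev/net/tun ] || { echo "/dev/net/tun is missing on the host; load the tun module first" >&2; exit 1; }` placed before the `docker run` line gives a clear message. Replacing `--privileged` with `--cap-add=NET_ADMIN` plus the tun device is the right scope for OpenVPN's tunnel and route setup. The `docker run` command continues past the last line of the hunk.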