From 801beafe69d1785b4fad5170a8a62b3c035b3887 Mon Sep 17 00:00:00 2001
From: Alexey Pustovalov
Date: Sat, 19 Dec 2020 12:24:40 -0500
Subject: [PATCH] Review zabbix user and group configuration
---
 agent/rhel/Dockerfile | 9 ++++++---
 agent2/alpine/Dockerfile | 14 +++++++++-----
 agent2/rhel/Dockerfile | 9 ++++++---
 java-gateway/rhel/Dockerfile | 9 ++++++---
 proxy-mysql/rhel/Dockerfile | 9 ++++++---
 proxy-sqlite3/rhel/Dockerfile | 9 ++++++---
 server-mysql/rhel/Dockerfile | 11 +++++++----
 web-nginx-mysql/rhel/Dockerfile | 9 ++++++---
 8 files changed, 52 insertions(+), 27 deletions(-)
diff --git a/agent/rhel/Dockerfile b/agent/rhel/Dockerfile
index 30612f846..775e44789 100644
--- a/agent/rhel/Dockerfile
+++ b/agent/rhel/Dockerfile
@@ -49,10 +49,13 @@ RUN set -eux && INSTALL_PKGS="bash \
 --security --sec-severity=Important --sec-severity=Critical && \
 dnf -y install --disablerepo "*" --enablerepo "${REPOLIST}" --setopt=install_weak_deps=False --best \
 --setopt=tsflags=nodocs ${INSTALL_PKGS} && \
- groupadd -g 1995 --system zabbix && \
- adduser -r --shell /sbin/nologin \
+ groupadd --system --gid 1995 zabbix && \
+ useradd \
+ --system --comment "Zabbix monitoring system" \
 -g zabbix -G root \
- -d /var/lib/zabbix/ -u 1997 \
+ --uid 1997 \
+ --shell /sbin/nologin \
+ --home-dir /var/lib/zabbix/ \
 zabbix && \
 mkdir -p /etc/zabbix && \
 mkdir -p /etc/zabbix/zabbix_agentd.d && \
diff --git a/agent2/alpine/Dockerfile b/agent2/alpine/Dockerfile
index c792d8b89..96e300c8d 100644
--- a/agent2/alpine/Dockerfile
+++ b/agent2/alpine/Dockerfile
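Review bot: In agent/rhel/Dockerfile the `-g zabbix -G root \` line that survives between the rewritten options keeps the zabbix account in group 0 as a supplementary group, and nothing in the hunk records why. Any path in the image that is group-owned by root and group-writable is then writable by the service account, so I would put the reason in a comment above the RUN instruction, e.g. `# zabbix is a member of GID 0 so the image can run under an arbitrary UID with group root (assumed, confirm); keep group-writable paths to a minimum`. With the other options now in long form, `--gid zabbix --groups root \` would make this line consistent. The same line appears in the agent2/rhel, java-gateway/rhel, proxy-mysql/rhel, proxy-sqlite3/rhel, server-mysql/rhel and web-nginx-mysql/rhel hunks, and agent2/alpine reaches the same membership through the added `adduser zabbix root && \`. The RUN instruction begins and ends outside the hunk.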
@@ -10,12 +10,16 @@ LABEL org.opencontainers.image.title="Zabbix agent 2" \ STOPSIGNAL SIGTERM RUN set -eux && \ - addgroup -S -g 1995 zabbix && \ - adduser -S \ - -D -G zabbix -G root \ - -u 1997 \ - -h /var/lib/zabbix/ \ + addgroup --system --gid 1995 zabbix && \ + adduser --system \ + --gecos "Zabbix monitoring system" \ + --disabled-password \ + --uid 1997 \ + --ingroup zabbix \ + --shell /sbin/nologin \ + --home /var/lib/zabbix/ \ zabbix && \ + adduser zabbix root && \ mkdir -p /etc/zabbix && \ mkdir -p /etc/zabbix/zabbix_agentd.d && \ mkdir -p /var/lib/zabbix && \ diff --git a/agent2/rhel/Dockerfile b/agent2/rhel/Dockerfile index 324331666..5c749ce91 100644 --- a/agent2/rhel/Dockerfile +++ b/agent2/rhel/Dockerfile @@ -49,10 +49,13 @@ RUN set -eux && INSTALL_PKGS="bash \ --security --sec-severity=Important --sec-severity=Critical && \ dnf -y install --disablerepo "*" --enablerepo "${REPOLIST}" --setopt=install_weak_deps=False --best \ --setopt=tsflags=nodocs ${INSTALL_PKGS} && \ - groupadd -g 1995 --system zabbix && \ - adduser -r --shell /sbin/nologin \ + groupadd --system --gid 1995 zabbix && \ + useradd \ + --system --comment "Zabbix monitoring system" \ -g zabbix -G root \ - -d /var/lib/zabbix/ -u 1997 \ + --uid 1997 \ + --shell /sbin/nologin \ + --home-dir /var/lib/zabbix/ \ zabbix && \ mkdir -p /etc/zabbix && \ mkdir -p /etc/zabbix/zabbix_agentd.d && \ diff --git a/java-gateway/rhel/Dockerfile b/java-gateway/rhel/Dockerfile index 2656f4310..521fa1875 100644 --- a/java-gateway/rhel/Dockerfile +++ b/java-gateway/rhel/Dockerfile 
@@ -45,10 +45,13 @@ RUN set -eux && INSTALL_PKGS="bash \
 --security --sec-severity=Important --sec-severity=Critical && \
 dnf -y install --disablerepo "*" --enablerepo "${REPOLIST}" --setopt=install_weak_deps=False --best \
 --setopt=tsflags=nodocs ${INSTALL_PKGS} && \
- groupadd -g 1995 --system zabbix && \
- adduser -r --shell /sbin/nologin \
+ groupadd --system --gid 1995 zabbix && \
+ useradd \
+ --system --comment "Zabbix monitoring system" \
 -g zabbix -G root \
- -d /var/lib/zabbix/ -u 1997 \
+ --uid 1997 \
+ --shell /sbin/nologin \
+ --home-dir /var/lib/zabbix/ \
 zabbix && \
 mkdir -p /etc/zabbix/ && \
 mkdir -p /usr/sbin/zabbix_java/ && \
diff --git a/proxy-mysql/rhel/Dockerfile b/proxy-mysql/rhel/Dockerfile
index 66d8c4230..158581ded 100644
--- a/proxy-mysql/rhel/Dockerfile
+++ b/proxy-mysql/rhel/Dockerfile
@@ -61,10 +61,13 @@ RUN set -eux && INSTALL_PKGS="bash \
 dnf -y module enable mysql && \
 dnf -y install --disablerepo "*" --enablerepo "${REPOLIST}" --setopt=install_weak_deps=False --best \
 --setopt=tsflags=nodocs ${INSTALL_PKGS} && \
- groupadd -g 1995 --system zabbix && \
- adduser -r --shell /sbin/nologin \
+ groupadd --system --gid 1995 zabbix && \
+ useradd \
+ --system --comment "Zabbix monitoring system" \
 -g zabbix -G root \
- -d /var/lib/zabbix/ -u 1997 \
+ --uid 1997 \
+ --shell /sbin/nologin \
+ --home-dir /var/lib/zabbix/ \
 zabbix && \
 mkdir -p /etc/zabbix && \
 mkdir -p /var/lib/zabbix && \
diff --git a/proxy-sqlite3/rhel/Dockerfile b/proxy-sqlite3/rhel/Dockerfile
index 500b47347..52d9d8ce7 100644
--- a/proxy-sqlite3/rhel/Dockerfile
+++ b/proxy-sqlite3/rhel/Dockerfile
@@ -59,10 +59,13 @@ RUN set -eux && INSTALL_PKGS="bash \
 dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \
 dnf -y install --disablerepo "*" --enablerepo "${REPOLIST}" --setopt=install_weak_deps=False --best \
 --setopt=tsflags=nodocs ${INSTALL_PKGS} && \
- groupadd -g 1995 --system zabbix && \
- adduser -r --shell /sbin/nologin \
+ groupadd --system --gid 1995 zabbix && \
+ useradd \
+ --system --comment "Zabbix monitoring system" \
 -g zabbix -G root \
- -d /var/lib/zabbix/ -u 1997 \
+ --uid 1997 \
+ --shell /sbin/nologin \
+ --home-dir /var/lib/zabbix/ \
 zabbix && \
 mkdir -p /etc/zabbix && \
 mkdir -p /var/lib/zabbix && \
diff --git a/server-mysql/rhel/Dockerfile b/server-mysql/rhel/Dockerfile
index 621f34b34..ce3231071 100644
--- a/server-mysql/rhel/Dockerfile
+++ b/server-mysql/rhel/Dockerfile
@@ -62,10 +62,13 @@ RUN set -eux && INSTALL_PKGS="bash \
 dnf -y module enable mysql && \
 dnf -y install --disablerepo "*" --enablerepo "${REPOLIST}" --setopt=install_weak_deps=False --best \
 --setopt=tsflags=nodocs ${INSTALL_PKGS} && \
- groupadd -g 1995 --system zabbix && \
- adduser -r --shell /sbin/nologin \
- -g zabbix -G dialout -G root \
- -d /var/lib/zabbix/ -u 1997 \
+ groupadd --system --gid 1995 zabbix && \
+ useradd \
+ --system --comment "Zabbix monitoring system" \
+ -g zabbix -G root \
+ --uid 1997 \
+ --shell /sbin/nologin \
+ --home-dir /var/lib/zabbix/ \
 zabbix && \
 mkdir -p /etc/zabbix && \
 mkdir -p /var/lib/zabbix && \
diff --git a/web-nginx-mysql/rhel/Dockerfile b/web-nginx-mysql/rhel/Dockerfile
index 9dfbb21c4..a41b83ab3 100644
--- a/web-nginx-mysql/rhel/Dockerfile
+++ b/web-nginx-mysql/rhel/Dockerfile
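Review bot: In server-mysql/rhel/Dockerfile the rewritten `useradd` drops the `dialout` group that the removed line passed as `-G dialout -G root`, and neither the subject nor a comment mentions it. As far as I know useradd keeps only the last `-G` when the option is repeated, so the old line probably never granted dialout and the effective groups may be unchanged; that is worth confirming against a built image. If the server is meant to reach a serial device from the container (not visible in this hunk), the form that works is `-g zabbix -G dialout,root \`; otherwise a short comment such as `# dialout deliberately not granted: no serial device access from this image` keeps a later edit from adding it back. The RUN instruction continues outside the hunk.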
@@ -61,10 +61,13 @@ RUN set -eux && INSTALL_PKGS="bash \
 --setopt=tsflags=nodocs ${INSTALL_PKGS} && \
 pip3 install supervisor && \
 ln -s /usr/local/bin/supervisord /usr/bin/supervisord && \
- groupadd -g 1995 --system zabbix && \
- adduser -r --shell /sbin/nologin \
+ groupadd --system --gid 1995 zabbix && \
+ useradd \
+ --system --comment "Zabbix monitoring system" \
 -g zabbix -G root \
- -d /var/lib/zabbix/ -u 1997 \
+ --uid 1997 \
+ --shell /sbin/nologin \
+ --home-dir /var/lib/zabbix/ \
 zabbix && \
 mkdir -p /etc/zabbix && \
 mkdir -p /etc/zabbix/web && \