From bd2ed7716c04b2f2cc984970439ba2107dab4841 Mon Sep 17 00:00:00 2001
From: prixod
Date: Mon, 1 Dec 2025 02:26:17 +0400
Subject: [PATCH] fix privileges
---
 compose.yaml | 14 ++++----------
 src/LiquidCode.Tester.Worker/Dockerfile | 12 ++++--------
 2 files changed, 8 insertions(+), 18 deletions(-)
diff --git a/compose.yaml b/compose.yaml
index a606e5c..d4933c2 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -26,6 +26,7 @@

 worker:
 image: liquidcode-tester-worker:latest
+ privileged: true
 container_name: liquidcode-tester-worker
 build:
 context: .
@@ -36,16 +37,9 @@
 - ASPNETCORE_ENVIRONMENT=Development
 networks:
 - liquidcode-network
- # Security hardening for Worker
- security_opt:
- - no-new-privileges:true
- - apparmor=docker-default
- cap_drop:
- - ALL
- cap_add:
- - SYS_ADMIN # Required for Isolate namespaces
- - SETUID # Required for Isolate to change user context
- - SETGID # Required for Isolate to change group context
+ # Mount cgroup for Isolate sandbox
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:rw
 # Temporary filesystem for compilation and testing
 tmpfs:
 - /tmp:exec,size=4G
diff --git a/src/LiquidCode.Tester.Worker/Dockerfile b/src/LiquidCode.Tester.Worker/Dockerfile
index d16b3e3..2130ca2 100644
--- a/src/LiquidCode.Tester.Worker/Dockerfile
+++ b/src/LiquidCode.Tester.Worker/Dockerfile
@@ -82,10 +82,8 @@ RUN apt-get update && \
 && rm -rf /var/lib/apt/lists/*

 # Create unprivileged user for running the worker service
-RUN useradd -m -u 1001 -s /bin/bash workeruser && \
- mkdir -p /var/local/lib/isolate && \
- chmod 755 /var/local/lib/isolate && \
- chown -R workeruser:workeruser /var/local/lib/isolate
+RUN mkdir -p /var/local/lib/isolate && \
+ chmod 755 /var/local/lib/isolate

 # Configure isolate directories and control-group root
 RUN printf "box_root = /var/local/lib/isolate\nlock_root = /run/isolate/locks\ncg_root = /sys/fs/cgroup\nfirst_uid = 60000\nfirst_gid = 60000\nnum_boxes = 1000\n" > /usr/local/etc/isolate.conf && \
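Review bot: The `privileged: true` added in the first compose.yaml hunk, together with the removal of `cap_drop: ALL`, the `cap_add` list and `apparmor=docker-default` and the new read-write bind mount of the host's `/sys/fs/cgroup` in the second hunk, turns the worker — the service that executes submitted code through isolate — into a fully privileged container: every capability, no seccomp or AppArmor confinement, all host devices, and write access to the host cgroup tree. The commit title suggests the earlier hardening broke isolate; if isolate is installed setuid-root, as it usually is, the likely culprit is `no-new-privileges:true`, which stops a setuid binary from gaining root, and removing only that line while keeping `cap_drop: [ALL]` plus the targeted `cap_add` entries (adding further capabilities only where isolate demonstrably fails without them) is a far smaller change than `privileged: true`. If isolate needs a writable cgroup subtree, delegate one to the container (for example via `cgroup_parent` or isolate's own cgroup setup) rather than mounting the host hierarchy `rw`. Whatever is kept, the new `# Mount cgroup for Isolate sandbox` comment should record why the previous controls were insufficient, so the relaxation is an explicit, reviewable decision.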
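Review bot: The comment `# Create unprivileged user for running the worker service` above the rewritten `RUN` in the Dockerfile's first hunk is now false — the `useradd` is gone and the instruction only creates and chmods `/var/local/lib/isolate`; the same staleness appears in the second hunk, where `# Switch to unprivileged user` now sits above a commented-out `USER`. Replace it with what the step does, e.g. `# Create the isolate box root (no dedicated worker user is created any more)`, and update or drop the second comment accordingly. If a dedicated user is meant to return later, a `TODO` naming the blocking problem would make that intent visible instead of a misleading header.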
@@ -96,13 +94,11 @@ RUN printf "box_root = /var/local/lib/isolate\nlock_root = /run/isolate/locks\nc
 COPY --from=publish /app/publish .

 # Create temp directory for compilation and testing with proper permissions
-RUN mkdir -p /tmp/testing && \
- chown -R workeruser:workeruser /tmp/testing && \
- chown -R workeruser:workeruser /app
+RUN mkdir -p /tmp/testing

 ENV ASPNETCORE_URLS=http://+:8080

 # Switch to unprivileged user
-USER workeruser
+#USER workeruser

 ENTRYPOINT ["dotnet", "LiquidCode.Tester.Worker.dll"]
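Review bot: Commenting out `USER workeruser` means the `ENTRYPOINT` now runs the worker as root inside the container, and combined with the `privileged: true` added to compose.yaml in the same commit, a bug in the worker or a breakout from an isolate box lands as root in a privileged container, which is effectively host compromise. If isolate is installed setuid-root (its usual installation), the calling service does not itself need root to invoke it, so restoring a non-root `USER` together with the removed `chown` of `/app` and `/tmp/testing` should be feasible; if root really is required, the reason belongs in the comment. Either way, delete the dead `#USER workeruser` line rather than leaving a disabled directive in the final image definition.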