Use ASF user account inside docker

ArchiSteamFarm/Core/OS.cs

@@ -166,13 +166,6 @@ namespace ArchiSteamFarm.Core {
 			return false;
 		}
 
-		internal static bool IsRunningInDocker() =>
-#if ASF_VARIANT_DOCKER
-			true;
-#else
-			Environment.GetEnvironmentVariable("DOTNET_RUNNING_IN_CONTAINER") == "true";
-#endif
-
 		internal static async Task<bool> RegisterProcess() {
 			if (SingleInstance != null) {
 				return false;

ArchiSteamFarm/Program.cs

@@ -220,7 +220,7 @@ namespace ArchiSteamFarm {
 					return false;
 				}
 
-				if (!OS.IsRunningInDocker() && OS.IsRunningAsRoot()) {
+				if (OS.IsRunningAsRoot()) {
 					ASF.ArchiLogger.LogGenericError(Strings.WarningRunningAsRoot);
 					await Task.Delay(SharedInfo.InformationDelay).ConfigureAwait(false);
 

ArchiSteamFarm/overlay/generic-netf/ArchiSteamFarm-Service.sh

@@ -63,6 +63,15 @@ for ARG in "$@"; do
 	fi
 done
 
+BINARY_PREFIX=""
+
+if [ -n "${ASF_USER-}" ] && [ "$(id -u)" -eq 0 ] && id -u "$ASF_USER" >/dev/null 2>&1; then
+	# Fix permissions first to ensure ASF has read/write access to the directory specified by --path and its own
+	chown -hR "${ASF_USER}:${ASF_USER}" . "$SCRIPT_DIR"
+
+	BINARY_PREFIX="su ${ASF_USER} -c"
+fi
+
 CONFIG_PATH="$(pwd)/${CONFIG_PATH}"
 
 # Kill underlying ASF process on shell process exit
@@ -78,11 +87,23 @@ mono --version
 while :; do
 	if [ -f "$CONFIG_PATH" ] && grep -Eq '"Headless":\s+?true' "$CONFIG_PATH"; then
 		# We're running ASF in headless mode so we don't need STDIN
-		mono ${MONO_ARGS-} "$BINARY" $BINARY_ARGS & # Start ASF in the background, trap will work properly due to non-blocking call
-		wait $! # This will forward mono error code, set -e will abort the script if it's non-zero
+		# Start ASF in the background, trap will work properly due to non-blocking call
+		if [ -n "$BINARY_PREFIX" ]; then
+			$BINARY_PREFIX "mono ${MONO_ARGS-} $BINARY $BINARY_ARGS" &
+		else
+			mono ${MONO_ARGS-} "$BINARY" $BINARY_ARGS &
+		fi
+
+		# This will forward mono error code, set -e will abort the script if it's non-zero
+		wait $!
 	else
 		# We're running ASF in non-headless mode, so we need STDIN to be operative
-		mono ${MONO_ARGS-} "$BINARY" $BINARY_ARGS # Start ASF in the foreground, trap sadly won't work until process exit
+		# Start ASF in the foreground, trap won't work until process exit
+		if [ -n "$BINARY_PREFIX" ]; then
+			$BINARY_PREFIX "mono ${MONO_ARGS-} $BINARY $BINARY_ARGS"
+		else
+			mono ${MONO_ARGS-} "$BINARY" $BINARY_ARGS
+		fi
 	fi
 
 	chmod +x "$SCRIPT_PATH" # If ASF exited by itself, we need to ensure that our script is still set to +x after auto-update

ArchiSteamFarm/overlay/generic-netf/ArchiSteamFarm.sh

@@ -63,6 +63,15 @@ for ARG in "$@"; do
 	fi
 done
 
+BINARY_PREFIX=""
+
+if [ -n "${ASF_USER-}" ] && [ "$(id -u)" -eq 0 ] && id -u "$ASF_USER" >/dev/null 2>&1; then
+	# Fix permissions first to ensure ASF has read/write access to the directory specified by --path and its own
+	chown -hR "${ASF_USER}:${ASF_USER}" . "$SCRIPT_DIR"
+
+	BINARY_PREFIX="su ${ASF_USER} -c"
+fi
+
 CONFIG_PATH="$(pwd)/${CONFIG_PATH}"
 
 # Kill underlying ASF process on shell process exit
@@ -77,11 +86,23 @@ mono --version
 
 if [ -f "$CONFIG_PATH" ] && grep -Eq '"Headless":\s+?true' "$CONFIG_PATH"; then
 	# We're running ASF in headless mode so we don't need STDIN
-	mono ${MONO_ARGS-} "$BINARY" $BINARY_ARGS & # Start ASF in the background, trap will work properly due to non-blocking call
-	wait $! # This will forward mono error code, set -e will abort the script if it's non-zero
+	# Start ASF in the background, trap will work properly due to non-blocking call
+	if [ -n "$BINARY_PREFIX" ]; then
+		$BINARY_PREFIX "mono ${MONO_ARGS-} $BINARY $BINARY_ARGS" &
+	else
+		mono ${MONO_ARGS-} "$BINARY" $BINARY_ARGS &
+	fi
+
+	# This will forward mono error code, set -e will abort the script if it's non-zero
+	wait $!
 else
 	# We're running ASF in non-headless mode, so we need STDIN to be operative
-	mono ${MONO_ARGS-} "$BINARY" $BINARY_ARGS # Start ASF in the foreground, trap won't work until process exit
+	# Start ASF in the foreground, trap won't work until process exit
+	if [ -n "$BINARY_PREFIX" ]; then
+		$BINARY_PREFIX "mono ${MONO_ARGS-} $BINARY $BINARY_ARGS"
+	else
+		mono ${MONO_ARGS-} "$BINARY" $BINARY_ARGS
+	fi
 fi
 
 chmod +x "$SCRIPT_PATH" # If ASF exited by itself, we need to ensure that our script is still set to +x after auto-update

ArchiSteamFarm/overlay/generic/ArchiSteamFarm-Service.sh

@@ -63,6 +63,15 @@ for ARG in "$@"; do
 	fi
 done
 
+BINARY_PREFIX=""
+
+if [ -n "${ASF_USER-}" ] && [ "$(id -u)" -eq 0 ] && id -u "$ASF_USER" >/dev/null 2>&1; then
+	# Fix permissions first to ensure ASF has read/write access to the directory specified by --path and its own
+	chown -hR "${ASF_USER}:${ASF_USER}" . "$SCRIPT_DIR"
+
+	BINARY_PREFIX="su ${ASF_USER} -c"
+fi
+
 CONFIG_PATH="$(pwd)/${CONFIG_PATH}"
 
 # Kill underlying ASF process on shell process exit
@@ -78,11 +87,23 @@ dotnet --info
 while :; do
 	if [ -f "$CONFIG_PATH" ] && grep -Eq '"Headless":\s+?true' "$CONFIG_PATH"; then
 		# We're running ASF in headless mode so we don't need STDIN
-		dotnet ${DOTNET_ARGS-} "$BINARY" $BINARY_ARGS & # Start ASF in the background, trap will work properly due to non-blocking call
-		wait $! # This will forward dotnet error code, set -e will abort the script if it's non-zero
+		# Start ASF in the background, trap will work properly due to non-blocking call
+		if [ -n "$BINARY_PREFIX" ]; then
+			$BINARY_PREFIX "dotnet ${DOTNET_ARGS-} $BINARY $BINARY_ARGS" &
+		else
+			dotnet ${DOTNET_ARGS-} "$BINARY" $BINARY_ARGS &
+		fi
+
+		# This will forward dotnet error code, set -e will abort the script if it's non-zero
+		wait $!
 	else
 		# We're running ASF in non-headless mode, so we need STDIN to be operative
-		dotnet ${DOTNET_ARGS-} "$BINARY" $BINARY_ARGS # Start ASF in the foreground, trap sadly won't work until process exit
+		# Start ASF in the foreground, trap won't work until process exit
+		if [ -n "$BINARY_PREFIX" ]; then
+			$BINARY_PREFIX "dotnet ${DOTNET_ARGS-} $BINARY $BINARY_ARGS"
+		else
+			dotnet ${DOTNET_ARGS-} "$BINARY" $BINARY_ARGS
+		fi
 	fi
 
 	chmod +x "$SCRIPT_PATH" # If ASF exited by itself, we need to ensure that our script is still set to +x after auto-update

ArchiSteamFarm/overlay/generic/ArchiSteamFarm.sh

@@ -63,6 +63,15 @@ for ARG in "$@"; do
 	fi
 done
 
+BINARY_PREFIX=""
+
+if [ -n "${ASF_USER-}" ] && [ "$(id -u)" -eq 0 ] && id -u "$ASF_USER" >/dev/null 2>&1; then
+	# Fix permissions first to ensure ASF has read/write access to the directory specified by --path and its own
+	chown -hR "${ASF_USER}:${ASF_USER}" . "$SCRIPT_DIR"
+
+	BINARY_PREFIX="su ${ASF_USER} -c"
+fi
+
 CONFIG_PATH="$(pwd)/${CONFIG_PATH}"
 
 # Kill underlying ASF process on shell process exit
@@ -77,11 +86,23 @@ dotnet --info
 
 if [ -f "$CONFIG_PATH" ] && grep -Eq '"Headless":\s+?true' "$CONFIG_PATH"; then
 	# We're running ASF in headless mode so we don't need STDIN
-	dotnet ${DOTNET_ARGS-} "$BINARY" $BINARY_ARGS & # Start ASF in the background, trap will work properly due to non-blocking call
-	wait $! # This will forward dotnet error code, set -e will abort the script if it's non-zero
+	# Start ASF in the background, trap will work properly due to non-blocking call
+	if [ -n "$BINARY_PREFIX" ]; then
+		$BINARY_PREFIX "dotnet ${DOTNET_ARGS-} $BINARY $BINARY_ARGS" &
+	else
+		dotnet ${DOTNET_ARGS-} "$BINARY" $BINARY_ARGS &
+	fi
+
+	# This will forward dotnet error code, set -e will abort the script if it's non-zero
+	wait $!
 else
 	# We're running ASF in non-headless mode, so we need STDIN to be operative
-	dotnet ${DOTNET_ARGS-} "$BINARY" $BINARY_ARGS # Start ASF in the foreground, trap won't work until process exit
+	# Start ASF in the foreground, trap won't work until process exit
+	if [ -n "$BINARY_PREFIX" ]; then
+		$BINARY_PREFIX "dotnet ${DOTNET_ARGS-} $BINARY $BINARY_ARGS"
+	else
+		dotnet ${DOTNET_ARGS-} "$BINARY" $BINARY_ARGS
+	fi
 fi
 
 chmod +x "$SCRIPT_PATH" # If ASF exited by itself, we need to ensure that our script is still set to +x after auto-update

ArchiSteamFarm/overlay/linux/ArchiSteamFarm-Service.sh

@@ -63,6 +63,15 @@ for ARG in "$@"; do
 	fi
 done
 
+BINARY_PREFIX=""
+
+if [ -n "${ASF_USER-}" ] && [ "$(id -u)" -eq 0 ] && id -u "$ASF_USER" >/dev/null 2>&1; then
+	# Fix permissions first to ensure ASF has read/write access to the directory specified by --path and its own
+	chown -hR "${ASF_USER}:${ASF_USER}" . "$SCRIPT_DIR"
+
+	BINARY_PREFIX="su ${ASF_USER} -c"
+fi
+
 CONFIG_PATH="$(pwd)/${CONFIG_PATH}"
 
 # Kill underlying ASF process on shell process exit
@@ -71,11 +80,23 @@ trap "trap - TERM && kill -- -$$" INT TERM
 while :; do
 	if [ -f "$CONFIG_PATH" ] && grep -Eq '"Headless":\s+?true' "$CONFIG_PATH"; then
 		# We're running ASF in headless mode so we don't need STDIN
-		"$BINARY" $BINARY_ARGS & # Start ASF in the background, trap will work properly due to non-blocking call
-		wait $! # This will forward dotnet error code, set -e will abort the script if it's non-zero
+		# Start ASF in the background, trap will work properly due to non-blocking call
+		if [ -n "$BINARY_PREFIX" ]; then
+			$BINARY_PREFIX "$BINARY $BINARY_ARGS" &
+		else
+			"$BINARY" $BINARY_ARGS &
+		fi
+
+		# This will forward dotnet error code, set -e will abort the script if it's non-zero
+		wait $!
 	else
 		# We're running ASF in non-headless mode, so we need STDIN to be operative
-		"$BINARY" $BINARY_ARGS # Start ASF in the foreground, trap sadly won't work until process exit
+		# Start ASF in the foreground, trap won't work until process exit
+		if [ -n "$BINARY_PREFIX" ]; then
+			$BINARY_PREFIX "$BINARY $BINARY_ARGS"
+		else
+			"$BINARY" $BINARY_ARGS
+		fi
 	fi
 
 	chmod +x "$SCRIPT_PATH" # If ASF exited by itself, we need to ensure that our script is still set to +x after auto-update

Dockerfile

@@ -46,6 +46,7 @@ RUN dotnet --info && \
     if [ -d "out/${STEAM_TOKEN_DUMPER_NAME}/${NET_CORE_VERSION}" ]; then mkdir -p "out/result/plugins/${STEAM_TOKEN_DUMPER_NAME}"; cp -pR "out/${STEAM_TOKEN_DUMPER_NAME}/${NET_CORE_VERSION}/"* "out/result/plugins/${STEAM_TOKEN_DUMPER_NAME}"; fi
 
 FROM --platform=$TARGETPLATFORM mcr.microsoft.com/dotnet/aspnet:5.0${IMAGESUFFIX} AS runtime
+ENV ASF_USER asf
 ENV ASPNETCORE_URLS=
 ENV DOTNET_CLI_TELEMETRY_OPTOUT 1
 ENV DOTNET_NOLOGO 1
@@ -63,6 +64,11 @@ LABEL maintainer="JustArchi <JustArchi@JustArchi.net>" \
 EXPOSE 1242
 WORKDIR /app
 COPY --from=build-dotnet /app/out/result .
+
+RUN groupadd -r -g 1000 asf && \
+    useradd -r -d /app -g 1000 -u 1000 asf && \
+    chown -hR asf:asf /app
+
 VOLUME ["/app/config", "/app/logs"]
 HEALTHCHECK CMD ["pidof", "-q", "dotnet"]
 ENTRYPOINT ["sh", "ArchiSteamFarm.sh", "--no-restart", "--process-required", "--system-required"]

Dockerfile.Service

@@ -47,6 +47,7 @@ RUN dotnet --info && \
     if [ -d "out/${STEAM_TOKEN_DUMPER_NAME}/${NET_CORE_VERSION}" ]; then mkdir -p "out/result/plugins/${STEAM_TOKEN_DUMPER_NAME}"; cp -pR "out/${STEAM_TOKEN_DUMPER_NAME}/${NET_CORE_VERSION}/"* "out/result/plugins/${STEAM_TOKEN_DUMPER_NAME}"; fi
 
 FROM --platform=$TARGETPLATFORM mcr.microsoft.com/dotnet/runtime-deps:5.0${IMAGESUFFIX} AS runtime
+ENV ASF_USER asf
 ENV ASPNETCORE_URLS=
 ENV DOTNET_CLI_TELEMETRY_OPTOUT 1
 ENV DOTNET_NOLOGO 1
@@ -64,6 +65,11 @@ LABEL maintainer="JustArchi <JustArchi@JustArchi.net>" \
 EXPOSE 1242
 WORKDIR /app
 COPY --from=build-dotnet /app/out/result .
+
+RUN groupadd -r -g 1000 asf && \
+    useradd -r -d /app -g 1000 -u 1000 asf && \
+    chown -hR asf:asf /app
+
 VOLUME ["/app/config", "/app/logs"]
 HEALTHCHECK CMD ["pidof", "-q", "ArchiSteamFarm"]
 ENTRYPOINT ["sh", "ArchiSteamFarm-Service.sh", "--no-restart", "--process-required", "--system-required"]