hldsdocker / hlds Goto Github PK

• from https://developer.valvesoftware.com/wiki/Half-Life_Dedicated_Server

Connectivity
No matter which type of server you are using, your computer must be able to receive unsolicited incoming connections. This is exactly what routers and software firewalls exist to prevent, so if you are using either you will have to reconfigure. Refer to the manufacturer instructions for how to do this.

The ports HLDS officially requires are:

• 27015 UDP (game transmission, pings)
• 27015 TCP (RCON)
• 27020 UDP (HLTV transmission)
• 26900 UDP (VAC service) -- automatically increments if used in case of additional server processes

HLDS has also been spotted opening connections on 27005 to 27030 UDP/TCP, but some of these may be outbound only.

Tip:
Pinging your own server will fail with some routers and/or ISPs. The most reliable way to test whether your connection is open is either to get a friend to try connecting, or to install the Microsoft Network Monitor (apply the filter Udp.Port == 27015) and watch for requests coming in from random people around the world. Note that the heartbeats you will see being sent to the two master servers do not mean that the connection is open.
Note:
A residential internet connections may not have the upload capacity to support large games.

          :x: **Codacy** found a **critical Security** issue: [By not specifying a USER, a program in the container may run as 'root'. This is a security hazard.](https://app.codacy.com/gh/hldsdocker/hlds/pullRequest?prid=13986173)

The issue identified by the Semgrep linter is that the Docker container is configured to run its processes as the root user by default. This can be a significant security risk, as any exploit that gains access to the container could potentially have root privileges, allowing it to perform unrestricted operations on the container and potentially affect the host system or other containers.

To mitigate this risk, it's best practice to create a non-root user within the Dockerfile and switch to that user before running the application. This can be done with the USER directive after all necessary file permissions and dependencies are set up for the non-root user.

Here's the code suggestion to add a non-root user and switch to it before setting the ENTRYPOINT:

RUN adduser --disabled-password --gecos '' myuser && chown -R myuser:myuser /path/to/required/directories
USER myuser

Please replace /path/to/required/directories with the actual directories that the non-root user needs to have ownership of to run the application. This line should be added right before the ENTRYPOINT directive.

This comment was generated by an experimental AI tool.

Originally posted by @codacy-production[bot] in #7 (comment)