authorAdam Mathes <adam@adammathes.com>2026-02-14 09:18:29 -0800
committerAdam Mathes <adam@adammathes.com>2026-02-14 09:18:29 -0800
commit490ba2f51289bb80b3035aacd0d78d4d280f340e (patch)
tree88de33e2e3c10b70f86e4e28c1e2188ab17dd3ac
parentcac85dc06b519d9bd6db4d017d501dffbbd8bac4 (diff)
security: run docker container as non-root user (fixing NK-o3n9jf)
-rw-r--r--Dockerfile11
1 files changed, 9 insertions, 2 deletions
diff --git a/Dockerfile b/Dockerfile
index ef1f492..a69379c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -24,12 +24,16 @@ RUN go build -o neko .
# Stage 3: Final Image
FROM debian:bullseye-slim
+
+# Create a non-root user
+RUN groupadd -r neko && useradd -r -g neko neko
+
WORKDIR /app
COPY --from=backend-builder /app/neko .
COPY --from=backend-builder /app/static ./static
-# Ensure data directory exists
-RUN mkdir -p /app/data
+# Ensure data directory exists and set permissions
+RUN mkdir -p /app/data && chown -R neko:neko /app/data
# Default environment variables
ENV NEKO_PORT=8080
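Review bot: The added `RUN groupadd -r neko && useradd -r -g neko neko` leaves the UID and GID to whatever the base image allocates, so the ids may change across base-image updates and will not reliably match the ownership of a host directory or volume mounted at /app/data. Pinning them keeps ownership stable and lets an orchestrator that verifies a numeric non-root id (for example Kubernetes `runAsNonRoot`) accept the image: `RUN groupadd -r -g 10001 neko && useradd -r -u 10001 -g neko -s /usr/sbin/nologin neko` (10001 is an example value). The `USER neko` line in the second hunk could then be written as `USER 10001:10001`. Limiting the `chown -R` to /app/data is a good choice, since the binary and static files stay root-owned and cannot be modified by the service account.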
@@ -37,4 +41,7 @@ ENV NEKO_DB=/app/data/neko.db
EXPOSE 8080
+# Switch to non-root user
+USER neko
+
CMD ["./neko", "-s", "8080", "-d", "/app/data/neko.db"]
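Review bot: After `USER neko`, a data volume or bind mount that was populated by the earlier root-running image stays owned by root. The build-time `chown` in the first hunk does not reach it, because a mount at /app/data hides the image's own directory. The process would then presumably fail to open or write /app/data/neko.db; this is inferred from the NEKO_DB path, as the page does not show how the container is deployed. A comment next to the switch would warn operators, for example `# Runs as neko: existing /app/data volumes or bind mounts must be chowned to this user before upgrading`. The placement of the switch is right, after every RUN step that needs root.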