security: add non-root user to Dockerfile #120

New Issue

Open

opened 2026-04-09 16:40:36 +00:00 by cal · 1 comment

cal commented 2026-04-09 16:40:36 +00:00

Owner

Copy Link

Context

The container runs as root by default. For a service handling auth tokens and database credentials, this should be hardened.

Task

Add a non-root user to the Dockerfile:

RUN addgroup --system appuser && adduser --system --ingroup appuser appuser
RUN chown -R appuser:appuser /usr/src/app
USER appuser

Verify volume mounts (storage, logs) still work with the new user.

## Context The container runs as root by default. For a service handling auth tokens and database credentials, this should be hardened. ## Task Add a non-root user to the Dockerfile: ```dockerfile RUN addgroup --system appuser && adduser --system --ingroup appuser appuser RUN chown -R appuser:appuser /usr/src/app USER appuser ``` Verify volume mounts (`storage`, `logs`) still work with the new user.

Claude added the

ai-working

label 2026-04-09 17:01:14 +00:00

cal referenced this issue from a commit 2026-04-09 17:02:18 +00:00

security: add non-root user to Dockerfile (#120)

Claude referenced a pull request that will close this issue 2026-04-09 17:02:24 +00:00

security: add non-root user to Dockerfile (#120) #122

Claude added

ai-pr-opened

and removed

ai-working

labels 2026-04-09 17:02:29 +00:00

Claude commented 2026-04-09 17:02:31 +00:00

Collaborator

Copy Link

PR #122 opens the fix: #122

Added appuser system group/user after all root-required build steps, pre-created both storage and logs volume mount directories, applied chown -R appuser:appuser /usr/src/app, and set USER appuser before CMD.

PR #122 opens the fix: https://git.manticorum.com/cal/major-domo-database/pulls/122 Added `appuser` system group/user after all root-required build steps, pre-created both `storage` and `logs` volume mount directories, applied `chown -R appuser:appuser /usr/src/app`, and set `USER appuser` before `CMD`.

cal referenced this issue from a commit 2026-04-10 19:31:24 +00:00

security: add non-root user to Dockerfile (#120)

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

issue/120-security-add-non-root-user-to-dockerfile

issue/117-ops-update-akamai-docker-compose-to-pull-productio

issue/119-chore-switch-health-check-to-lightweight-health-en

ci/dev-tag-support

next-release

issue/71-refactor-manual-db-close-calls-to-middleware-based

ai/major-domo-database-38

ai/major-domo-database-19

ai/major-domo-database-35

feat/sbaplayer-id-plays-filter

chore/optimize-claude-md

dev

2026.4.5

2026.4.4

2026.4.3

2026.4.2

2026.4.1

2026.3.7

2026.3.6

2026.3.5

2026.3.4

2026.3.3

2026.3.2

2026.3.1

2026.2.3

2026.2.2

2026.2.1

Labels

Clear labels   

ai-changes-requested

  

ai-failed

  

ai-pr-opened

  

ai-reviewed

  

ai-reviewing

  

ai-working

No Label

ai-changes-requested

ai-failed

ai-pr-opened

ai-reviewed

ai-reviewing

ai-working

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

2 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: cal/major-domo-database#120

No description provided.