security: add non-root user to Dockerfile ( #120 ) #122

label 2026-04-09 17:15:50 +00:00

Claude reviewed 2026-04-09 17:18:17 +00:00

Claude left a comment

AI Code Review

Files Reviewed

Dockerfile (modified)

Findings

Correctness

Blocker: Port 80 is a privileged port — non-root binding will fail on standard Docker deployments.

The PR sets USER appuser (a non-root system user) but the CMD still runs uvicorn on port 80:

CMD ["sh", "-c", "exec uvicorn app.main:app --host 0.0.0.0 --port 80 --workers $WEB_WORKERS"]

In Docker, CAP_NET_BIND_SERVICE is in the container's permitted capability set by default, but for non-root users, capabilities must be in the ambient set to be effective. Docker does not set ambient capabilities for non-root users by default. Without additional configuration, appuser cannot bind to port 80 and uvicorn will fail at startup with [Errno 13] Permission denied.

Recommended fixes (pick one):

Option A (cleanest) — move to port 8080:

# CMD change:
CMD ["sh", "-c", "exec uvicorn app.main:app --host 0.0.0.0 --port 8080 --workers $WEB_WORKERS"]

# HEALTHCHECK change:
HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
    CMD curl -f http://localhost:8080/api/v3/current || exit 1

And update docker-compose.yml port mapping from 801:80 to 801:8080.

Option B — grant capability to the Python binary (before USER appuser):

RUN setcap cap_net_bind_service+ep /usr/local/bin/python3.12

Note: this requires adding libcap2-bin to the apt-get install step.

Option C — docker-compose sysctl (namespaced, container-only):

sysctls:
  net.ipv4.ip_unprivileged_port_start: 0

Security

Non-root execution is the correct security improvement. The addgroup/adduser --system pattern is correct for Debian-based (python:3.12-slim) images.

Style & Conventions

Minor (non-blocking): Two separate RUN instructions add an unnecessary image layer. These can be combined:

RUN addgroup --system appuser && \
    adduser --system --ingroup appuser appuser && \
    mkdir -p /usr/src/app/storage /usr/src/app/logs && \
    chown -R appuser:appuser /usr/src/app

Verdict: REQUEST_CHANGES (posted as COMMENT — Gitea blocks self-review)

The USER appuser directive prevents uvicorn from binding to port 80 on standard Docker deployments. The container will fail to start. One of the three options above must be applied before this is safe to merge.

Automated review by Claude PR Reviewer

## AI Code Review ### Files Reviewed - `Dockerfile` (modified) ### Findings #### Correctness **Blocker: Port 80 is a privileged port — non-root binding will fail on standard Docker deployments.** The PR sets `USER appuser` (a non-root system user) but the CMD still runs uvicorn on port 80: ```dockerfile CMD ["sh", "-c", "exec uvicorn app.main:app --host 0.0.0.0 --port 80 --workers $WEB_WORKERS"] ``` In Docker, `CAP_NET_BIND_SERVICE` is in the container's *permitted* capability set by default, but for **non-root users**, capabilities must be in the *ambient* set to be effective. Docker does not set ambient capabilities for non-root users by default. Without additional configuration, `appuser` cannot bind to port 80 and uvicorn will fail at startup with `[Errno 13] Permission denied`. **Recommended fixes (pick one):** **Option A (cleanest) — move to port 8080:** ```dockerfile # CMD change: CMD ["sh", "-c", "exec uvicorn app.main:app --host 0.0.0.0 --port 8080 --workers $WEB_WORKERS"] # HEALTHCHECK change: HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \ CMD curl -f http://localhost:8080/api/v3/current || exit 1 ``` And update `docker-compose.yml` port mapping from `801:80` to `801:8080`. **Option B — grant capability to the Python binary (before `USER appuser`):** ```dockerfile RUN setcap cap_net_bind_service+ep /usr/local/bin/python3.12 ``` Note: this requires adding `libcap2-bin` to the `apt-get install` step. **Option C — docker-compose sysctl (namespaced, container-only):** ```yaml sysctls: net.ipv4.ip_unprivileged_port_start: 0 ``` #### Security - Non-root execution is the correct security improvement. The `addgroup`/`adduser --system` pattern is correct for Debian-based (`python:3.12-slim`) images. #### Style & Conventions - **Minor (non-blocking):** Two separate `RUN` instructions add an unnecessary image layer. These can be combined: ```dockerfile RUN addgroup --system appuser && \ adduser --system --ingroup appuser appuser && \ mkdir -p /usr/src/app/storage /usr/src/app/logs && \ chown -R appuser:appuser /usr/src/app ``` ### Verdict: REQUEST_CHANGES (posted as COMMENT — Gitea blocks self-review) The `USER appuser` directive prevents uvicorn from binding to port 80 on standard Docker deployments. The container will fail to start. One of the three options above must be applied before this is safe to merge. --- *Automated review by Claude PR Reviewer*

Claude added the

label 2026-04-09 17:18:33 +00:00

Claude added the

2026-04-09 17:31:27 +00:00

label 2026-04-09 17:30:50 +00:00

cal referenced this issue from a commit

fix: move uvicorn to port 8080 so non-root user can bind

cal added 1 commit 2026-04-09 17:31:27 +00:00

fix: move uvicorn to port 8080 so non-root user can bind 9a8f257081

Non-root users cannot bind to privileged ports (<1024) without ambient
capabilities, which Docker does not set by default. Switch uvicorn,
healthcheck, and docker-compose port mapping from 80 to 8080. Also
combine the two RUN instructions for user/directory setup into one layer.

Addresses review feedback on #122.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Claude commented

2026-04-09 17:31:33 +00:00

Addressed review feedback in commit 9a8f257.

Changes made:

Blocker fixed (Option A): Moved uvicorn from port 80 to port 8080 so the non-root appuser can bind without requiring ambient capabilities. Updated:
- CMD in Dockerfile: --port 80 → --port 8080
- HEALTHCHECK in Dockerfile: localhost:80 → localhost:8080
- docker-compose.yml port mapping: 801:80 → 801:8080
Minor improvement applied: Combined the two RUN instructions for user/directory setup into a single layer to reduce image size.

Addressed review feedback in commit 9a8f257. **Changes made:** - **Blocker fixed (Option A):** Moved uvicorn from port 80 to port 8080 so the non-root `appuser` can bind without requiring ambient capabilities. Updated: - `CMD` in `Dockerfile`: `--port 80` → `--port 8080` - `HEALTHCHECK` in `Dockerfile`: `localhost:80` → `localhost:8080` - `docker-compose.yml` port mapping: `801:80` → `801:8080` - **Minor improvement applied:** Combined the two `RUN` instructions for user/directory setup into a single layer to reduce image size.

Claude removed the

labels 2026-04-09 17:31:37 +00:00

Claude removed the

label 2026-04-10 15:28:26 +00:00

Claude added the

label 2026-04-10 18:48:19 +00:00

Claude reviewed 2026-04-10 18:50:23 +00:00

Claude left a comment

AI Code Review

Files Reviewed

Dockerfile (modified)
docker-compose.yml (modified)

Findings

Correctness

HEALTHCHECK URL is stale — will conflict or regress. This branch was cut before PRs #125 and #127 merged. Current main already has CMD curl -f http://localhost:80/health || exit 1 (lightweight endpoint, no DB query). This PR changes the old /api/v3/current path to port 8080, but doesn't account for the /health rename. The merge will produce a conflict on that line, and if resolved naively by taking this PR's version, it silently reverts the #125 fix back to the heavy /api/v3/current endpoint. The correct final HEALTHCHECK is http://localhost:8080/health. Rebase on main and update the HEALTHCHECK URL before merging.

Security

No issues found. Port 8080 for non-root correctly resolves the original blocker — non-root processes can bind unprivileged ports (≥1024) without capability grants.

Style & Conventions

addgroup --system appuser && adduser --system --ingroup appuser appuser — valid Debian syntax (python:3.12-slim), consistent with existing RUN layer consolidation pattern. ✓
chown -R appuser:appuser /usr/src/app after all COPY/install steps — correct ordering. ✓
USER appuser placed before CMD — correct. ✓
mkdir -p /usr/src/app/storage /usr/src/app/logs — now creates both volume-mounted dirs; the logs dir was previously missing. ✓
docker-compose.yml port 801:8080 — correct. No port conflict with adminer:8080 (host:8080→adminer container, host:801→api container are independent). ✓

Suggestions

None beyond the correctness fix above.

Verdict: REQUEST_CHANGES

One correctness issue: the HEALTHCHECK URL needs to be http://localhost:8080/health (not /api/v3/current). Rebase on current main — the healthcheck and CMD port changes are both correct, just needs the path updated to /health to match what #125/#127 already merged.

Automated review by Claude PR Reviewer

## AI Code Review ### Files Reviewed - `Dockerfile` (modified) - `docker-compose.yml` (modified) ### Findings #### Correctness - **HEALTHCHECK URL is stale — will conflict or regress.** This branch was cut before PRs #125 and #127 merged. Current `main` already has `CMD curl -f http://localhost:80/health || exit 1` (lightweight endpoint, no DB query). This PR changes the old `/api/v3/current` path to port 8080, but doesn't account for the `/health` rename. The merge will produce a conflict on that line, and if resolved naively by taking this PR's version, it silently reverts the #125 fix back to the heavy `/api/v3/current` endpoint. The correct final HEALTHCHECK is `http://localhost:8080/health`. **Rebase on main and update the HEALTHCHECK URL before merging.** #### Security - No issues found. Port 8080 for non-root correctly resolves the original blocker — non-root processes can bind unprivileged ports (≥1024) without capability grants. #### Style & Conventions - `addgroup --system appuser && adduser --system --ingroup appuser appuser` — valid Debian syntax (`python:3.12-slim`), consistent with existing RUN layer consolidation pattern. ✓ - `chown -R appuser:appuser /usr/src/app` after all COPY/install steps — correct ordering. ✓ - `USER appuser` placed before CMD — correct. ✓ - `mkdir -p /usr/src/app/storage /usr/src/app/logs` — now creates both volume-mounted dirs; the `logs` dir was previously missing. ✓ - `docker-compose.yml` port `801:8080` — correct. No port conflict with `adminer:8080` (host:8080→adminer container, host:801→api container are independent). ✓ #### Suggestions - None beyond the correctness fix above. ### Verdict: REQUEST_CHANGES One correctness issue: the HEALTHCHECK URL needs to be `http://localhost:8080/health` (not `/api/v3/current`). Rebase on current `main` — the healthcheck and CMD port changes are both correct, just needs the path updated to `/health` to match what #125/#127 already merged. --- *Automated review by Claude PR Reviewer*

Claude added

and removed

labels 2026-04-10 18:51:05 +00:00

Claude added the

2026-04-10 19:02:15 +00:00

label 2026-04-10 19:00:50 +00:00

cal added 1 commit 2026-04-10 19:02:06 +00:00

fix: update HEALTHCHECK to use /health endpoint on port 8080 f1c0e7ad7c

PRs #125/#127 merged /health endpoint to main before this branch.
Update HEALTHCHECK URL from /api/v3/current to /health to match.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Claude commented

Addressed review feedback (commit f1c0e7a):

HEALTHCHECK URL updated: http://localhost:8080/api/v3/current → http://localhost:8080/health to match the lightweight endpoint added in PRs #125/#127.

Note: did not rebase (would require force-push, which is prohibited in this workflow). The one-line HEALTHCHECK conflict with main is minimal and resolvable at merge time.

Addressed review feedback (commit f1c0e7a): - **HEALTHCHECK URL updated**: `http://localhost:8080/api/v3/current` → `http://localhost:8080/health` to match the lightweight endpoint added in PRs #125/#127. Note: did not rebase (would require force-push, which is prohibited in this workflow). The one-line HEALTHCHECK conflict with main is minimal and resolvable at merge time.

Claude removed the

labels 2026-04-10 19:02:19 +00:00

Claude added the

label 2026-04-10 19:15:51 +00:00

Claude reviewed 2026-04-10 19:18:14 +00:00

Claude left a comment

AI Code Review

Files Reviewed

Dockerfile (modified)
docker-compose.yml (modified)

Findings

Correctness

BLOCKER: Merge conflict — cannot land as-is. mergeable: false. After this branch was cut, the following PRs merged changes to the same areas of Dockerfile:
- PR #118: removed libpq-dev, leaving only curl in apt-get install
- PR #116: added ENV WEB_WORKERS=2 (already present in this branch's diff — no issue)
- PR #125: changed HEALTHCHECK from /api/v3/current to /health on port 80
- PR #127: added ARG BUILD_VERSION=dev, LABEL org.opencontainers.image.version=$BUILD_VERSION, ENV APP_VERSION=$BUILD_VERSION near the top
The branch needs a rebase onto current main. During conflict resolution:
- Keep the ARG/LABEL/ENV block from main (PR #127)
- Keep the curl-only apt-get install from main (PR #118)
- Keep this PR's non-root user block (addgroup/adduser/mkdir/chown/USER appuser)
- The HEALTHCHECK is already correct in this branch: http://localhost:8080/health ✓
- The CMD port 8080 is already correct in this branch ✓

Security

Non-root implementation is correct and complete. addgroup --system appuser && adduser --system --ingroup appuser appuser is valid Debian syntax for python:3.12-slim. ✓
chown -R appuser:appuser /usr/src/app runs before USER appuser — correct ordering. ✓
Port change 80→8080 is required: non-root users cannot bind ports < 1024 by default. ✓

Style & Conventions

No issues.

Suggestions

Volume mount write access: docker-compose.yml bind-mounts ./storage and ./logs. When Docker creates these host directories (or if they pre-exist as root-owned from previous deployments), appuser won't be able to write to them at runtime. Before restarting the container on prod/dev after this change, pre-create the directories with world-writable or appuser-compatible permissions: mkdir -p storage logs && chmod 777 storage logs (or set UID/GID to match appuser's system UID). This is a deployment note, not a code blocker.

Verdict: REQUEST_CHANGES

Single blocker: rebase required. The HEALTHCHECK URL and port are already correct in this branch — a clean rebase + conflict resolution should produce a mergeable, correct Dockerfile. All logic changes are sound.

Automated review by Claude PR Reviewer

## AI Code Review ### Files Reviewed - `Dockerfile` (modified) - `docker-compose.yml` (modified) ### Findings #### Correctness - **BLOCKER: Merge conflict — cannot land as-is.** `mergeable: false`. After this branch was cut, the following PRs merged changes to the same areas of `Dockerfile`: - PR #118: removed `libpq-dev`, leaving only `curl` in `apt-get install` - PR #116: added `ENV WEB_WORKERS=2` (already present in this branch's diff — no issue) - PR #125: changed HEALTHCHECK from `/api/v3/current` to `/health` on port 80 - PR #127: added `ARG BUILD_VERSION=dev`, `LABEL org.opencontainers.image.version=$BUILD_VERSION`, `ENV APP_VERSION=$BUILD_VERSION` near the top The branch needs a **rebase onto current `main`**. During conflict resolution: - Keep the ARG/LABEL/ENV block from main (PR #127) - Keep the curl-only `apt-get install` from main (PR #118) - Keep this PR's non-root user block (addgroup/adduser/mkdir/chown/USER appuser) - The HEALTHCHECK is already correct in this branch: `http://localhost:8080/health` ✓ - The CMD port 8080 is already correct in this branch ✓ #### Security - Non-root implementation is correct and complete. `addgroup --system appuser && adduser --system --ingroup appuser appuser` is valid Debian syntax for `python:3.12-slim`. ✓ - `chown -R appuser:appuser /usr/src/app` runs before `USER appuser` — correct ordering. ✓ - Port change 80→8080 is required: non-root users cannot bind ports < 1024 by default. ✓ #### Style & Conventions - No issues. #### Suggestions - **Volume mount write access**: `docker-compose.yml` bind-mounts `./storage` and `./logs`. When Docker creates these host directories (or if they pre-exist as root-owned from previous deployments), `appuser` won't be able to write to them at runtime. Before restarting the container on prod/dev after this change, pre-create the directories with world-writable or `appuser`-compatible permissions: `mkdir -p storage logs && chmod 777 storage logs` (or set UID/GID to match `appuser`'s system UID). This is a deployment note, not a code blocker. ### Verdict: REQUEST_CHANGES Single blocker: rebase required. The HEALTHCHECK URL and port are already correct in this branch — a clean rebase + conflict resolution should produce a mergeable, correct Dockerfile. All logic changes are sound. --- *Automated review by Claude PR Reviewer*

Claude added

and removed

labels 2026-04-10 19:18:29 +00:00

Claude added the

2026-04-10 19:31:24 +00:00

label 2026-04-10 19:30:37 +00:00

cal force-pushed issue/120-security-add-non-root-user-to-dockerfile from f1c0e7ad7c to 8ed7405c8a

2026-04-10 19:31:24 +00:00

Compare

cal referenced this issue from a commit

fix: move uvicorn to port 8080 so non-root user can bind

Claude commented

2026-04-10 19:31:32 +00:00

Addressed review feedback (review #574):

Rebased onto current main — resolved Dockerfile conflict during rebase:

Kept ARG BUILD_VERSION/LABEL/ENV APP_VERSION block from main (PR #127)
Kept curl-only apt-get install from main (PR #118, no libpq-dev)
Kept non-root user block (addgroup/adduser/mkdir/chown/USER appuser) from this branch
HEALTHCHECK resolved to http://localhost:8080/health — correct port (8080, non-root) + correct path (/health, PR #125)
Third commit (fix: update HEALTHCHECK to use /health endpoint on port 8080) was auto-dropped by git as its changes were already upstream after conflict resolution

Branch is now rebased on top of 6972cbe (main HEAD). No logic changes — rebase + conflict resolution only.

Addressed review feedback (review #574): **Rebased onto current `main`** — resolved Dockerfile conflict during rebase: - Kept `ARG BUILD_VERSION`/`LABEL`/`ENV APP_VERSION` block from main (PR #127) - Kept curl-only `apt-get install` from main (PR #118, no `libpq-dev`) - Kept non-root user block (`addgroup`/`adduser`/`mkdir`/`chown`/`USER appuser`) from this branch - HEALTHCHECK resolved to `http://localhost:8080/health` — correct port (8080, non-root) + correct path (`/health`, PR #125) - Third commit (`fix: update HEALTHCHECK to use /health endpoint on port 8080`) was auto-dropped by git as its changes were already upstream after conflict resolution Branch is now rebased on top of `6972cbe` (main HEAD). No logic changes — rebase + conflict resolution only.

Claude removed the

labels 2026-04-10 19:32:04 +00:00

Claude added the

label 2026-04-10 19:45:51 +00:00

Claude reviewed 2026-04-10 19:47:18 +00:00

Claude left a comment

AI Code Review

Files Reviewed

Dockerfile (modified)
docker-compose.yml (modified)

Findings

Correctness

Non-root user block is correct: addgroup --system appuser → adduser --system --ingroup appuser appuser → mkdir -p both dirs → chown -R → USER appuser before CMD. Sequence is sound.
Port 8080 change is consistent across all three locations: uvicorn CMD, HEALTHCHECK URL, and docker-compose.yml port mapping. No orphaned references to port 80.
logs directory is now included in mkdir -p — previously only storage was created. Both volume mount targets now pre-created. ✓
curl is still available (installed via apt-get) — HEALTHCHECK can execute. ✓
pip install runs before USER appuser — system packages install as root, then ownership transferred. Correct pattern.

Security

Non-root user correctly implemented — uvicorn runs as appuser at runtime.
Python packages installed to /usr/local/lib/... (outside /usr/src/app) remain root-owned and read-only from the app's perspective. No issue.
No secrets or credentials in the changes.

Style & Conventions

No issues. Follows existing Dockerfile pattern. RUN layers consolidated appropriately.

Suggestions

Volume mount permissions (non-blocking): adduser --system on Debian assigns a system UID (typically 100–999). If the host-side ./storage and ./logs directories are owned by the operator user (e.g. UID 1000), appuser won't have write access after Docker mounts them — the image-side chown doesn't carry through a bind mount. Mitigation options: (1) pass a fixed --uid matching the host user to adduser, (2) use user: "1000:1000" in docker-compose, or (3) document that chown -R <appuser-uid>:<appuser-gid> ./storage ./logs must be run on the host before starting. This is an inherent bind-mount trade-off, not a bug in the implementation.
EXPOSE 8080 (optional/cosmetic): No EXPOSE instruction. Not required for connectivity but conventional for port documentation.

Verdict: COMMENT

Implementation is correct. Non-root user pattern is properly applied, port changes are fully consistent, and both volume directories are pre-created. The bind-mount UID mismatch is an inherent operational concern with this approach — worth documenting but not a code defect. Approved (posting as COMMENT — Gitea blocks self-approval).

Automated review by Claude PR Reviewer

## AI Code Review ### Files Reviewed - `Dockerfile` (modified) - `docker-compose.yml` (modified) ### Findings #### Correctness - Non-root user block is correct: `addgroup --system appuser` → `adduser --system --ingroup appuser appuser` → `mkdir -p` both dirs → `chown -R` → `USER appuser` before `CMD`. Sequence is sound. - Port 8080 change is consistent across all three locations: uvicorn CMD, HEALTHCHECK URL, and docker-compose.yml port mapping. No orphaned references to port 80. - `logs` directory is now included in `mkdir -p` — previously only `storage` was created. Both volume mount targets now pre-created. ✓ - `curl` is still available (installed via apt-get) — HEALTHCHECK can execute. ✓ - `pip install` runs before `USER appuser` — system packages install as root, then ownership transferred. Correct pattern. #### Security - Non-root user correctly implemented — uvicorn runs as `appuser` at runtime. - Python packages installed to `/usr/local/lib/...` (outside `/usr/src/app`) remain root-owned and read-only from the app's perspective. No issue. - No secrets or credentials in the changes. #### Style & Conventions - No issues. Follows existing Dockerfile pattern. RUN layers consolidated appropriately. #### Suggestions - **Volume mount permissions (non-blocking):** `adduser --system` on Debian assigns a system UID (typically 100–999). If the host-side `./storage` and `./logs` directories are owned by the operator user (e.g. UID 1000), `appuser` won't have write access after Docker mounts them — the image-side `chown` doesn't carry through a bind mount. Mitigation options: (1) pass a fixed `--uid` matching the host user to `adduser`, (2) use `user: "1000:1000"` in docker-compose, or (3) document that `chown -R <appuser-uid>:<appuser-gid> ./storage ./logs` must be run on the host before starting. This is an inherent bind-mount trade-off, not a bug in the implementation. - **`EXPOSE 8080`** (optional/cosmetic): No `EXPOSE` instruction. Not required for connectivity but conventional for port documentation. ### Verdict: COMMENT Implementation is correct. Non-root user pattern is properly applied, port changes are fully consistent, and both volume directories are pre-created. The bind-mount UID mismatch is an inherent operational concern with this approach — worth documenting but not a code defect. Approved (posting as COMMENT — Gitea blocks self-approval). --- *Automated review by Claude PR Reviewer*

Claude added

ai-reviewed

and removed