From 6f2ac26d114ae9ddda43bfc085b171c57ec5b65d Mon Sep 17 00:00:00 2001
From: Aroy-Art <Aroy-Art@pm.me>
Date: Fri, 4 Apr 2025 09:05:40 +0200
Subject: [PATCH] Add: dedicated user to docker file

---
 backend/Dockerfile | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/backend/Dockerfile b/backend/Dockerfile
index 95b0364..eda24a3 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -3,6 +3,10 @@
 # Use an official Python runtime as a parent image
 FROM python:3.12-slim
 
+# --- Add arguments for user/group IDs ---
+ARG UID=1000
+ARG GID=1000
+
 # Set environment variables
 ENV PYTHONDONTWRITEBYTECODE 1
 ENV PYTHONUNBUFFERED 1
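Review bot: The build args are named `UID` and `GID`, and `UID` collides with a variable bash treats as read-only and initialises from the real uid at startup; with this image's default `/bin/sh` (dash on the Debian slim base) the `$UID` expansion in the later `useradd` should resolve to the build arg, but if a `SHELL ["/bin/bash", ...]` directive is ever added the expansion would likely yield the build-time uid (0) instead — worth confirming. Renaming to something unambiguous avoids the trap: `ARG APP_UID=1000` / `ARG APP_GID=1000`, with the `useradd` line updated to match. A one-line comment stating the accepted range would also help operators: `# Override at build time with --build-arg; must be a non-zero UID/GID.`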
@@ -10,18 +14,27 @@ ENV PYTHONUNBUFFERED 1
 # Set work directory
 WORKDIR /app
 
+# --- Create a non-root user and group ---
+RUN groupadd -g $GID -o archivist && \
+    useradd -u $UID -g $GID -o -m -s /bin/bash archivist
+    # -o allows reusing UID/GID if needed, -m creates home dir, -s sets shell
+
 # Install Python dependencies
 # Copy only requirements first to leverage Docker cache
 COPY requirements.txt ./
 RUN pip install --no-cache-dir -r requirements.txt
 
 # Copy the entrypoint script first
-COPY ./entrypoint.sh /app/entrypoint.sh
+COPY --chown=archivist:archivist ./entrypoint.sh /app/entrypoint.sh
+
 # Ensure it's executable inside the container too
 RUN chmod +x /app/entrypoint.sh
 
 # Copy the rest of the backend source code
-COPY . .
+COPY --chown=archivist:archivist . .
+
+# --- Swithc the user to the archivist user ---
+USER archivist
 
 # Set the entrypoint script
 ENTRYPOINT ["/app/entrypoint.sh"]
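Review bot: The `-o` flag on `groupadd`/`useradd` (the new `RUN` after `WORKDIR`) lets any value passed via `--build-arg` be reused even when it is already taken, so `--build-arg UID=0 --build-arg GID=0` would silently create an `archivist` account that is root and the final `USER archivist` would still run as uid 0; dropping `-o` makes `useradd` fail the build on a collision with root instead. The account also gets an interactive login shell, which a service user does not need: `RUN groupadd -g "$GID" archivist && useradd -u "$UID" -g archivist -m -s /usr/sbin/nologin archivist`. Separately, `COPY --chown=archivist:archivist . .` makes the whole application tree writable by the runtime user; unless the entrypoint needs to write into `/app` (not visible here), leaving the source root-owned and chowning only the directories that must be writable is the least-privilege option, and note that `/app` itself was created by `WORKDIR` as root, so the user cannot create new files directly under it. The comment above `USER` has a typo (`Swithc`).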