From 0c8491ce7a21b03c78fc4a038624735960a42521 Mon Sep 17 00:00:00 2001
From: Steve Dogiakos
Date: Mon, 9 Mar 2026 20:13:21 -0600
Subject: [PATCH] feat: run container as non-root user Create appuser with configurable UID/GID (default 1000, matching example.env PID/GID vars) and switch to it before starting Gunicorn. Override at build time with --build-arg UID=... --build-arg GID=... Note: the /data volume mount must be owned by the matching UID on the host for the DB to remain writable.
---
 Dockerfile | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 5d07de8..d1103a8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -24,10 +24,13 @@ ENV FLASK_ENV=production
 # Expose the port (Gunicorn will run on 8000)
 EXPOSE 8000
-# TODO: No USER directive — container runs as root. Add a non-root user for security.
-# example.env has PID/GID=1000 vars suggesting this was intended. e.g.:
-# RUN useradd -u 1000 -g 1000 appuser && chown -R appuser /app /data
-# USER appuser
+# Create a non-root user. UID/GID match the PID/GID vars in example.env (default 1000).
+# Override at build time with: docker build --build-arg UID=1001 --build-arg GID=1001
+ARG UID=1000
+ARG GID=1000
+RUN groupadd -g ${GID} appuser && useradd -u ${UID} -g ${GID} -s /bin/sh -M appuser
+RUN chown -R appuser:appuser /app /entrypoint.sh
+USER appuser
 # Use the entrypoint script as the container's command
 CMD ["/entrypoint.sh"]
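Review bot: `RUN chown -R appuser:appuser /app /entrypoint.sh` makes the runtime account the owner of the application code and the entrypoint, so a compromised Gunicorn worker could rewrite what the container executes, which gives back part of what `USER appuser` gains. The code only has to be readable and the entrypoint executable, so I would leave both root-owned and hand appuser only the writable path, e.g. `RUN chown appuser:appuser /data`, assuming the image creates /data (not visible in this hunk). The removed TODO listed /data and the new line drops it, so a fresh named volume would presumably come up root-owned and the DB would not be writable. Separately, `ARG UID` collides with bash's read-only `UID` variable: with `/bin/sh` as dash this works, but if a `SHELL` instruction outside the hunk selects bash, `${UID}` expands to the build user's id (0) instead of the build-arg, and a name such as `APP_UID` avoids that.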