actualbudget · twk3 · Jan 18, 2024 · Jan 14, 2024 · Jan 15, 2024 · Jan 15, 2024
diff --git a/Dockerfile b/Dockerfile
@@ -7,11 +7,20 @@ RUN yarn workspaces focus --all --production
 
 FROM node:18-bullseye-slim as prod
 RUN apt-get update && apt-get install tini && apt-get clean -y && rm -rf /var/lib/apt/lists/*
+
+ARG USERNAME=appuser
+ARG USER_UID=1001
+ARG USER_GID=$USER_UID
+RUN groupadd --gid $USER_GID $USERNAME \
+    && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME
+RUN mkdir /data && chown -R ${USERNAME}:${USERNAME} /data
+
 WORKDIR /app
-COPY --from=base /app/node_modules /app/node_modules
-ADD package.json app.js ./
-ADD src ./src
-ADD migrations ./migrations
+COPY --from=base --chown=${USER_UID}:${USER_GID} /app/node_modules /app/node_modules
+ADD --chown=${USER_UID}:${USER_GID} package.json app.js ./
+ADD --chown=${USER_UID}:${USER_GID} src ./src
+ADD --chown=${USER_UID}:${USER_GID} migrations ./migrations
+USER ${USER_UID}
 ENTRYPOINT ["/usr/bin/tini","-g",  "--"]
 EXPOSE 5006
 CMD ["node", "app.js"]
diff --git a/docker/edge-alpine.Dockerfile b/docker/edge-alpine.Dockerfile
@@ -16,12 +16,20 @@ RUN unzip /tmp/desktop-client.zip -d /public
 
 FROM alpine:3.17 as prod
 RUN apk add --no-cache nodejs tini
+
+ARG USERNAME=appuser
+ARG USER_UID=1001
+ARG USER_GID=$USER_UID
+RUN addgroup -S ${USERNAME} -g ${USER_GID} && adduser -S ${USERNAME} -G ${USERNAME} -u ${USER_UID}
+RUN mkdir /data && chown -R ${USERNAME}:${USERNAME} /data
+
 WORKDIR /app
-COPY --from=base /app/node_modules /app/node_modules
-COPY --from=base /public /public
-ADD package.json app.js ./
-ADD src ./src
-ADD migrations ./migrations
+COPY --from=base --chown=${USER_UID}:${USER_GID} /app/node_modules /app/node_modules
+COPY --from=base --chown=${USER_UID}:${USER_GID} /public /public
+ADD --chown=${USER_UID}:${USER_GID} package.json app.js ./
+ADD --chown=${USER_UID}:${USER_GID} src ./src
+ADD --chown=${USER_UID}:${USER_GID} migrations ./migrations
+USER ${USER_UID}
 ENTRYPOINT ["/sbin/tini","-g",  "--"]
 ENV ACTUAL_WEB_ROOT=/public
 EXPOSE 5006

diff --git a/docker/edge-ubuntu.Dockerfile b/docker/edge-ubuntu.Dockerfile
@@ -15,12 +15,21 @@ RUN unzip /tmp/desktop-client.zip -d /public
 
 FROM node:18-bullseye-slim as prod
 RUN apt-get update && apt-get install tini && apt-get clean -y && rm -rf /var/lib/apt/lists/*
+
+ARG USERNAME=appuser
+ARG USER_UID=1001
+ARG USER_GID=$USER_UID
+RUN groupadd --gid $USER_GID $USERNAME \
+    && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME
+RUN mkdir /data && chown -R ${USERNAME}:${USERNAME} /data
+
 WORKDIR /app
-COPY --from=base /app/node_modules /app/node_modules
-COPY --from=base /public /public
-ADD package.json app.js ./
-ADD src ./src
-ADD migrations ./migrations
+COPY --from=base --chown=${USER_UID}:${USER_GID} /app/node_modules /app/node_modules
+COPY --from=base --chown=${USER_UID}:${USER_GID} /public /public
+ADD --chown=${USER_UID}:${USER_GID} package.json app.js ./
+ADD --chown=${USER_UID}:${USER_GID} src ./src
+ADD --chown=${USER_UID}:${USER_GID} migrations ./migrations
+USER ${USER_UID}
 ENTRYPOINT ["/usr/bin/tini","-g",  "--"]
 ENV ACTUAL_WEB_ROOT=/public
 EXPOSE 5006

diff --git a/docker/stable-alpine.Dockerfile b/docker/stable-alpine.Dockerfile
@@ -8,11 +8,19 @@ RUN if [ "$(uname -m)" = "armv7l" ]; then npm install bcrypt better-sqlite3 --bu
 
 FROM alpine:3.17 as prod
 RUN apk add --no-cache nodejs tini
+
+ARG USERNAME=appuser
+ARG USER_UID=1001
+ARG USER_GID=$USER_UID
+RUN addgroup -S ${USERNAME} -g ${USER_GID} && adduser -S ${USERNAME} -G ${USERNAME} -u ${USER_UID}
+RUN mkdir /data && chown -R ${USERNAME}:${USERNAME} /data
+
 WORKDIR /app
-COPY --from=base /app/node_modules /app/node_modules
-ADD package.json app.js ./
-ADD src ./src
-ADD migrations ./migrations
+COPY --from=base --chown=${USER_UID}:${USER_GID} /app/node_modules /app/node_modules
+ADD --chown=${USER_UID}:${USER_GID} package.json app.js ./
+ADD --chown=${USER_UID}:${USER_GID} src ./src
+ADD --chown=${USER_UID}:${USER_GID} migrations ./migrations
+USER ${USER_UID}
 ENTRYPOINT ["/sbin/tini","-g",  "--"]
 EXPOSE 5006
 CMD ["node", "app.js"]
diff --git a/docker/stable-ubuntu.Dockerfile b/docker/stable-ubuntu.Dockerfile
@@ -7,11 +7,20 @@ RUN yarn workspaces focus --all --production
 
 FROM node:18-bullseye-slim as prod
 RUN apt-get update && apt-get install tini && apt-get clean -y && rm -rf /var/lib/apt/lists/*
+
+ARG USERNAME=appuser
+ARG USER_UID=1001
+ARG USER_GID=$USER_UID
+RUN groupadd --gid $USER_GID $USERNAME \
+    && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME
+RUN mkdir /data && chown -R ${USERNAME}:${USERNAME} /data
+
 WORKDIR /app
-COPY --from=base /app/node_modules /app/node_modules
-ADD package.json app.js ./
-ADD src ./src
-ADD migrations ./migrations
+COPY --from=base --chown=${USER_UID}:${USER_GID} /app/node_modules /app/node_modules
+ADD --chown=${USER_UID}:${USER_GID} package.json app.js ./
+ADD --chown=${USER_UID}:${USER_GID} src ./src
+ADD --chown=${USER_UID}:${USER_GID} migrations ./migrations
+USER ${USER_UID}
 ENTRYPOINT ["/usr/bin/tini","-g",  "--"]
 EXPOSE 5006
 CMD ["node", "app.js"]
diff --git a/upcoming-release-notes/300.md b/upcoming-release-notes/300.md
@@ -0,0 +1,6 @@
+---
+category: Maintenance
+authors: [hkiang01]
+---
+
+Non-root users for Dockerfiles