
Non-Root User Configuration to Dockerfile #769

Closed
Conversation

dave90
Contributor

@dave90 dave90 commented Apr 2, 2024

Description

Updates Dockerfile to improve container security by introducing non-root user configurations.

  • Parameterization of User and Group IDs: build-time arguments (USER_ONBUILD, UID_ONBUILD, GROUP_ONBUILD, GID_ONBUILD) to dynamically set the user ID (UID) and group ID (GID) along with the corresponding user and group names.
  • User and Group Creation: creation of a non-root user (USER_ONBUILD) and group (GROUP_ONBUILD) with the specified UID and GID.
  • Directory Ownership: The ownership of the /app directory is changed to the newly created non-root user and group

Related to issue #765

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas

@pieroit
Member

pieroit commented Apr 2, 2024

Thanks for this PR @dave90, a few questions:

  • what happens when the cat installs plugin dependencies and the user is not root? See here
  • what happens if the dev changes volumes ownership and a non-root user tries to overwrite them from within the container?

Maybe the last is not an issue.

@dave90
Contributor Author

dave90 commented Apr 2, 2024

Installation of plugin dependencies occurs before the switch to a non-root user, eliminating any potential issues. See the following snippet:

```dockerfile
...
# Plugin dependencies are installed while the build still runs as root
RUN python3 install_plugin_dependencies.py

### ADD USER ###
# Create the group and user with the requested IDs, then hand /app to them.
# Both chown and USER take user:group order (the group:user order breaks
# as soon as the user and group names differ).
RUN groupadd -g ${GID_ONBUILD} ${GROUP_ONBUILD} && \
    useradd -m -u ${UID_ONBUILD} -g ${GROUP_ONBUILD} ${USER_ONBUILD} && \
    chown -R ${USER_ONBUILD}:${GROUP_ONBUILD} /app

USER ${USER_ONBUILD}:${GROUP_ONBUILD}
...
```

@pieroit
Member

pieroit commented Apr 2, 2024

Plugins can also be installed and activated after the image has been built:

```python
self._install_requirements()
```

That makes things more complicated :(
P.S.: thanks for reasoning over this issue

@dave90
Contributor Author

dave90 commented Apr 3, 2024

Good point :). Therefore, I've updated the Dockerfile to include a local bin directory in the user's PATH. This modification enables the installation of Python packages in a local directory, allowing users to install new packages at runtime.
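
An added example (not the PR's own Dockerfile) of how the final stage can look once runtime plugin installs are expected to work without root: build-time dependencies go in as root, the user and group are created with the PR's build args, and pip is pointed at a user-local site-packages whose bin directory is on PATH. The base image, default names, `requirements.txt` and `app.py` are constructed placeholders.

```dockerfile
# Added example, not the PR's Dockerfile. Build-arg names follow the PR
# description; base image, default names and the /app layout are constructed.
FROM python:3.11-slim

ARG USER_ONBUILD=appuser
ARG UID_ONBUILD=1000
ARG GROUP_ONBUILD=appgroup
ARG GID_ONBUILD=1000

WORKDIR /app
COPY . /app

# Build-time dependencies: this layer still runs as root, so the
# root-owned system site-packages is writable here and nowhere later.
RUN pip install --no-cache-dir -r requirements.txt

# Create the unprivileged group and user with the requested IDs and hand
# /app over. chown and USER both take user:group order.
# Bind-mounted volumes keep their host ownership, so build with
# --build-arg UID_ONBUILD=$(id -u) when the container must write to them.
RUN groupadd -g "${GID_ONBUILD}" "${GROUP_ONBUILD}" \
 && useradd -m -u "${UID_ONBUILD}" -g "${GROUP_ONBUILD}" "${USER_ONBUILD}" \
 && chown -R "${USER_ONBUILD}:${GROUP_ONBUILD}" /app

# Runtime installs land in ~/.local (pip's --user scheme) instead of the
# read-only system site-packages; PIP_USER=1 makes that the default for
# any pip call the application performs, and the bin dir on PATH lets
# console scripts installed that way resolve.
ENV PATH="/home/${USER_ONBUILD}/.local/bin:${PATH}" \
    PIP_USER=1

USER ${USER_ONBUILD}:${GROUP_ONBUILD}
CMD ["python3", "app.py"]
```

Because PIP_USER only redirects pip, any plugin that writes elsewhere (for example under /usr/local) will still fail after the USER switch, which is the behaviour to verify with a throwaway plugin before relying on this.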

@pieroit
Copy link
Member

pieroit commented Apr 3, 2024

Thanks I'm going to try this out

@dave90
Contributor Author

dave90 commented Apr 24, 2024

Closed this pull request and created a new one: -> #790
