From c151f4f76e6a7001316f8d9e1c0a4d18568d8a7d Mon Sep 17 00:00:00 2001
From: Iaroslav Postovalov <38042667+CommanderTvis@users.noreply.github.com>
Date: Wed, 1 Oct 2025 20:04:08 +0200
Subject: [PATCH] Use non-root user in Dockerfile (#214)

---
 Dockerfile | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index a9ef1b2..8a8bd7f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,11 +8,15 @@ RUN apt-get update \
 && apt-get install -y --no-install-recommends chromium curl \
 && rm -rf /var/lib/apt/lists/*
 
+# Use predefined node user (UID 1000, GID 1000)
+# Set home directory ownership for node user
+RUN usermod -d /fredy node
+
 ENV PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true \
 PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium
 
 # Copy lockfiles first to leverage cache for dependencies
-COPY package.json yarn.lock .
+COPY --chown=node:node package.json yarn.lock .
 
 # Set Yarn timeout, install dependencies and PM2 globally
 RUN yarn config set network-timeout 600000 \
@@ -20,13 +24,13 @@ RUN yarn config set network-timeout 600000 \
 && yarn global add pm2
 
 # Copy application source and build production assets
-COPY . .
+COPY --chown=node:node . .
 RUN yarn build:frontend
 
 # Prepare runtime directories and symlinks for data and config
 RUN mkdir -p /db /conf \
- && chown 1000:1000 /db /conf \
- && chmod 777 /db /conf \
+ && chown -R node:node /fredy /db /conf \
+ && chmod 755 /db /conf \
 && ln -s /db /fredy/db \
 && ln -s /conf /fredy/conf
 
@@ -34,5 +38,8 @@ EXPOSE 9998
 VOLUME /db
 VOLUME /conf
 
+# Switch to non-root user
+USER node
+
 # Start application using PM2 runtime
 CMD ["pm2-runtime", "index.js"]
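Review bot: The comment above `RUN usermod -d /fredy node` says it sets home-directory ownership, but `usermod -d` only rewrites the home field of the passwd entry; it creates nothing and changes no ownership, which actually happens in the `chown -R node:node /fredy` step of the next hunk. Suggest rewording to `# Point the node user's home at the app dir (passwd entry only; ownership is set in the chown step below)`. The `node` user is presumably provided by the base image's FROM line, which is outside this hunk; if the base is ever switched away from the official node image, this usermod and the `--chown=node:node` flags fail at build time, so a one-line comment naming that dependency would help.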
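Review bot: `chown -R node:node /fredy /db /conf` rewrites every root-owned file under /fredy — the node_modules produced by the yarn install and the output of `yarn build:frontend` — into a new layer, so those trees are stored twice in the image; the `COPY --chown` flags already cover the copied sources, so the recursive chown is paying for the RUN steps only. A cheaper shape is to switch to `USER node` before the install and build steps (the `yarn global add pm2` still needs root and would stay in a root step), so the files are created with the right owner and no chown of /fredy is needed. If that ordering is not possible, at least limit the chown to the paths root wrote and note the layer cost in the comment, e.g. `# chown -R duplicates node_modules into a new layer; kept because yarn ran as root`. The yarn install that creates node_modules sits in the RUN starting at the end of the previous hunk, so its exact shape is outside this one.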
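Review bot: `USER node` is correctly placed after the last root step, but the writable paths /db and /conf are declared as volumes just above it: the in-image `chown`/`chmod 755` carries over only to freshly created named volumes, while a bind-mounted host directory keeps the host's ownership, and the process now running as UID 1000 may fail to write there on first start. Worth stating next to the switch so operators are not surprised: `# Runs as node (UID 1000); bind-mounted /db and /conf must be writable by that UID`. PM2 also keeps its runtime state under $HOME/.pm2, which after the usermod resolves to /fredy — fine as long as /fredy stays owned by node, which the earlier chown ensures.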