Skip to content

fix(gensui): run container as non-root user#19

Open
wstlima wants to merge 1 commit into
AlphaHorizon-AI:mainfrom
wstlima:fix/gensui-dockerfile-non-root
Open

fix(gensui): run container as non-root user#19
wstlima wants to merge 1 commit into
AlphaHorizon-AI:mainfrom
wstlima:fix/gensui-dockerfile-non-root

Conversation

@wstlima

@wstlima wstlima commented Jul 10, 2026

Copy link
Copy Markdown

Fixes #10

Summary

Trivy misconfig scan (HIGH): gensui/Dockerfile has no USER instruction, so the container runs as root — an unnecessary privilege escalation surface if any dependency (this Dockerfile pulls in torch, transformers, playwright, etc.) is ever compromised via a supply-chain issue or the app itself has an RCE.

Fix

Create a dedicated gensui user/group (uid/gid 1000), chown /app to it, switch with USER before the final CMD. Done as the last build step so earlier layers (apt-get, pip install, npm build) still run as root, which they need for package installation. /app/data and /app/logs (the VOLUME mount points) are chowned in the same RUN step.

⚠️ Migration note for existing deployments

If you already have a gensui_data/gensui_logs volume from a previous (root) container run, its files are owned by root and the new non-root user won't be able to write to them — SQLite will fail with attempt to write a readonly database on startup. Fix with either:

docker run --rm -v gensui_data:/data alpine chown -R 1000:1000 /data
docker run --rm -v gensui_logs:/logs alpine chown -R 1000:1000 /logs

...or start fresh with new volumes if the existing data isn't needed.

Test plan

  • Fresh docker compose up (new volumes) starts cleanly, whoami inside the container returns gensui (uid 1000)
  • Reusing a volume from a root-owned container reproduces the permission error until chown'd — confirmed and documented above
  • GET /api/gensui/health and GET / (frontend) both return 200 as the non-root user

Trivy misconfig scan (HIGH): gensui/Dockerfile has no USER
instruction, so the container runs as root — an unnecessary privilege
escalation surface if any dependency (this Dockerfile pulls in
torch, transformers, playwright, etc.) is ever compromised via a
supply-chain issue or the app itself has an RCE.

Fix: create a dedicated `gensui` user/group (uid/gid 1000, matching
the common non-root default so bind-mounted host directories don't
end up owned by an unexpected uid), chown /app to it, and switch to
it with USER before the final CMD. Done as the last build step so
earlier layers (apt-get, pip install, npm build) still run as root,
which they need for package installation.

/app/data and /app/logs (the VOLUME mount points) are chowned in the
same RUN step, so the non-root user can still write to them at
runtime.

MIGRATION NOTE for existing deployments: if you already have a
gensui_data / gensui_logs volume from a previous (root) container run,
its files are owned by root and the new non-root user won't be able
to write to them — SQLite will fail with "attempt to write a readonly
database" on startup. Fix with either:

  docker run --rm -v gensui_data:/data alpine chown -R 1000:1000 /data
  docker run --rm -v gensui_logs:/logs alpine chown -R 1000:1000 /logs

...or start fresh with new volumes if the existing data isn't needed.
Verified both paths: a fresh `docker compose up` (new volumes) starts
cleanly; reusing a volume from a root-owned container reproduces the
permission error until chown'd.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

gensui/Dockerfile: container runs as root

1 participant