fix(gensui): run container as non-root user#19
Open
wstlima wants to merge 1 commit into
Open
Conversation
Trivy misconfig scan (HIGH): gensui/Dockerfile has no USER instruction, so the container runs as root — an unnecessary privilege escalation surface if any dependency (this Dockerfile pulls in torch, transformers, playwright, etc.) is ever compromised via a supply-chain issue or the app itself has an RCE. Fix: create a dedicated `gensui` user/group (uid/gid 1000, matching the common non-root default so bind-mounted host directories don't end up owned by an unexpected uid), chown /app to it, and switch to it with USER before the final CMD. Done as the last build step so earlier layers (apt-get, pip install, npm build) still run as root, which they need for package installation. /app/data and /app/logs (the VOLUME mount points) are chowned in the same RUN step, so the non-root user can still write to them at runtime. MIGRATION NOTE for existing deployments: if you already have a gensui_data / gensui_logs volume from a previous (root) container run, its files are owned by root and the new non-root user won't be able to write to them — SQLite will fail with "attempt to write a readonly database" on startup. Fix with either: docker run --rm -v gensui_data:/data alpine chown -R 1000:1000 /data docker run --rm -v gensui_logs:/logs alpine chown -R 1000:1000 /logs ...or start fresh with new volumes if the existing data isn't needed. Verified both paths: a fresh `docker compose up` (new volumes) starts cleanly; reusing a volume from a root-owned container reproduces the permission error until chown'd.
5 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #10
Summary
Trivy misconfig scan (HIGH):
gensui/Dockerfilehas noUSERinstruction, so the container runs as root — an unnecessary privilege escalation surface if any dependency (this Dockerfile pulls in torch, transformers, playwright, etc.) is ever compromised via a supply-chain issue or the app itself has an RCE.Fix
Create a dedicated
gensuiuser/group (uid/gid 1000),chown /appto it, switch withUSERbefore the finalCMD. Done as the last build step so earlier layers (apt-get, pip install, npm build) still run as root, which they need for package installation./app/dataand/app/logs(theVOLUMEmount points) are chowned in the sameRUNstep.If you already have a
gensui_data/gensui_logsvolume from a previous (root) container run, its files are owned by root and the new non-root user won't be able to write to them — SQLite will fail withattempt to write a readonly databaseon startup. Fix with either:...or start fresh with new volumes if the existing data isn't needed.
Test plan
docker compose up(new volumes) starts cleanly,whoamiinside the container returnsgensui(uid 1000)chown'd — confirmed and documented aboveGET /api/gensui/healthandGET /(frontend) both return 200 as the non-root user