From e54c66a2f025491ed466211b2acfddc5d82674f0 Mon Sep 17 00:00:00 2001
From: Matt Conway
Date: Mon, 13 Feb 2023 11:18:40 -0500
Subject: [PATCH] Use non-root user and prevent writing to Gemfile.lock at runtime
---
 Dockerfile | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index cc61b4c..39c7176 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,10 +1,13 @@
 FROM ruby:3.0-alpine AS base
+ARG APP_USER_UID=65532
+ARG APP_USER_GID=65532
+
 ENV APP_DIR="/srv/app" \
 BUNDLE_PATH="/srv/bundler" \
 BUILD_PACKAGES="build-base ruby-dev" \
 APP_PACKAGES="bash curl tzdata git less" \
-RELEASE_PACKAGES="bash" \
+RELEASE_PACKAGES="bash shadow" \
 APP_USER="app"
 # Thes env var definitions reference values from the previous definitions, so
@@ -55,9 +58,18 @@ RUN apk add --no-cache \
 --virtual app \
 $RELEASE_PACKAGES
+# Create a non-root user for running the container
+RUN groupadd -g $APP_USER_GID $APP_USER
+RUN useradd --no-log-init --create-home --shell /bin/false --gid $APP_USER_GID --uid $APP_USER_UID $APP_USER
+
 COPY --from=build $BUNDLE_PATH $BUNDLE_PATH
 COPY --from=build $APP_DIR $APP_DIR
+# make sure Gemfile.lock has correct platform so running doesn't require touching it
+RUN ruby -r 'bundler/setup' -e ''
+
+USER ${APP_USER}
+
 # Specify the script to use when running the container
 ENTRYPOINT ["entrypoint.sh"]
 # Start the main app process by sending the "app" parameter to the entrypoint
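Review bot: The `RUN groupadd` / `RUN useradd` lines only need the `shadow` package at build time, yet the first hunk adds it to RELEASE_PACKAGES so it stays in the runtime image; on this Alpine base the busybox builtins avoid that and fold the two layers into one, `RUN addgroup -S -g $APP_USER_GID $APP_USER && adduser -S -D -s /bin/false -u $APP_USER_UID -G $APP_USER $APP_USER` (if I recall correctly, shadow also ships setuid helpers a non-root runtime image has no use for). The uid/gid come from `ARG`s declared in the `base` stage in the first hunk; if this apk/useradd block lives in a later stage (e.g. `FROM base AS …`), those ARGs are out of scope there and expand to empty, so they would have to be redeclared with `ARG APP_USER_UID` / `ARG APP_USER_GID` in that stage. Since a fixed numeric id is already available, `USER ${APP_USER_UID}:${APP_USER_GID}` would let runtimes that enforce a non-root uid verify it without resolving /etc/passwd. The two `COPY --from=build` trees and the lock file rewritten by `RUN ruby -r 'bundler/setup' -e ''` remain root-owned, which matches the read-only intent stated in the comment; if the app writes anywhere under $APP_DIR at runtime (tmp, log, cache), that directory should be created with an explicit `--chown` for the app user rather than chowning the whole tree.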