From 5bfecfcefe3f0e9dc92185c2bfe64a1c5bcb27fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Wed, 3 Jun 2020 01:35:08 +0200
Subject: [PATCH] Run docker as non root, copy package-json.lock
---
 backend/Dockerfile | 15 ++++++++++-----
 backend/entrypoint.sh | 17 +++++++++++++++++
 2 files changed, 27 insertions(+), 5 deletions(-)
 create mode 100755 backend/entrypoint.sh
diff --git a/backend/Dockerfile b/backend/Dockerfile
index 5e42ad8..d4ce0c5 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -1,20 +1,25 @@
 FROM alpine:3.12
+ENV UID=1000 GID=1000
+RUN export user=youtube \
+ && addgroup -S $user -g $GID && adduser -D -S $user -G $user -u $UID
+USER $user
+
 RUN apk add --no-cache \
+ ffmpeg \
 npm \
 python2 \
- ffmpeg \
+ su-exec \
 && apk add --no-cache --repository http://dl-cdn.alpinelinux.org/alpine/edge/testing/ \
 atomicparsley
 WORKDIR /app
-COPY package.json /app/
-
+COPY --chown=$UID:$GID [ "package.json", "package-lock.json", "/app/" ]
 RUN npm install
-COPY ./ /app/
+COPY --chown=$UID:$GID [ "./", "/app/" ]
 EXPOSE 17442
-
+ENTRYPOINT [ "/app/entrypoint.sh" ]
 CMD [ "node", "app.js" ]
diff --git a/backend/entrypoint.sh b/backend/entrypoint.sh
new file mode 100755
index 0000000..137e984
--- /dev/null
+++ b/backend/entrypoint.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+set -eu
+
+CMD="node app.js"
+
+# if the first arg starts with "-" pass it to program
+if [ "${1#-}" != "$1" ]; then
+ set -- "$CMD" "$@"
+fi
+
+# chown current working directory to current user
+if [ "$@" = "$CMD" ] && [ "$(id -u)" = "0" ]; then
+ find . \! -user "$UID" -exec chown "$UID:$GID" -R '{}' +
+ exec su-exec "$UID:$GID" "$0" "$@"
+fi
+
+exec "$@"
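Review bot: `USER $user` in the Dockerfile hunk refers to a variable that is only exported inside the preceding `RUN` shell; Dockerfile substitution sees only `ENV`/`ARG` values, so `$user` is most likely empty at that instruction and the image does not switch user there as intended. If the switch did take effect, the later `RUN apk add` and `RUN npm install` would run unprivileged, and the root-only `su-exec` branch added in entrypoint.sh could never run, so the two mechanisms conflict. I would pick one model: drop the `USER` line and rely on the entrypoint, or place `USER $UID:$GID` after the install steps and skip the `su-exec` path. Either way a comment such as `# container starts as root; entrypoint.sh drops to $UID:$GID via su-exec` would state which user the process is meant to end up as.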
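Review bot: The privilege drop in entrypoint.sh is guarded by `[ "$@" = "$CMD" ]`, which expands to two words under the Dockerfile's `CMD [ "node", "app.js" ]`, so `[` fails with a usage error instead of comparing. Because that failure happens inside an `if` condition, `set -e` does not abort; the chown and `su-exec` branch is silently skipped and `node` keeps running as whatever user started the container. Guarding on the user alone, `if [ "$(id -u)" = "0" ]; then`, drops privileges for every command rather than only the default one, and the re-exec still falls through to `exec "$@"` once the uid is non-zero. The flag branch has a related quoting problem: `set -- "$CMD" "$@"` passes `node app.js` as a single program name, where `set -- node app.js "$@"` keeps the words separate.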