From 96fced8e567f56d8de540dd097c80c7648dc046f Mon Sep 17 00:00:00 2001
From: BOPOHA
Date: Sat, 30 Oct 2021 22:12:02 +0200
Subject: [PATCH] Run app with non-root user; fix #100
---
 Dockerfile | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index c8a42bd9d..4a3c0b973 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,6 +2,10 @@ ARG GO_VERSION=1.17
 FROM golang:${GO_VERSION}-alpine as build
+# empty dir and /etc/passwd file to run transfer with unprivileged user
+RUN install -g nobody -o nobody -m 0770 -d /tmp/empty-dir-owned-by-nobody
+RUN echo 'nobody:x:65534:65534:nobody:/:/sbin/nologin' > /tmp/passwd
+
 # Necessary to run 'go get' and to compile the linked binary
 RUN apk add git musl-dev
@@ -17,9 +21,12 @@ RUN CGO_ENABLED=0 go build -tags netgo -ldflags "-X github.com/dutchcoders/trans
 FROM scratch AS final
 LABEL maintainer="Andrea Spacca "
+COPY --chown=65534:65534 --from=build /tmp/empty-dir-owned-by-nobody /tmp
+COPY --from=build /tmp/passwd /etc/passwd
 COPY --from=build /go/bin/transfersh /go/bin/transfersh
 COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+USER nobody
 ENTRYPOINT ["/go/bin/transfersh", "--listener", ":8080"]
 EXPOSE 8080
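Review bot: The two added `RUN` lines in the build stage identify the same account in two different ways: `install -g nobody -o nobody` relies on the golang alpine image mapping that name to 65534, while the generated passwd line hard-codes 65534. Using the numeric ids in both places, `RUN install -o 65534 -g 65534 -m 0770 -d /tmp/empty-dir-owned-by-nobody`, keeps this step independent of the base image's own /etc/passwd and matches the `--chown=65534:65534` used in the final stage. The comment would also read better if it said why the directory is prepared here, for example `# scratch has no shell, so the writable /tmp and the passwd entry are prepared in the build stage`.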
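Review bot: `USER nobody` in the final stage is a name rather than a uid, and Kubernetes' `runAsNonRoot` check cannot verify a non-numeric image user, so a pod with that setting would be refused even though the process is unprivileged. `USER 65534:65534` states the same identity in a form an orchestrator can verify and does not depend on the copied /etc/passwd to resolve it. Separately, deployments that mount an existing storage volume written by the earlier root container will presumably need its ownership changed to 65534 before upgrading; a line in the README or release notes would cover that.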