From 688efc636132b968117d236f9e7adffd94dc975d Mon Sep 17 00:00:00 2001
From: long-agent <admin@sub2api.local>
Date: Thu, 9 Apr 2026 11:31:32 +0800
Subject: [PATCH] security: run container as non-root user

- Add appgroup and appuser (uid 1000)
- Set ownership of /app directory to appuser
- Switch to non-root user before running server
---
 Dockerfile | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 459c12f..42a3a83 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -26,13 +26,16 @@ WORKDIR /app
 # 安装运行时依赖
 RUN apk add --no-cache ca-certificates tzdata
 
+# 创建非 root 用户
+RUN addgroup -g 1000 appgroup && adduser -u 1000 -G appgroup -s /bin/sh -D appuser
+
 # 从构建阶段复制二进制文件
 COPY --from=builder /build/server .
 COPY --from=builder /build/configs ./configs
 COPY --from=builder /build/data ./data
 
-# 创建日志目录
-RUN mkdir -p /app/logs
+# 创建日志目录并设置权限
+RUN mkdir -p /app/logs && chown -R appuser:appgroup /app
 
 # 设置时区
 ENV TZ=Asia/Shanghai
@@ -45,5 +48,8 @@ EXPOSE 8080
 HEALTHCHECK --interval=30s --timeout=10s --retries=3 --start-period=5s \
     CMD wget -q --spider http://localhost:8080/api/v1/health || exit 1
 
+# 切换到非 root 用户
+USER appuser
+
 # 启动命令
 CMD ["./server"]