From 7930235efdd7b4ef4bbe94703450e3052bb965ef Mon Sep 17 00:00:00 2001
From: Lyra Thorpe <iam@emmathe.dev>
Date: Wed, 17 Jun 2026 17:33:23 +0100
Subject: [PATCH] Run container as non-root user (#11)

Adds a dedicated non-root user and switches to it before CMD. Verified the container runs as a non-root uid. Closes #7

Reviewed-on: https://code.emmathe.dev/lyrathorpe/legacy-email-proxy/pulls/11
Co-authored-by: Lyra Thorpe <iam@emmathe.dev>
Co-committed-by: Lyra Thorpe <iam@emmathe.dev>
---
 Dockerfile | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 89c1dea..b6a8d90 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,11 +3,16 @@ FROM python:3.12-slim
 WORKDIR /app
 ENV PYTHONUNBUFFERED=1
 
+# Create a dedicated non-root user and group to run the proxy.
+RUN groupadd --system appuser && useradd --system --gid appuser appuser
+
 COPY requirements.txt ./
 RUN pip install --no-cache-dir -r requirements.txt
 
-COPY proxy_server.py ./
+COPY --chown=appuser:appuser proxy_server.py ./
 
 EXPOSE 110 25
 
+USER appuser
+
 CMD ["python", "proxy_server.py"]