From 5231b277d03d340ec2dbe24fad8c0fae4b768045 Mon Sep 17 00:00:00 2001
From: Lyra Thorpe <iam@emmathe.dev>
Date: Wed, 17 Jun 2026 17:16:29 +0100
Subject: [PATCH] chore: run container as non-root user

Create a dedicated appuser/appuser system user and group, ensure the
copied application file is owned by it, and switch to that user with
USER before CMD. EXPOSE 110 25 is unchanged; ports are published via the
host -p mapping, so binding them as non-root works in the default Docker
network namespace without CAP_NET_BIND_SERVICE.

Fixes #7

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 Dockerfile | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 89c1dea..b6a8d90 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,11 +3,16 @@ FROM python:3.12-slim
 WORKDIR /app
 ENV PYTHONUNBUFFERED=1
 
+# Create a dedicated non-root user and group to run the proxy.
+RUN groupadd --system appuser && useradd --system --gid appuser appuser
+
 COPY requirements.txt ./
 RUN pip install --no-cache-dir -r requirements.txt
 
-COPY proxy_server.py ./
+COPY --chown=appuser:appuser proxy_server.py ./
 
 EXPOSE 110 25
 
+USER appuser
+
 CMD ["python", "proxy_server.py"]
-- 
2.52.0