From 46384c7ce6999c858c315ba33d1d7d8f2d115e5b Mon Sep 17 00:00:00 2001
From: Hadrien Patte
Date: Mon, 22 Apr 2024 20:50:45 +0200
Subject: [PATCH] Run as nonroot user
---
 images/prowlarr/Dockerfile | 13 +++++++++++--
 images/radarr/Dockerfile | 13 +++++++++++--
 images/sonarr/Dockerfile | 13 +++++++++++--
 3 files changed, 33 insertions(+), 6 deletions(-)
diff --git a/images/prowlarr/Dockerfile b/images/prowlarr/Dockerfile
index 42ce21e..82a4bc9 100644
--- a/images/prowlarr/Dockerfile
+++ b/images/prowlarr/Dockerfile
@@ -14,10 +14,18 @@ RUN \
 --root /rootfs \
 base-files_base \
 base-files_release-info \
- base-passwd_data \
 ca-certificates_data \
 dotnet-runtime-8.0_libs \
- libsqlite3-0_libs
+ libsqlite3-0_libs \
+ && useradd \
+ --root /rootfs \
+ --system \
+ --no-create-home \
+ --uid 1000 \
+ nonroot \
+ && rm /rootfs/etc/.pwd.lock \
+ && mkdir /rootfs/config \
+ && chown 1000 /rootfs/config
 # Download prowlarr
 RUN \
@@ -33,4 +41,5 @@ FROM scratch
 COPY --from=builder /rootfs /
 COPY --from=builder /Prowlarr /Prowlarr
+USER nonroot
 ENTRYPOINT ["/Prowlarr/Prowlarr", "--nobrowser", "--data=/config"]
diff --git a/images/radarr/Dockerfile b/images/radarr/Dockerfile
index c77e9c2..e3934cb 100644
--- a/images/radarr/Dockerfile
+++ b/images/radarr/Dockerfile
@@ -14,10 +14,18 @@ RUN \
 --root /rootfs \
 base-files_base \
 base-files_release-info \
- base-passwd_data \
 ca-certificates_data \
 dotnet-runtime-8.0_libs \
- libsqlite3-0_libs
+ libsqlite3-0_libs \
+ && useradd \
+ --root /rootfs \
+ --system \
+ --no-create-home \
+ --uid 1000 \
+ nonroot \
+ && rm /rootfs/etc/.pwd.lock \
+ && mkdir /rootfs/config \
+ && chown 1000 /rootfs/config
 # Download radarr
 RUN \
@@ -33,4 +41,5 @@ FROM scratch
 COPY --from=builder /rootfs /
 COPY --from=builder /Radarr /Radarr
+USER nonroot
 ENTRYPOINT ["/Radarr/Radarr", "--nobrowser", "--data=/config"]
diff --git a/images/sonarr/Dockerfile b/images/sonarr/Dockerfile
index 1fc8d11..250d0f3 100644
--- a/images/sonarr/Dockerfile
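Review bot: In the first hunk of images/prowlarr/Dockerfile, `chown 1000 /rootfs/config` only sets the owner of the directory baked into the image, so a bind mount or an existing volume placed over `/config` keeps its previous ownership and the process now running as UID 1000 may be unable to write its data there. A comment above the `useradd` step, for example `# /config must be writable by UID 1000; data written by earlier root-running images needs a one-time chown`, would make that requirement visible to operators. The `useradd` call also passes no group option, so the primary group depends on the builder's defaults, which are not visible here; adding `--user-group` would make the account's group explicit. The same applies to the matching hunks in images/radarr/Dockerfile and images/sonarr/Dockerfile, and the RUN instruction begins outside the hunk.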
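Review bot: `USER nonroot` in the second hunk of images/prowlarr/Dockerfile names the account instead of its UID, and Kubernetes cannot enforce `runAsNonRoot: true` against an image whose user is non-numeric: the kubelet refuses to start the container because it cannot verify that the user is not root. Since the first hunk already pins the account to UID 1000, `USER 1000` keeps the same identity and lets runtimes and admission policies check it without resolving a name through the image's `/etc/passwd`. The same line is added in images/radarr/Dockerfile and images/sonarr/Dockerfile.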
+++ b/images/sonarr/Dockerfile
@@ -14,10 +14,18 @@ RUN \
 --root /rootfs \
 base-files_base \
 base-files_release-info \
- base-passwd_data \
 ca-certificates_data \
 dotnet-runtime-8.0_libs \
- libsqlite3-0_libs
+ libsqlite3-0_libs \
+ && useradd \
+ --root /rootfs \
+ --system \
+ --no-create-home \
+ --uid 1000 \
+ nonroot \
+ && rm /rootfs/etc/.pwd.lock \
+ && mkdir /rootfs/config \
+ && chown 1000 /rootfs/config
 # Download sonarr
 RUN \
@@ -33,4 +41,5 @@ FROM scratch
 COPY --from=builder /rootfs /
 COPY --from=builder /Sonarr /Sonarr
+USER nonroot
 ENTRYPOINT ["/Sonarr/Sonarr", "--nobrowser", "--data=/config"]