Do not let mastodon own its files

Letting mastodon own its files allows it to overwrite them, which seems like a security risk. You don't expect postgres binary to be owned by postgres user, the same thing applies here. I also reordered `COPY` directive to make copy from build image cacheable. Previously `--link` was not available, but it is now: * moby/buildkit#2987
bobrik · Nov 20, 2022 · 4fb5ff1 · 4fb5ff1
1 parent 231e3ec
commit 4fb5ff1
Showing 1 changed file with 7 additions and 4 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -74,22 +74,25 @@ RUN apt-get update && \
 # Note: no, cleaning here since Debian does this automatically
 # See the file /etc/apt/apt.conf.d/docker-clean within the Docker image's filesystem
 
-COPY --chown=mastodon:mastodon . /opt/mastodon
-COPY --chown=mastodon:mastodon --from=build /opt/mastodon /opt/mastodon
+COPY --link --from=build /opt/mastodon /opt/mastodon
+COPY --link . /opt/mastodon
+
+RUN mkdir /opt/mastodon/tmp && chown mastodon:mastodon /opt/mastodon/tmp
 
 ENV RAILS_ENV="production" \
     NODE_ENV="production" \
     RAILS_SERVE_STATIC_FILES="true" \
     BIND="0.0.0.0"
 
-# Set the run user
-USER mastodon
 WORKDIR /opt/mastodon
 
 # Precompile assets
 RUN OTP_SECRET=precompile_placeholder SECRET_KEY_BASE=precompile_placeholder rails assets:precompile && \
     yarn cache clean
 
+# Set the run user
+USER mastodon
+
 # Set the work dir and the container entry point
 ENTRYPOINT ["/usr/bin/tini", "--"]
 EXPOSE 3000 4000