🔒(build) improve dockerfile security measures

Author: NielsCodes

src/mpa/rspamd/Dockerfile

@@ -1,7 +1,7 @@
 FROM debian:12.10-slim
 
 RUN apt-get update && \
-    apt-get install -y lsb-release wget gpg ruby nginx netcat-openbsd procps && \
+    apt-get install -y --no-install-recommends lsb-release wget gpg ruby nginx netcat-openbsd procps && \
     rm -rf /var/lib/apt/lists/*
 RUN mkdir -p /etc/apt/keyrings
 RUN wget -O- https://rspamd.com/apt-stable/gpg.key | gpg --dearmor | tee /etc/apt/keyrings/rspamd.gpg > /dev/null
@@ -28,6 +28,11 @@ COPY start.sh /start.sh
 
 RUN chmod +x /start.sh
 
+# Ensure _rspamd user can write nginx config at runtime
+RUN chown -R _rspamd:_rspamd /etc/nginx
+
 ENV PORT=8010
 
+USER _rspamd
+
 CMD ["/start.sh"]

src/mpa/tests/Dockerfile

@@ -6,3 +6,8 @@ COPY requirements.txt .
 RUN pip install --no-cache-dir -r requirements.txt
 
 COPY . .
+
+# Ensure nobody user can write pytest cache files
+RUN chown -R nobody:nogroup /app
+
+USER nobody

src/socks-proxy/Dockerfile

@@ -4,10 +4,7 @@ ARG DANTE_VER=1.4.4
 ARG DANTE_URL=https://www.inet.no/dante/files/dante-$DANTE_VER.tar.gz
 ARG DANTE_SHA256=1973c7732f1f9f0a4c0ccf2c1ce462c7c25060b25643ea90f9b98f53a813faec
 
-RUN <<EOR
-apt-get update
-apt-get install -y build-essential curl
-EOR
+RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates build-essential curl && rm -rf /var/lib/apt/lists/*
 
 RUN <<EOR
 set -eu
@@ -26,5 +23,7 @@ COPY --from=base /usr/local/sbin/sockd /usr/local/sbin/sockd
 
 COPY --chmod=0755 entrypoint.sh /entrypoint.sh
 
+USER nobody
+
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["/usr/local/sbin/sockd"]

src/socks-proxy/tests/Dockerfile

@@ -15,5 +15,10 @@ RUN pip install --no-cache-dir -r requirements.txt
 # Copy test files
 COPY . .
 
+# Ensure nobody user can write pytest cache and coverage files
+RUN chown -R nobody:nogroup /app
+
+USER nobody
+
 # Default command (can be overridden)
 CMD ["pytest", "-v"]