From 63748371566bda4c21de5fef1264311e229e2022 Mon Sep 17 00:00:00 2001
From: cn
Date: Fri, 2 Apr 2021 10:54:48 +0200
Subject: [PATCH] docker: run as non-root user by default
---
 CHANGELOG.md | 6 ++++++
 docker/Dockerfile | 6 ++++++
 2 files changed, 12 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 641db74..afdb51b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog
+## 3.4.0 (April 2, 2021)
+
+IMPROVEMENTS:
+
+- **change** Docker image to run as non-root user `65534` by default, limits attack surface for security and gives OpenShift compatibility
+
 ## 3.3.3 (April 1, 2021)
 OTHER:
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 361c530..6d47b4e 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -12,4 +12,10 @@ RUN apk --no-cache add openssl ca-certificates && \
 cp /usr/share/zoneinfo/Europe/Berlin /etc/localtime && \
 apk del .build-deps
+# Follow the principle of least privilege: run as unprivileged user.
+# Running as non-root enables running this image in platforms like OpenShift
+# that do not allow images running as root.
+# User ID 65534 is usually user 'nobody'.
+USER 65534
+
 ENTRYPOINT ["dyndnsd", "/etc/dyndnsd/config.yml"]
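Review bot: `USER 65534` in docker/Dockerfile sets only the UID, so the group the process gets depends on whether the base image's `/etc/passwd` has an entry for 65534 (the added comment itself says only "usually"); where there is no entry, Docker runs the process with the root group (GID 0). Pinning both makes the privilege drop explicit and independent of the base image: `USER 65534:65534`. Because the entrypoint reads `/etc/dyndnsd/config.yml`, I would also extend the comment with `# The mounted config and any files it points to must be accessible to UID 65534.`, since existing deployments with root-only config files would presumably stop starting after this change. The `RUN` instruction above begins outside the hunk, so the base image and its passwd contents are not visible here.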