From a151b891b94e2bbcf6cc17b5cd6770e491888c38 Mon Sep 17 00:00:00 2001
From: "Ivana Yovcheva (VMware)"
Date: Mon, 9 Jul 2018 18:29:56 +0300
Subject: [PATCH] Update node-armhf template to use non-root user

This updates the node-armhf function template to use a non-root user. Creates `app` system user and `app` group
Signed-off-by: Ivana Yovcheva (VMware)
---
 template/node-armhf/Dockerfile | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/template/node-armhf/Dockerfile b/template/node-armhf/Dockerfile
index 55a42886..2c41574d 100644
--- a/template/node-armhf/Dockerfile
+++ b/template/node-armhf/Dockerfile
@@ -1,5 +1,7 @@
 FROM arm32v6/alpine:3.6
+RUN addgroup -S app && adduser app -S -G app
+
 RUN apk add --no-cache nodejs nodejs-npm ca-certificates
 RUN apk --no-cache add curl \
 && echo "Pulling watchdog binary from Github." \
@@ -7,18 +9,32 @@ RUN apk --no-cache add curl \
 && chmod +x /usr/bin/fwatchdog \
 && apk del curl --no-cache
-WORKDIR /root/
+RUN mkdir -p /home/app
+
+# Wrapper/boot-strapper
+WORKDIR /home/app
 COPY package.json .
 RUN npm i
+
+WORKDIR /home/app/function
+
 COPY index.js .
 COPY function function
-WORKDIR /root/function
 ENV NPM_CONFIG_LOGLEVEL warn
 RUN npm i || :
-WORKDIR /root/
+
+COPY --chown=app:app function/ .
+
+WORKDIR /home/app/
+
+RUN chmod +rx -R ./function \
+ && chown app:app -R /home/app \
+ && chmod 777 /tmp
+
+USER app
 ENV cgi_headers="true"
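Review bot: The added `RUN addgroup -S app && adduser app -S -G app` in the first hunk lets the base image pick the UID and GID, so the later `USER app` is a name-only identity. A runtime that enforces non-root by number (for example Kubernetes `runAsNonRoot`) cannot verify a named user, and the assigned UID can shift when the base image changes. Consider pinning both, e.g. `RUN addgroup -S -g 10001 app && adduser -S -u 10001 -G app app`, and switching with `USER 10001`; the value 10001 is a constructed example, not taken from the project.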
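Review bot: `chmod 777 /tmp` in the last added `RUN` of the second hunk sets the mode to exactly 0777, which clears the sticky bit that Alpine normally ships on /tmp (1777). Without it, any user in the container can delete or replace temp files owned by another user. Use `&& chmod 1777 /tmp`, or drop the step if the base image's /tmp is already world-writable. Separately, as the hunk reads, `WORKDIR /home/app/function` now precedes `COPY index.js .` and `COPY function function`, so the wrapper and a nested `function/function` copy land under the function directory, and `RUN npm i || :` still writes there as root before the recursive `chown app:app -R /home/app` fixes ownership in an extra layer. The intended layout should be confirmed against whatever starts `index.js`, which is outside this hunk.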