From 70c1f97625e719406897821fa55c88acc31ba05f Mon Sep 17 00:00:00 2001
From: Kieran Eglin
Date: Wed, 3 Apr 2024 17:36:52 -0700
Subject: [PATCH] re-added removal of root password
---
 selfhosted.Dockerfile | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/selfhosted.Dockerfile b/selfhosted.Dockerfile
index 5f30517e..0dfc70a7 100644
--- a/selfhosted.Dockerfile
+++ b/selfhosted.Dockerfile
@@ -108,6 +108,17 @@ EXPOSE ${PORT}
 # Only copy the final release from the build stage
 COPY --from=builder /app/_build/${MIX_ENV}/rel/pinchflat ./
 
+# NEVER do this if you're running in an environment where you don't trust the user
+# (ie: most environments). This is only acceptable in a self-hosted environment.
+# The user could just run the whole container as root and bypass this anyway so
+# it's not a huge deal.
+# This removes the root password to allow users to assume root if needed. This is
+# preferrable to running the whole container as root so that the files/directories
+# created by the app aren't owned by root and are therefore easier for other users
+# and processes to interact with. If you want to just run the whole container as
+# root, use --user 0:0 or something.
+RUN passwd -d root
+
 # If using an environment that doesn't automatically reap zombie processes, it is
 # advised to add an init process such as tini via `apt-get install`
 # above and adding an entrypoint. See https://github.com/krallin/tini for details
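Review bot: The added `RUN passwd -d root` leaves root with an empty password in the image, so the party that gains from it is not only the operator but any process inside the container: if the app is ever compromised, code running as the unprivileged user can become root without a credential (assuming `su` or an equivalent is present in the runtime image, which this hunk does not show). The comment's reasoning that the user could run the whole container as root anyway covers the operator's choice, not that in-container case. An operator can already get a root shell from outside with `docker exec -u 0 <container> sh`, which keeps app-created files owned by the app user while root stays locked; I would drop the `RUN` line and reduce the comment to `# Root stays locked; for a root shell use: docker exec -u 0 <container> sh`. If the line is kept, the comment should name the in-container escalation explicitly, and "preferrable" should read "preferable".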