From 6e7202083107466e095e782508d66ee50658949d Mon Sep 17 00:00:00 2001
From: Kim Carter
Date: Mon, 12 Sep 2016 14:35:28 +1200
Subject: [PATCH 1/4] Docker as non root user. docker-compose build now succeeds.

---
 Dockerfile   | 22 ++++++++++++++++++----
 package.json |  2 +-
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 3a9760a82..5909d4bde 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,10 +1,24 @@
 FROM node:4.4
 
-RUN mkdir -p /usr/src/app
-WORKDIR /usr/src/app
-COPY package.json /usr/src/app/
+ENV user nodegoat_docker
+ENV workdir /usr/src/app/
+
+RUN useradd --create-home --system --shell /bin/false nodegoat_docker_compose
+
+# Home is required for npm install. System account with no ability to login to shell
+RUN useradd --create-home --system --shell /bin/false $user
+
+RUN mkdir -p $workdir
+WORKDIR $workdir
+COPY package.json $workdir
+
+# chown is required by npm install.
+RUN chown $user --recursive $workdir
+# Then all further actions including running the containers should be done under non-root user.
+USER $user
+
 RUN npm install
-COPY . /usr/src/app/
+COPY . $workdir
 
 # Neither of the following work, because the mongo container isn't yet running.
 #RUN node artifacts/db-reset.js
diff --git a/package.json b/package.json
index d8607ac11..368b70a52 100644
--- a/package.json
+++ b/package.json
@@ -29,7 +29,7 @@
   },
   "devDependencies": {
     "async": "^2.0.0-rc.4",
-    "grunt": "^1.0.1",
+    "grunt": "~0.4.5",
     "grunt-cli": "^1.2.0",
     "grunt-concurrent": "^2.3.0",
     "grunt-contrib-jshint": "^1.0.0",

From ec0cbc83486f7c2ccfd05e9a940405f986dd13a3 Mon Sep 17 00:00:00 2001
From: Kim Carter
Date: Tue, 13 Sep 2016 13:50:31 +1200
Subject: [PATCH 2/4] Removed redundant line in Dockerfile. Mongod now running as non-root user.

---
 Dockerfile         | 2 --
 docker-compose.yml | 1 +
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 5909d4bde..cb63de68f 100644
--- a/Dockerfile
+++ b/Dockerfile
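Review bot: `ENV user nodegoat_docker` and `ENV workdir /usr/src/app/` are build-time settings that end up in every container's runtime environment, and both use the legacy space-separated `ENV key value` form. Since they only feed `useradd`, `chown`, `WORKDIR`, `COPY` and `USER`, `ARG user=nodegoat_docker` and `ARG workdir=/usr/src/app/` give the same expansion during the build without leaking into the image's env. The comment above `RUN useradd` says why a home directory is needed but not why the UID is left to `useradd --system`; if this image is ever scheduled somewhere that verifies non-root by UID, a fixed `--uid 10001` makes that check independent of what the base image already has allocated. The package.json hunk on this same line only moves the `grunt` range and needs no comment.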
@@ -3,8 +3,6 @@ FROM node:4.4
 ENV user nodegoat_docker
 ENV workdir /usr/src/app/
 
-RUN useradd --create-home --system --shell /bin/false nodegoat_docker_compose
-
 # Home is required for npm install. System account with no ability to login to shell
 RUN useradd --create-home --system --shell /bin/false $user
 
diff --git a/docker-compose.yml b/docker-compose.yml
index 3afdf1bd7..633e6e725 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,5 +10,6 @@ services:
       - mongo
   mongo:
     image: mongo:latest
+    user: mongodb
     expose:
       - "27017"

From b723ccb174564b627750bd795a78abfe84251b72 Mon Sep 17 00:00:00 2001
From: Kim Carter
Date: Tue, 13 Sep 2016 20:58:24 +1200
Subject: [PATCH 3/4] Reaply non-root user ownership after docker COPY and remove other permissions.

---
 Dockerfile | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index cb63de68f..68e7d0124 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,14 +10,23 @@ RUN mkdir -p $workdir
 WORKDIR $workdir
 COPY package.json $workdir
 
-# chown is required by npm install.
-RUN chown $user --recursive $workdir
+# chown is required by npm install as a non-root user.
+RUN chown $user:$user --recursive $workdir
+
 # Then all further actions including running the containers should be done under non-root user.
 USER $user
-
 RUN npm install
 COPY . $workdir
 
+# Permissions need to be reaplied, due to how docker applies root to new files.
+USER root
+RUN chown $user:$user --recursive $workdir
+RUN chmod --recursive o-wrx $workdir
+
+RUN ls -liah
+RUN ls ../ -liah
+USER $user
+
 # Neither of the following work, because the mongo container isn't yet running.
 #RUN node artifacts/db-reset.js
 #ONBUILD RUN node artifacts/db-reset.js
From 4dcfaf715acc11d2dea8b986b22c54cbcaa77481 Mon Sep 17 00:00:00 2001
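Review bot: `user: mongodb` changes how the official image starts, not only which account runs it: as far as I recall, that image's entrypoint only chowns `/data/db` and drops to the `mongodb` account via gosu when it is started as root, so with the service already running as `mongodb` a fresh named volume or bind mount still owned by root fails at startup with a permission error. A one-line comment above the key would record the intent and the precondition, e.g. `# run mongod as non-root; the data directory must already be owned by mongodb`, and the volume this service uses should be checked for that ownership. The neighbouring `image: mongo:latest` is unchanged by this commit, but an unpinned tag means the account name and entrypoint behaviour relied on here can move underneath the compose file.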
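Review bot: `RUN ls -liah` and `RUN ls ../ -liah` are debugging steps left in the build: they add two layers, print the whole tree into the build log on every build, and are not mentioned in the commit message, so they should be dropped before merge. The ownership fix itself is done as separate `RUN chown` and `RUN chmod` passes after `COPY . $workdir`; each pass rewrites every file of the application tree into a new layer, so the image carries the source roughly three times over. Combining them into one instruction, `RUN chown $user:$user --recursive $workdir && chmod --recursive o-wrx $workdir`, halves that, and on Docker 17.09 or later `COPY --chown=$user:$user . $workdir` removes the `USER root` round-trip entirely. If the build context contains a `node_modules` directory, `COPY . $workdir` also overwrites the `npm install` output from the previous step, which a `.dockerignore` excluding `node_modules` and `.git` would prevent.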
From: Kim Carter
Date: Wed, 14 Sep 2016 11:33:00 +1200
Subject: [PATCH 4/4] A little more explicit about command parameter.

---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 68e7d0124..b489ead95 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,7 +6,7 @@ ENV workdir /usr/src/app/
 # Home is required for npm install. System account with no ability to login to shell
 RUN useradd --create-home --system --shell /bin/false $user
 
-RUN mkdir -p $workdir
+RUN mkdir --parents $workdir
 WORKDIR $workdir
 COPY package.json $workdir
 
@@ -18,7 +18,7 @@ USER $user
 RUN npm install
 COPY . $workdir
 
-# Permissions need to be reaplied, due to how docker applies root to new files.
+# Permissions need to be reapplied, due to how docker applies root to new files.
 USER root
 RUN chown $user:$user --recursive $workdir
 RUN chmod --recursive o-wrx $workdir