Dockerfile runtime stage runs as root — output files on host owned by root

## Problem

The runtime stage of the `Dockerfile` never drops root privileges. As a result, all files written to bind-mounted `/data/*` paths (outputs, checkpoints, logs, cache, splits) end up owned by `root` on the host, which is both a security concern (increases the container's blast radius) and a practical inconvenience.

## Suggested fix

Add a dedicated non-root system user in the runtime stage, `chown` the application and data directories to that user, and add a `USER` directive before `ENTRYPOINT`:

```dockerfile
RUN groupadd --system waterflow \
    && useradd --system --create-home --gid waterflow waterflow

# (after all COPY/mkdir steps)
RUN chown -R waterflow:waterflow /app /data

USER waterflow
ENTRYPOINT ["/app/entrypoint.sh"]
```

## References

- Flagged during code review of PR #69: https://github.com/diff-use/WaterFlow/pull/69#discussion_r2983376899
- Requested by @marcuscollins

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Dockerfile runtime stage runs as root — output files on host owned by root #73

Problem

Suggested fix

References

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Dockerfile runtime stage runs as root — output files on host owned by root #73

Description

Problem

Suggested fix

References

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions