From 1aca4c4a41fa294f5715382aaad4154d29c772c0 Mon Sep 17 00:00:00 2001
From: Marcel
Date: Sun, 17 May 2026 16:46:25 +0200
Subject: [PATCH] security(ocr): add non-root user and set HOME/HF_HOME in Dockerfile
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CIS Docker ยง4.1: run uvicorn as UID 1000 (ocr) instead of root. Creates /home/ocr and /app/cache with correct ownership so named volumes inherit ocr:ocr on first Docker mount. Sets HOME and HF_HOME so ~ expansion and Hugging Face caching resolve under /app, not /root.

Co-Authored-By: Claude Sonnet 4.6
---
 ocr-service/Dockerfile | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/ocr-service/Dockerfile b/ocr-service/Dockerfile
index 2de1d862..e6d60360 100644
--- a/ocr-service/Dockerfile
+++ b/ocr-service/Dockerfile
@@ -23,8 +23,16 @@ RUN pip install --no-cache-dir -r requirements.txt
 COPY . .
+RUN useradd --no-create-home --shell /usr/sbin/nologin --uid 1000 ocr \
+ && mkdir -p /home/ocr /app/models /app/cache \
+ && chown -R ocr:ocr /app /home/ocr
 RUN chmod +x /app/entrypoint.sh
+ENV HOME=/home/ocr
+ENV HF_HOME=/app/cache
+
+USER ocr
+
 EXPOSE 8000
 CMD ["/app/entrypoint.sh"]
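Review bot: The `chown -R ocr:ocr /app /home/ocr` in the new RUN hands the runtime user write access to the whole application tree, including the source copied by `COPY . .` and `/app/entrypoint.sh`, so a compromised uvicorn process can still rewrite the code it executes; only the directories the service must write to should be owned by ocr. Narrow it to `&& chown -R ocr:ocr /home/ocr /app/models /app/cache` and leave the rest of /app root-owned and read-only (if entrypoint.sh or the app writes elsewhere under /app, that path should be listed explicitly rather than opening the tree). The recursive chown after `COPY . .` also duplicates every file in /app into a new layer; if write access to the sources were ever needed, `COPY --chown=ocr:ocr . .` after the useradd avoids that. The commit message's claim that volumes inherit ocr:ocr on first mount holds for Docker named volumes created empty, but not for bind mounts or pre-provisioned Kubernetes volumes, so a `# NOTE: ownership is only inherited by empty named volumes` comment next to the mkdir would save the next maintainer a surprise. `useradd --uid 1000` without an explicit `--gid` leaves the group id to the distro default, which is worth pinning if the deployment sets runAsGroup.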