From 581ba01d8d2a5ea54ca510bea92df3399163ffb7 Mon Sep 17 00:00:00 2001
From: Marcel
Date: Sun, 17 May 2026 16:51:00 +0200
Subject: [PATCH] security(ocr): log warning on startup when running as root

Adds a canary log line if os.getuid() == 0. Produces an observable signal in container logs if the USER directive is ever removed from the Dockerfile, without requiring an external audit tool.

Co-Authored-By: Claude Sonnet 4.6
---
 ocr-service/main.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ocr-service/main.py b/ocr-service/main.py
index bc541c78..783bf224 100644
--- a/ocr-service/main.py
+++ b/ocr-service/main.py
@@ -56,6 +56,8 @@ async def lifespan(app: FastAPI):
     """Load lightweight models at startup. Surya loads lazily on first request."""
     global _models_ready
+    if os.getuid() == 0:
+        logger.warning("Running as root — CIS Docker §4.1 violation")
     logger.info("Loading Kraken model at startup (Surya loads lazily on first OCR request)...")
     kraken_engine.load_models()
     load_spell_checker()