marcel/familienarchiv
1
0
Fork 0
Code Issues 114 Pull Requests 2 Actions Packages Projects Releases Wiki Activity

security(ocr): log warning on startup when running as root
All checks were successful
CI / Unit & Component Tests (pull_request) Successful in 3m3s
Details
CI / OCR Service Tests (pull_request) Successful in 18s
Details
CI / Backend Unit Tests (pull_request) Successful in 3m10s
Details
CI / fail2ban Regex (pull_request) Successful in 42s
Details
CI / Semgrep Security Scan (pull_request) Successful in 19s
Details
CI / Compose Bucket Idempotency (pull_request) Successful in 59s
Details

Browse Source 
Adds a canary log line if os.getuid() == 0. Produces an observable
signal in container logs if the USER directive is ever removed from
the Dockerfile, without requiring an external audit tool.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Marcel
2026-05-17 16:51:00 +02:00
parent 9db42d6cc1
commit 581ba01d8d
1 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
ocr-service/main.py
View File

@@ -56,6 +56,8 @@ async def lifespan(app: FastAPI):
"""Load lightweight models at startup. Surya loads lazily on first request.""" """Load lightweight models at startup. Surya loads lazily on first request."""
global _models_ready global _models_ready
if os.getuid() == 0:
logger.warning("Running as root — CIS Docker §4.1 violation")
logger.info("Loading Kraken model at startup (Surya loads lazily on first OCR request)...") logger.info("Loading Kraken model at startup (Surya loads lazily on first OCR request)...")
kraken_engine.load_models() kraken_engine.load_models()
load_spell_checker() load_spell_checker()